Infected or not?

  • This topic is locked

#1 thesparky


  • Members
  • 4 posts
  • Local time:07:20 AM

Posted 06 December 2008 - 11:40 PM

My computer was running slow but that cleared up decently when I ran CCleaner and removed a bunch of junk. Still, I did a few different scans because these days, when I try and use several programs like WinRAR, Winamp, and when I try to install some programs, I get an error (the old '[program] encountered an error, needs to close' bit). Thanks for your help.

Panda Security's online scan (which I stopped early because I thought it was taking too long, which might have been a mistake) outputted the following:
ANALYSIS: 2008-12-06 19:56:19
Description Version Active Updated
ThreatFire Yes Yes
AVG 7.5.552 7.5.552 Yes Yes
Id Description Type Active Severity Disinfectable Disinfected Location
00004013 spyware/dynadesk Spyware No 0 Yes No HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{F5192746-22D6-41BD-9D2D-1E75D14FBD3C}
00024343 adware/keenvalue Adware No 0 Yes No c:\windows\system32\drivers\etc\hosts.bho
00029459 spyware/betterinet Spyware No 1 Yes No c:\windows\inf\biini.inf
00032745 adware/sahagent Adware No 0 Yes No c:\windows\system32\sahagent1012.exe
00034477 spyware/new.net Spyware No 1 Yes No c:\windows\ndnuninstall5_64.exe
00034477 spyware/new.net Spyware No 1 Yes No c:\windows\ndnuninstall5_48.exe
Sent Location 8
Id Severity Description 8

Scans from ThreatFire, Online Armor, and Spybot S&D detected nothing, while AdAware I think got one of the ones found by Panda.

Kaspersky's online scan gave me this:
Saturday, December 6, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version:
Program database last update: Saturday, December 06, 2008 19:53:45
Records in database: 1440831

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Rahul\Start Menu\Programs\Startup
C:\Program Files

Scan statistics:
Files scanned: 40547
Threat name: 5
Infected objects: 6
Suspicious objects: 0
Duration of the scan: 02:20:45

File name / Threat name / Threats count
C:\Program Files\RealVNC\VNC4\wm_hooks.dll/C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\MathType\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612 1
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\WINDOWS\NDNuninstall5_64.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\WINDOWS\system32\BO2202031216.dll Infected: not-a-virus:AdWare.Win32.VirtualBouncer.d 1
C:\WINDOWS\system32\sahagent1012.exe Infected: not-a-virus:AdWare.Win32.Sahat.a 1

The selected area was scanned.

And the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:51:39 PM, on 06/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Rahul\Local Settings\Temp\jkos-Rahul\binaries\ScanningProcess.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\ThreatFire\TFUN.exe
C:\Documents and Settings\Rahul\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Trixie.Bho - {B0744341-96E0-4341-9ED2-8BC36CE0CCD0} - mscoree.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SdScansGO] rundll32.exe C:\WINDOWS\stup_tmp.#32,Ini
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] C:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [hfxp] C:\Program Files\HFXP\hfxp.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: FTP Server.lnk = C:\Program Files\Windows Ftp Server\WinFtpServer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\Rahul\Application Data\Mozilla\Firefox\Profiles\4oc5rnhl.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\Rahul\Application Data\Mozilla\Firefox\Profiles\4oc5rnhl.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\System32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Tri&xie Options... - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - C:\WINDOWS\System32\mscoree.DLL
O9 - Extra button: AOL Instant Messenger ™ - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: cpcScanner - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1123394707015
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab30149.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwnad.com/cab/crack.CAB
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O24 - Desktop Component 0: (no name) - http://www.galapagos.org/images_gallery/sunset.jpg
O24 - Desktop Component 1: (no name) - http://www.galapagos.org/images_gallery/giantt.jpg
O24 - Desktop Component 2: (no name) - http://www.galapagos.org/images_gallery/seals.jpg
O24 - Desktop Component 3: (no name) - http://www.galapagos.org/images_gallery/lava.jpg
O24 - Desktop Component 4: (no name) - http://www.galapagos.org/images_gallery/trees.jpg
O24 - Desktop Component 5: (no name) - http://www.galapagos.org/images_gallery/island.jpg

End of file - 11335 bytes

Edited by thesparky, 06 December 2008 - 11:43 PM.


#2 suebaby41


    W.A.M. (Women Against Malware)

  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:11:20 AM

Posted 16 December 2008 - 09:19 AM

We apologize for the delay in responding to your request for help. We are volunteer staff at Bleeping Computer and get overwhelmed at times with the large number of users seeking help. We are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate your letting us know. If not, please perform the following steps so we can have a look at the current condition of your computer. If you have not done so, include a description of your problem along with any steps you may have performed so far.

When you have completed the steps below, a staff member will review the log and provide instructions for you to get your computer clean and free of malware.

Thanks and we apologize for the delay.

We need to see current information on what is happening in your computer. Please perform the following scan:
  • Please download DDS by sUBs from one of the following links. Save it to your desktop.
  • After downloading the tool:
  • Double click on the DDS icon, allow it to run. Please note: If the scan fails to run, you may have to disable any script protection running.
  • A small box, which gives an explanation about the tool, will open. No input is needed, the scan is running.
  • Notepad will open with the results, click No to the Optional_Scan.
  • Follow the instructions that pop up for posting the results.
  • Close the program window and delete the program from your desktop.
  • Enable your antivirus and anti-spyware protection.
  • Reconnect to the Internet.

You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 thesparky

  • Topic Starter


Posted 16 December 2008 - 06:24 PM

Here's the log it said to post. Unfortunately, I can't zip the other file (WinRAR is among the crashing programs and I can't find a native zipper on my computer) so I've not attached it. Thanks.

[Actually, I can tell you there are two strange entries in the would-be attachment; the names are gibberish.]

DDS (Version 1.1.0) - NTFSx86
Run by Rahul at 15:10:50.26 on 16/12/2008
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.631.265 [GMT -8:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Rahul\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearchAssistant = hxxp://www.google.com/ie
BHO: {000123B4-9B42-4900-B3F7-F4B073EFC214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
BHO: {B0744341-96E0-4341-9ED2-8BC36CE0CCD0} - mscoree.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [hfxp] c:\program files\hfxp\hfxp.exe
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [SdScansGO] rundll32.exe c:\windows\stup_tmp.#32,Ini
mRun: [Resume copy] copyfstq.exe /startup
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [D-Link AirPlus XtremeG] c:\program files\d-link\airplus xtremeg\AirPlusCFG.exe
mRun: [AVG7_CC] c:\progra~1\grisoft\avgfre~1\avgcc.exe /STARTUP
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [OnlineArmor GUI] "c:\program files\tall emu\online armor\oaui.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [AVG7_Run] c:\progra~1\grisoft\avgfre~1\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\rahul\startm~1\programs\startup\ftpser~1.lnk - c:\program files\windows ftp server\WinFtpServer.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Open Link Target in Firefox - file://c:\documents and settings\rahul\application data\mozilla\firefox\profiles\4oc5rnhl.default\extensions\{5d558c43-550f-4b12-84ab-0d8abda9f975}\firefoxviewlink.html
IE: View This Page in Firefox - file://c:\documents and settings\rahul\application data\mozilla\firefox\profiles\4oc5rnhl.default\extensions\{5d558c43-550f-4b12-84ab-0d8abda9f975}\firefoxviewpage.html
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\progra~1\aim95\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - {20CCCFEC-D26F-4ffe-996B-388B39C8CCCA} - c:\windows\system32\mscoree.DLL
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\progra~1\aim95\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rahul\applic~1\mozilla\firefox\profiles\4lxmzs5a.default\
FF - component: c:\documents and settings\rahul\application data\mozilla\firefox\profiles\4lxmzs5a.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - plugin: c:\program files\opera7\program\plugins\np32dsw.dll
FF - plugin: c:\program files\opera7\program\plugins\npdrmv2.dll
FF - plugin: c:\program files\opera7\program\plugins\npdsplay.dll
FF - plugin: c:\program files\opera7\program\plugins\NPJava11.dll
FF - plugin: c:\program files\opera7\program\plugins\NPJava12.dll
FF - plugin: c:\program files\opera7\program\plugins\NPJava13.dll
FF - plugin: c:\program files\opera7\program\plugins\NPJava14.dll
FF - plugin: c:\program files\opera7\program\plugins\NPJava32.dll
FF - plugin: c:\program files\opera7\program\plugins\NPJPI150_04.dll
FF - plugin: c:\program files\opera7\program\plugins\NPMetaStream3.dll
FF - plugin: c:\program files\opera7\program\plugins\NPOFFICE.DLL
FF - plugin: c:\program files\opera7\program\plugins\NPOJI610.dll
FF - plugin: c:\program files\opera7\program\plugins\nppdf32.dll
FF - plugin: c:\program files\opera7\program\plugins\nppl3260.dll
FF - plugin: c:\program files\opera7\program\plugins\nprjplug.dll
FF - plugin: c:\program files\opera7\program\plugins\nprpjplug.dll
FF - plugin: c:\program files\opera7\program\plugins\NPSWF32.dll
FF - plugin: c:\program files\opera7\program\plugins\npwmsdrm.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-6 28544]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2008-1-6 51488]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2008-1-6 39200]
R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2005-12-6 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2005-10-22 4224]
R1 Avg7RsXP;AVG7 Rezident Driver;c:\windows\system32\drivers\avg7rsxp.sys [2005-10-22 27776]
R1 AvgClean;AVG Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-4-2 10760]
R1 HFSYS;HFSYS;\??\c:\windows\system32\drivers\HFSYS.SYS [2004-1-11 19732]
R1 NDISRD;NDISRD;\??\c:\windows\system32\drivers\NDISRD.sys [2008-2-9 18944]
R1 OADevice;OADriver;\??\c:\windows\system32\drivers\OADriver.sys [2008-2-9 68608]
R1 OAmon;OAmon;\??\c:\windows\system32\drivers\OAmon.sys [2008-2-9 25600]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\TFService.exe service []
R3 ramirr;ramirr;c:\windows\system32\drivers\ramirr.sys [2003-4-19 2560]
R3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys [2008-1-6 33056]
S2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avgfre~1\avgamsvr.exe [2005-12-6 418816]
S2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avgfre~1\avgupsvc.exe [2004-11-21 49664]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2007-6-7 115744]
S2 SvcOnlineArmor;Online Armor;"c:\program files\tall emu\online armor\oasrv.exe" [2008-2-9 4625984]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-3-22 450400]
S3 ExtranetAccess;Contivity VPN Service;"c:\program files\nortel networks\Extranet_serv.exe" [2007-6-7 643072]

=============== Created Last 30 ================

2008-12-06 14:50 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2008-12-06 14:43 <DIR> --d----- c:\program files\Panda Security
2008-12-06 12:07 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2008-12-06 12:06 <DIR> --d----- c:\documents and settings\rahul\.housecall6.6
2008-11-22 23:53 <DIR> --d----- c:\docume~1\rahul\applic~1\QuosaDDM

==================== Find3M ====================

2008-10-24 13:07 39,200 a------- c:\windows\system32\drivers\TfSysMon.sys
2008-10-24 13:07 33,056 a------- c:\windows\system32\drivers\TfNetMon.sys
2008-10-24 13:07 12,576 a------- c:\windows\system32\drivers\TfKbMon.sys
2008-10-24 13:07 51,488 a------- c:\windows\system32\drivers\TfFsMon.sys
2008-10-24 03:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 04:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 12:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-13 15:38 87,643 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-03 02:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2005-05-06 21:16 2,066,308 a------- c:\program files\FileZilla Server Backup.rar
2004-09-05 18:04 784 a------- c:\docume~1\rahul\applic~1\mpauth.dat
2001-11-14 20:37 233,742 a------- c:\program files\mie.dat
2001-10-22 20:44 5,222 a------- c:\program files\set.ico
2001-07-04 21:23 135 a------- c:\program files\g.gif
2001-07-04 21:23 150 a------- c:\program files\b.gif
2001-07-04 21:23 119 a------- c:\program files\u.gif
2001-07-04 21:23 143 a------- c:\program files\w.gif
2001-01-27 10:28 151 a------- c:\program files\r.gif
2005-08-16 17:29 3,350 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 15:13:01.18 ===============

Edited by thesparky, 16 December 2008 - 06:27 PM.

#4 suebaby41


Posted 20 December 2008 - 07:02 PM

  • Please download Sysclean Package and save it to your desktop.
    • Create a new folder on drive "C:\" and name it Sysclean - (C:\Sysclean).
    • Place the SYSCLEAN.COM inside that folder.
    • Then download the latest Official Pattern Release for Windows - (Pattern files are usually named lptxxx.zip, where xxx is the pattern file number.)
    • Extract (unzip) the lptxxx.zip pattern file into the Sysclean (C:\Sysclean) folder where you put SYSCLEAN.COM.
    • For information on how to extract a file if you are not sure how to do this, see How to create and extract a Zip File in Windows ME/XP/2003.
    • DO NOT scan yet.
  • Reboot your computer in SAFE MODE using the F8 method. To do this:
    • Restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly.
    • A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in Safe Mode.
  • Please disconnect from the Internet. Please close ALL browser windows (including this one). Some antivirus programs such as Avast will alert you to a virus attack when running "Sysclean" so disable them before going to the next step.
  • Scan with Sysclean as follows:
    • Open the Sysclean folder and double-click on sysclean.com to start the scanning process.
    • Put a check mark on the Automatically clean or delete infected files option by clicking in the check box.
    • Click the Advanced >> button.
    • The scan options appear. Select the Scan all local fixed drives option.
    • Click the Scan button on the Trend Micro System Cleaner console.
    • It will take some time to complete. Be patient and let it clean whatever it finds.
    • Another MS-DOS window will appear containing the log file generated in the Trend Micro System Cleaner folder.
    • To view the log, click the View button on the Trend Micro System Cleaner console. The Trend Micro System Cleaner Log window appears.
      • The Files Detected section shows the viruses that were detected by Sysclean
      • The Files Clean section shows the viruses that were cleaned.
      • The Clean Fail section shows the viruses that were not cleaned.
    • This fix tool generates the log file, SYSCLEAN.LOG, in its current folder.
    • When the scan is finished, open your Sysclean folder and copy and paste the contents of sysclean.log in your next reply.
    • Exit when done, reboot normally and enable your antivirus program.
    This tool generates a log file (sysclean.log) in the same folder where the scan is completed. When using "Sysclean", it is best to "use the Administrator's account" or an account with Administrative rights; otherwise you will not have the rights to scan some locations. The scanning process may result in "Access Denied" messages for some files. This is normal because these files are protected by the system.
  • If needed, see Instructions With Screenshots.
  • Please post a new HijackThis log and the contents of the sysclean.log.

#5 suebaby41


Posted 27 December 2008 - 01:13 PM

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.