
Spyware files win32.banker.fs & trojan.spyagent.DA


  • This topic is locked
8 replies to this topic

#1 Nolimit4show

Nolimit4show

  • Members
  • 6 posts
  • OFFLINE
  • Local time: 02:32 PM

Posted 20 February 2009 - 08:13 PM

So when I start up my CPU, my background screen is grey in the back with a square filled with blue, red, green, & yellow boxes. In my icon tray bar there is a red circle with a white X through it saying my computer is infected with spyware.
------------------------------------------------ POP UPs

- Sometimes Symantec Antivirus pops up with a blank screen, another pop up reads "Your computer is in danger!" - Windows security center has detected spyware/adware infection! It is strongly recommended to use special antispyware programs.

- Another pop up reads: Driver.sys disk space is full

- System Error: Access Violation at address 000000000000:00F754D2

- SVW: External exception C0000001D

- A Windows security pop up reads: System files and register changing are detected! Your pc is under the thread of loss of the data! Its is recommended to start the guard scanner (Quality English right there)

- Internet Explorer has pop ups saying that my system is infected, & another saying that the site I'm accessing is for mature adults only and I must be 18+...WHEN I'M NOT EVEN USING INTERNET EXPLORER.

- Another pop up that comes straight in the middle of the screen reads: SYSTEM CRASHED! CRITICAL ERROR! System halted as a result of the critical kernel error. Windows has detected spyware on your PC. It is recommended to remove spyware immediately to prevent your data and files from deleting.

- Then the main pop up reads: Warning! Spyware files win32.banker.fs & trojan.spyagent.DA and other detected on your computer, Its highly recommended to scan the system immediately to remove all spyware/adware.

I believe those are all the pop ups so far, now let me tell you what I did so far before I posted this...


1. I did a system restore back to my settings on 1/29/09
2. I ran CCleaner and removed what looked like cookies
3. Installed the spyware removal tool they had on this site: <hxxp://www.removeonline.com/remove-win32-banker-fs-trojan-spy-agent-da/comment-page-1/#comment-1993> Spyware quick removal instructions. I ran the program, it scanned my cpu and found 4 viruses or whatnot, I clicked on remove spyware and it asked me to purchase the damn thing... $40, no thank you. Program is called SpyNoMore
4. Installed new version of Combofix, but did not run it yet.
----------------------------------------------------------------------------------------------------------------------------------------------------------

Here is the log from the program that I downloaded at this site, DDS.txt

DDS (Ver_09-02-01.01) - NTFSx86
Run by G at 16:30:43.06 on Fri 02/20/2009
Internet Explorer: 7.0.5730.13

============== Pseudo HJT Report ===============

uStart Page = https://eagent.farmersinsurance.com/
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [UpdateWin] c:\windows\system32\appmgrj.exe
uRun: [userinit] c:\windows\system32\ntos.exe
uRunServices: [UpdateWin] c:\windows\system32\appmgrj.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [LoadFujitsuQuickTouch] c:\program files\fujitsu\application panel\QuickTouch.exe
mRun: [LoadBtnHnd] c:\program files\fujitsu\btnhnd\BtnHnd.exe
mRun: [IndicatorUtility] c:\program files\fujitsu\fujitsu hotkey utility\IndicatorUty.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [LoadFUJ02E3] c:\program files\fujitsu\fuj02e3\FUJ02E3.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [WinampAgent] "c:\program files\winamp\Winampa.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Agena] rundll32.exe "c:\windows\Agitus.dll",e
mRun: [odb] c:\windows\odb.exe
mRun: [UpdateWin] c:\windows\system32\appmgrj.exe
mRun: [vlc] c:\windows\vlc.exe
mRun: [netx] c:\windows\svx.exe
mRun: [wdmon] c:\windows\wdmon.exe
mRun: [netw] c:\windows\svw.exe
mRun: [netc] c:\windows\svc.exe
mRun: [netsv32] c:\windows\sv.exe
mRun: [runsql] c:\windows\runsql.exe
mRun: [netzip] c:\windows\svzip.exe
mRun: [SNM] c:\program files\spynomore\SNM.exe /startup
mRunServices: [UpdateWin] c:\windows\system32\appmgrj.exe
dRun: [userinit] c:\windows\system32\ntos.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: farmersinsurance.com\eagent
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxps://eagent.farmersinsurance.com/PLA/eAgent/eAuto/commonActiveX/smsx.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233280502806
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233283381901
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
STS: IPC Configuration Utility - No File
STS: Windows Installer Class: {020487cc-fc04-4b1e-863f-d9801796230b} - c:\docume~1\talal\locals~1\temp\wndutl32.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\talal\applic~1\mozilla\firefox\profiles\o9bt8a7p.default\
FF - prefs.js: browser.startup.homepage - Google.com

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-02-20 16:01 1,152 a------- c:\windows\system32\windrv.sys
2009-02-20 16:00 <DIR> --d----- c:\program files\SpyNoMore
2009-02-20 15:59 <DIR> --d----- c:\program files\common files\Download Manager
2009-02-20 15:48 <DIR> --d----- C:\ComboFix
2009-02-20 15:47 388,608 a------- c:\windows\system32\CF13187.exe
2009-02-20 14:59 280,576 a------- c:\windows\svhoster.exe
2009-02-20 14:59 282,112 a------- c:\windows\svzip.exe
2009-02-20 14:58 282,112 a------- c:\windows\runsql.exe
2009-02-20 14:58 282,112 a------- c:\windows\sv.exe
2009-02-20 14:58 233,984 a------- c:\windows\svc.exe
2009-02-20 14:58 233,984 a------- c:\windows\svw.exe
2009-02-20 14:58 234,496 a------- c:\windows\svx.exe
2009-02-20 14:58 233,472 a------- c:\windows\wdmon.exe
2009-02-20 14:58 233,984 a------- c:\windows\vlc.exe
2009-02-20 14:56 109 a--sh--- c:\windows\system32\618279448.dat
2009-02-20 14:56 40,960 ---shr-- c:\windows\system32\appmgrj.exe
2009-02-20 14:56 233,984 a------- c:\windows\odb.exe
2009-02-20 14:56 <DIR> --dsh--- c:\windows\system32\wsnpoem
2009-02-20 14:55 39,936 a------- c:\windows\Agitus.dll
2009-02-12 17:24 <DIR> --d----- c:\program files\Doremisoft
2009-02-12 17:19 <DIR> --d----- c:\program files\DVDVideoSoft
2009-02-12 17:19 <DIR> --d----- c:\program files\common files\DVDVideoSoft
2009-02-12 17:10 <DIR> --d----- c:\program files\Free Flash Flv MP3 Converter
2009-02-12 16:51 <DIR> --d----- c:\windows\system32\appmgmt
2009-02-12 12:11 <DIR> --d----- C:\Mp3 Output
2009-02-12 12:11 765,952 a------- c:\windows\system32\xvidcore.dll
2009-02-12 12:11 383,238 a------- c:\windows\system32\libmp3lame-0.dll
2009-02-12 11:58 274,432 a------- c:\windows\system32\TubeFinder.exe
2009-02-12 11:58 364,544 a------- c:\windows\system32\PropertyGrid.ocx
2009-02-12 11:58 208,500 a------- c:\windows\system32\ReyXpBasics.tlb
2009-02-12 11:58 119,568 a------- c:\windows\system32\VB6FR.DLL
2009-02-12 11:58 101,888 a------- c:\windows\system32\VB6STKIT.DLL
2009-02-12 11:58 84,512 a------- c:\windows\system32\PICCLP32.OCX
2009-02-12 11:58 1,081,616 a------- c:\windows\system32\mscomctl.ocx
2009-02-12 11:58 141,312 a------- c:\windows\system32\MSCMCFR.DLL
2009-02-12 11:58 9,728 a------- c:\windows\system32\PCCLPFR.DLL
2009-02-12 11:58 152,848 a------- c:\windows\system32\COMDLG32.OCX
2009-02-12 11:58 24,576 a------- c:\windows\system32\ControlSubX.ocx
2009-02-12 11:58 32,768 a------- c:\windows\system32\CMDLGFR.DLL
2009-02-12 11:58 <DIR> --d----- c:\program files\Free FLV Converter
2009-02-10 11:13 <DIR> --d----- c:\program files\Steam
2009-02-05 16:07 1,065 a------- c:\windows\winamp.ini
2009-02-05 16:03 <DIR> --d----- c:\program files\NCH Software
2009-02-05 16:01 <DIR> --d----- c:\program files\NCH Swift Sound
2009-02-02 16:08 <DIR> --d----- c:\docume~1\talal\applic~1\Any Video Converter
2009-02-02 16:08 <DIR> --d----- c:\program files\Any Video Converter
2009-02-02 13:34 <DIR> --d----- c:\program files\VideoLAN
2009-01-30 13:06 268,648 a------- c:\windows\system32\mucltui.dll
2009-01-30 13:06 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-01-30 13:03 <DIR> --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-01-30 13:00 <DIR> --d----- c:\program files\MSXML 4.0
2009-01-30 12:54 <DIR> --d----- c:\program files\common files\HP
2009-01-30 12:50 626,960 a----r-- c:\windows\system32\hpvaut32.dll
2009-01-30 12:50 44,544 a----r-- c:\windows\system32\MSXML4a.dll
2009-01-30 12:50 487,424 a----r-- c:\windows\system32\hpvcp70.dll
2009-01-30 12:50 344,064 a----r-- c:\windows\system32\hpvcr70.dll
2009-01-30 12:48 <DIR> --d----- c:\program files\common files\Hewlett-Packard
2009-01-30 12:46 <DIR> --d----- c:\windows\system32\URTTemp
2009-01-30 12:42 61,440 a------- c:\windows\system32\HPZinw12.exe
2009-01-30 12:42 306,688 a------- c:\windows\IsUninst.exe
2009-01-30 12:42 278,584 a------- c:\windows\system32\HPZidr12.dll
2009-01-30 12:42 204,800 a------- c:\windows\system32\HPZipr12.dll
2009-01-30 12:42 94,208 a------- c:\windows\system32\HPZipt12.dll
2009-01-30 12:42 65,536 a------- c:\windows\system32\HPZipm12.exe
2009-01-30 12:42 57,344 a------- c:\windows\system32\HPZisn12.dll
2009-01-30 12:41 <DIR> --d----- c:\program files\HP
2009-01-30 12:34 104,312 a------- c:\windows\hpoins04.dat
2009-01-30 12:34 17,176 -------- c:\windows\hpomdl04.dat
2009-01-30 12:32 25,856 ac------ c:\windows\system32\dllcache\usbprint.sys
2009-01-30 12:32 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-01-30 12:28 270,336 a----r-- c:\windows\system32\HPZc3212.dll
2009-01-30 12:28 581,632 a----r-- c:\windows\system32\hpotscl.dll
2009-01-30 12:28 90,112 a----r-- c:\windows\system32\hpovst08.dll
2009-01-30 12:28 278,528 a----r-- c:\windows\system32\hpgwiamd.dll
2009-01-30 12:28 15,104 ac------ c:\windows\system32\dllcache\usbscan.sys
2009-01-30 12:28 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-01-30 12:27 12,160 ac------ c:\windows\system32\dllcache\mouhid.sys
2009-01-30 12:27 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-01-30 12:26 31,616 ac------ c:\windows\system32\dllcache\usbccgp.sys
2009-01-30 12:26 31,616 a------- c:\windows\system32\drivers\usbccgp.sys
2009-01-30 12:26 9,600 ac------ c:\windows\system32\dllcache\hidusb.sys
2009-01-30 12:26 9,600 a------- c:\windows\system32\drivers\hidusb.sys
2009-01-29 23:41 <DIR> --d----- c:\windows\network diagnostic
2009-01-29 23:41 459,264 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-01-29 23:41 267,776 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-01-29 23:41 52,224 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-01-29 23:41 383,488 -c------ c:\windows\system32\dllcache\ieapfltr.dll
2009-01-29 23:41 63,488 -c------ c:\windows\system32\dllcache\icardie.dll
2009-01-29 23:41 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe
2009-01-29 23:41 2,455,488 -c------ c:\windows\system32\dllcache\ieapfltr.dat
2009-01-29 23:41 991,232 -c------ c:\windows\system32\dllcache\ieframe.dll.mui
2009-01-29 23:40 6,066,688 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-01-29 23:40 33,792 ac------ c:\windows\system32\dllcache\custsat.dll
2009-01-29 23:23 942 a------- c:\windows\CLARIS.INI
2009-01-29 23:23 <DIR> --d----- c:\documents and settings\talal\WINDOWS
2009-01-29 23:23 <DIR> a-d----- C:\FMPRO 0307
2009-01-29 17:58 146,650 a------- c:\windows\system32\BuzzingBee.wav
2009-01-29 17:58 940,794 a------- c:\windows\system32\LoopyMusic.wav
2009-01-29 17:58 <DIR> --d----- c:\windows\system32\Lang
2009-01-29 17:46 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-01-29 17:45 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-01-29 17:45 546,304 -c------ c:\windows\system32\dllcache\hhctrl.ocx
2009-01-29 17:45 1,846,016 -c------ c:\windows\system32\dllcache\win32k.sys
2009-01-29 17:45 2,136,064 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-29 17:45 2,180,352 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-29 17:45 2,057,728 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-29 17:45 2,015,744 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-29 17:43 453,632 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-01-29 17:43 333,184 -c------ c:\windows\system32\dllcache\srv.sys
2009-01-29 17:43 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-01-29 17:43 683,520 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-01-29 17:43 247,326 -c------ c:\windows\system32\dllcache\strmdll.dll
2009-01-29 17:43 332,800 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-01-29 17:43 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2009-01-29 17:41 <DIR> --d----- c:\windows\system32\PreInstall
2009-01-29 17:41 <DIR> --d-h--- c:\windows\$hf_mig$
2009-01-29 17:32 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-01-29 17:31 <DIR> --dsh--- c:\documents and settings\talal\UserData
2009-01-29 17:04 4,096 ac------ c:\windows\system32\dllcache\ksuser.dll
2009-01-29 17:04 4,096 a------- c:\windows\system32\ksuser.dll
2009-01-29 17:04 130,048 ac------ c:\windows\system32\dllcache\ksproxy.ax
2009-01-29 17:04 60,288 ac------ c:\windows\system32\dllcache\drmk.sys
2009-01-29 17:04 130,048 a------- c:\windows\system32\ksproxy.ax
2009-01-29 17:04 60,288 a------- c:\windows\system32\drivers\drmk.sys
2009-01-29 17:02 69,632 a------- c:\windows\ALCMTR.EXE
2009-01-29 16:55 <DIR> --d----- c:\docume~1\talal\applic~1\Intel
2009-01-29 16:55 21,425 a------- c:\windows\system32\drivers\AegisP.sys
2009-01-29 16:54 2,732,032 a------- c:\windows\system32\Netw2r32.dll
2009-01-29 16:54 2,208,768 a------- c:\windows\system32\drivers\w29n51.sys
2009-01-29 16:54 557,056 a------- c:\windows\system32\Netw2c32.dll
2009-01-29 16:39 163,840 a------- c:\windows\system32\igfxres.dll
2009-01-29 16:37 <DIR> --ds---- c:\windows\system32\Microsoft
2009-01-29 16:26 1,245,184 a------- c:\windows\system32\igfxress.dll
2009-01-29 16:24 1,094,881 a------- c:\windows\system32\drivers\AGRSM.sys
2009-01-29 16:24 88,204 a------- c:\windows\AGRSMMSG.exe
2009-01-29 16:24 64,512 a------- c:\windows\agrsmdel.exe
2009-01-29 16:23 2,754,560 a------- c:\windows\ALCWZRD.EXE
2009-01-29 16:23 90,112 a------- c:\windows\SOUNDMAN.EXE
2009-01-29 16:23 13,783,040 a------- c:\windows\RTHDCPL.EXE
2009-01-29 16:23 9,682,432 a------- c:\windows\RTLCPL.EXE
2009-01-29 16:23 308,736 a------- c:\windows\system32\RTSndMgr.CPL
2009-01-29 16:23 294,912 a------- c:\windows\system32\ALSNDMGR.CPL
2009-01-29 16:23 156,672 a------- c:\windows\system32\RTLCPAPI.dll
2009-01-29 16:23 <DIR> --d----- c:\windows\system32\RTCOM
2009-01-29 16:23 40,960 -------- c:\windows\system32\ChCfg.exe
2009-01-29 16:23 2,522,560 a------- c:\windows\system32\drivers\RtkHDAud.sys
2009-01-29 16:22 <DIR> --d----- c:\program files\Realtek
2009-01-29 16:22 45,056 a----r-- c:\windows\system32\drivers\bcm4sbxp.sys
2009-01-29 16:22 <DIR> --d----- c:\program files\Broadcom
2009-01-29 16:19 103,391 a------- c:\windows\system32\drivers\Apfiltr.sys
2009-01-29 16:19 88,587 a------- c:\windows\system32\Vxdif.dll
2009-01-29 16:19 <DIR> --d----- c:\program files\Apoint2K
2009-01-29 16:15 307,712 a------- c:\windows\system32\QuickTouch.cpl
2009-01-29 16:15 <DIR> --d----- c:\program files\Fujitsu
2009-01-29 16:12 <DIR> --d----- c:\windows\Options
2009-01-29 16:11 172,032 a------- c:\windows\system32\rixdicon.dll
2009-01-29 16:11 90,112 a------- c:\windows\system32\snymsico.dll
2009-01-29 16:11 43,520 a------- c:\windows\system32\drivers\rimsptsk.sys
2009-01-29 16:11 38,912 a------- c:\windows\system32\drivers\risdptsk.sys
2009-01-29 16:11 38,400 a------- c:\windows\system32\drivers\rixdptsk.sys
2009-01-29 16:11 <DIR> --d----- c:\windows\system32\SDA
2009-01-29 16:11 <DIR> --d----- C:\drivers
2009-01-28 12:36 316,640 a------- c:\windows\WMSysPr9.prx
2009-01-28 12:36 96,768 -c------ c:\windows\system32\dllcache\dpcdll.dll
2009-01-28 12:36 53,248 -------- c:\windows\system32\vbicodec.ax
2009-01-28 12:36 40,832 -------- c:\windows\system32\drivers\irbus.sys
2009-01-28 12:36 9,728 -------- c:\windows\system32\comsdupd.exe
2009-01-28 12:36 239,616 -------- c:\windows\system32\wstrenderer.ax
2009-01-28 12:36 164,352 -------- c:\windows\system32\wstpager.ax
2009-01-28 12:31 <DIR> --d----- c:\windows\ServicePackFiles
2009-01-28 12:27 2,897,920 -------- c:\windows\system32\xpsp2res.dll
2009-01-28 12:26 19,528 a------- c:\windows\002245_.tmp
2009-01-28 12:25 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-01-28 12:25 22,752 a------- c:\windows\system32\spupdsvc.exe
2009-01-28 12:22 <DIR> --d----- c:\windows\EHome
2009-01-28 12:20 83,168 a------- c:\windows\system32\S32EVNT1.DLL
2009-01-28 12:20 82,832 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-28 12:20 <DIR> --d----- c:\program files\Symantec
2009-01-28 12:19 <DIR> --d----- c:\program files\Symantec AntiVirus
2009-01-28 12:19 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-01-28 12:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-01-28 11:43 <DIR> --dsh--- c:\windows\Installer
2009-01-28 11:43 <DIR> --d----- c:\documents and settings\Talal
2009-01-28 11:31 8,192 a------- c:\windows\REGLOCS.OLD
2009-01-28 11:29 77,824 ac------ c:\windows\system32\dllcache\quick.ime
2009-01-28 11:28 13,463,552 ac------ c:\windows\system32\dllcache\hwxjpn.dll
2009-01-28 11:27 <DIR> --d----- c:\windows\system32\xircom
2009-01-28 11:27 2,577 a------- c:\windows\system32\CONFIG.NT
2009-01-28 11:27 0 a------- c:\windows\control.ini
2009-01-28 11:27 25,065 a------- c:\windows\system32\wmpscheme.xml
2009-01-28 11:27 23,392 a------- c:\windows\system32\nscompat.tlb
2009-01-28 11:27 16,832 a------- c:\windows\system32\amcompat.tlb
2009-01-28 11:27 299,552 a------- c:\windows\WMSysPrx.prx
2009-01-28 11:26 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-01-28 11:26 <DIR> --d--r-- c:\windows\Offline Web Pages
2009-01-28 11:26 488 a---hr-- c:\windows\system32\WindowsLogon.manifest
2009-01-28 11:26 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-01-28 11:26 <DIR> --ds---- c:\windows\Downloaded Program Files
2009-01-28 11:26 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-01-28 11:26 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-01-28 11:26 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-01-28 11:26 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-01-28 11:26 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-01-28 11:26 749 a---hr-- c:\windows\system32\cdplayer.exe.manifest
2009-01-28 11:25 <DIR> --d----- c:\program files\common files\MSSoap
2009-01-28 11:23 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-01-28 11:23 <DIR> --d----- c:\program files\Online Services
2009-01-28 11:23 <DIR> --d----- c:\program files\Messenger
2009-01-28 11:23 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-01-28 11:23 <DIR> --d----- c:\program files\Windows NT
2009-01-28 03:16 <DIR> --d----- c:\program files\common files\ODBC
2009-01-28 03:15 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-01-28 03:15 <DIR> --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-01-28 12:40 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-28 11:27 558,142 a------- c:\windows\java\packages\63RVXFX7.ZIP
2009-01-28 11:27 2,678 a------- c:\windows\java\packages\data\UPZZFNBD.DAT
2009-01-28 11:27 155,995 a------- c:\windows\java\packages\4B9VT3P3.ZIP
2009-01-28 11:27 2,678 a------- c:\windows\java\packages\data\MHV5RD3B.DAT
2009-01-28 11:27 2,678 a------- c:\windows\java\packages\data\OHVV1VTV.DAT
2009-01-28 11:27 2,678 a------- c:\windows\java\packages\data\CUTJHRB1.DAT
2009-01-28 11:27 2,678 a------- c:\windows\java\packages\data\B1375NBB.DAT
2009-01-28 11:24 21,640 a------- c:\windows\system32\emptyregdb.dat
2008-12-20 15:15 826,368 a------- c:\windows\system32\wininet.dll

============= FINISH: 16:33:35.84 ===============


Thank you and I will be patiently (if possible, I might go and get hammered tonight for some stress relief) waiting for a reply back. Thanks for any help in advance



Edited by Orange Blossom, 11 February 2013 - 03:49 AM.
Deactivate link. ~ OB
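As an added example (not from this thread, and not code from the DDS or HijackThis tools), a small Python triage script that reads lines in the "Pseudo HJT Report" format of the DDS log above and flags the patterns visible in that log: an extra program appended to the Winlogon Userinit chain, autorun entries that load from the Windows directory root or borrow the Winlogon value name, and policies that disable Task Manager and Registry Editor. The rule names and heuristics are my own assumptions, not anything the tools report; the sample lines are constructed from values in the posted log plus one benign Symantec entry as a control.

```python
import re
from typing import List, Tuple

# Constructed sample in the DDS "Pseudo HJT Report" format; the suspicious
# values are copied from the posted log, the ccApp line is a benign control.
SAMPLE_DDS = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [userinit] c:\windows\system32\ntos.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Agena] rundll32.exe "c:\windows\Agitus.dll",e
mRun: [netx] c:\windows\svx.exe
mRunServices: [UpdateWin] c:\windows\system32\appmgrj.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
""".strip()

# Policy values that, when non-zero, take the user's own repair tools away
# (my heuristic list, not exhaustive).
LOCKOUT_POLICIES = {"disabletaskmgr", "disableregistrytools", "disablecmd"}
# Winlogon value names that malware reuses as a Run entry name to blend in.
WINLOGON_NAMES = {"userinit", "shell"}

# DDS prefixes lines with u/m/d for HKCU, HKLM and the default user hive.
RUN_RE = re.compile(r"^[umd]run(?:services)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", re.I)
POLICY_RE = re.compile(r"^[umd]policies-\w+:\s*(?P<value>\w+)\s*=\s*(?P<data>\d+)", re.I)
WINLOGON_RE = re.compile(r"^[umd]winlogon:\s*userinit=(?P<chain>.*)$", re.I)


def target_of(cmd: str) -> str:
    """Return the file a Run command actually loads, lower-cased: for rundll32
    the DLL argument, otherwise the first quoted or whitespace-delimited token."""
    cmd = cmd.strip()
    if cmd.lower().startswith("rundll32"):
        m = re.search(r'"([^"]+)"', cmd)
        if m:
            return m.group(1).lower()
        parts = cmd.split(None, 1)
        return parts[1].split(",")[0].strip().lower() if len(parts) == 2 else ""
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return (m.group(1) or m.group(2)).lower() if m else ""


def in_windows_root(path: str) -> bool:
    """True for an explicit path directly in the Windows directory
    (c:\\windows\\foo.exe), a location legitimate autoruns rarely use."""
    return bool(re.fullmatch(r"[a-z]:\\windows\\[^\\]+", path))


def triage(report: str) -> List[Tuple[str, str]]:
    """Scan Pseudo-HJT lines and return (rule, evidence) pairs in file order."""
    findings: List[Tuple[str, str]] = []
    for line in report.splitlines():
        line = line.strip()
        if not line:
            continue
        m = WINLOGON_RE.match(line)
        if m:
            # Stock XP value is a single userinit.exe entry; anything else is appended.
            chain = [p.strip() for p in m.group("chain").split(",") if p.strip()]
            extras = [p for p in chain if not p.lower().endswith("\\userinit.exe")]
            if extras:
                findings.append(("winlogon-userinit-hijack", ", ".join(extras)))
            continue
        m = RUN_RE.match(line)
        if m:
            name, target = m.group("name").lower(), target_of(m.group("cmd"))
            if name in WINLOGON_NAMES:
                findings.append(("run-entry-mimics-winlogon", line))
            elif in_windows_root(target):
                findings.append(("autorun-in-windows-root", target))
            continue
        m = POLICY_RE.match(line)
        if m and m.group("value").lower() in LOCKOUT_POLICIES and m.group("data") != "0":
            findings.append(("repair-tools-disabled", m.group("value")))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_DDS):
        print(f"{rule:28} {evidence}")
```

Run against the full DDS log, the same rules also pick out the other c:\windows\*.exe entries (odb, vlc, wdmon, svw, svc, sv, runsql, svzip) that the posted log lists.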



#2 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender: Not Telling
  • Local time: 04:32 PM

Posted 28 February 2009 - 11:40 PM

Hi,

Welcome to BleepingComputer HijackThis Logs and Malware Removal, Nolimit4show.
My name is sundavis, and I will be helping you to deal with your malware problems today.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.
In the meantime, please refrain from making any changes to your computer, and please do the following:

Step 1
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
Step 2

Please download GMER Rootkit Scanner from Here or Here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish. For more info, go to Here for your reference.
  • Once done, click on the [Save..] button, and in the File name area, type in "Gmer.txt", and copy and paste the contents in your next reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


In your next reply, please post back:

1. RSIT log.txt and info.txt.
2. Gmer.txt

#3 Nolimit4show

Nolimit4show
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time: 02:32 PM

Posted 02 March 2009 - 03:38 PM

Sorry for the delay, but I don't see this computer during the weekends.

OK, here are the scans from RSIT

Log.Txt


Logfile of random's system information tool 1.05 (written by random/random)
Run by Talal at 2009-03-02 11:47:19
Microsoft Windows XP Professional Service Pack 2
System drive C: has 63 GB (83%) free of 76 GB
Total RAM: 502 MB (9% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47:54 AM, on 3/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\igfxext.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\odb.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Talal\Desktop\BleepingCpu Malware Programs\RSIT.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\trend micro\Talal.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://eagent.farmersinsurance.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WinGDI Class - {12c7290a-157b-4f43-b109-97e792c598ed} - C:\WINDOWS\iehost.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Agena] rundll32.exe "C:\WINDOWS\Agitus.dll",e
O4 - HKLM\..\Run: [odb] C:\WINDOWS\odb.exe
O4 - HKLM\..\Run: [UpdateWin] C:\WINDOWS\system32\appmgrj.exe
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [Ovosapupiye] rundll32.exe "C:\WINDOWS\akugosulizego.dll",e
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunServices: [UpdateWin] C:\WINDOWS\system32\appmgrj.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [UpdateWin] C:\WINDOWS\system32\appmgrj.exe
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O4 - HKCU\..\RunServices: [UpdateWin] C:\WINDOWS\system32\appmgrj.exe
O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://eagent.farmersinsurance.com/PLA/eAg...ctiveX/smsx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1233280502806
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1233283381901
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: IPC Configuration Utility - IPC Configuration Utility - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 9379 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll [2003-11-03 54248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{12c7290a-157b-4f43-b109-97e792c598ed}]
WinGDI Class - C:\WINDOWS\iehost.dll [2009-02-23 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
AcroIEToolbarHelper Class - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-02-27 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-02-27 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2004-02-29 66680]
"vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe [2004-03-12 124128]
"LoadFujitsuQuickTouch"=C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe [2005-02-25 242688]
"LoadBtnHnd"=C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe [2005-02-25 61440]
"IndicatorUtility"=C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe [2005-02-28 81920]
"Apoint"=C:\Program Files\Apoint2K\Apoint.exe [2004-07-02 163840]
"AzMixerSel"=C:\Program Files\Realtek\InstallShield\AzMixerSel.exe [2005-02-18 53248]
"LoadFUJ02E3"=C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe [2005-02-25 69632]
"HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe [2005-02-22 126976]
"IntelZeroConfig"=C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe [2006-10-18 802816]
"IntelWireless"=C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe [2006-10-18 696320]
"AGRSMMSG"=C:\WINDOWS\AGRSMMSG.exe [2005-05-11 88204]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2005-02-21 13783040]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-02-20 69632]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2004-02-12 49152]
"HP Component Manager"=C:\Program Files\HP\hpcoretech\hpcmpmgr.exe [2004-05-12 241664]
"WinampAgent"=C:\Program Files\Winamp\Winampa.exe [2002-04-26 12288]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2009-01-05 413696]
"Agena"=C:\WINDOWS\Agitus.dll [2009-02-20 39936]
"odb"=C:\WINDOWS\odb.exe [2009-02-20 233984]
"UpdateWin"=C:\WINDOWS\system32\appmgrj.exe [2009-02-20 40960]
"SNM"=C:\Program Files\SpyNoMore\SNM.exe /startup []
"Ovosapupiye"=C:\WINDOWS\akugosulizego.dll [2009-02-25 134656]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-02-27 148888]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"UpdateWin"=C:\WINDOWS\system32\appmgrj.exe [2009-02-20 40960]
"userinit"=C:\WINDOWS\system32\ntos.exe [2004-08-04 334336]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PoliceAV]
C:\Program Files\XPPoliceAntivirus\xppolice.exe []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2005-02-22 348160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINDOWS\System32\NavLogon.dll [2004-03-12 83176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
IPC Configuration Utility - IPC Configuration Utility

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=1
"DisableRegistryTools"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableTaskMgr"=1
"DisableRegistryTools"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoSetActiveDesktop"=1
"NoActiveDesktopChanges"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoSetActiveDesktop"=
"NoActiveDesktopChanges"=
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
shell\AutoRun\command - F:\wd_windows_tools\WDSetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c97e188-f165-11dd-a0b8-000b5dc48699}]
shell\AutoRun\command - F:\wd_windows_tools\WDSetup.exe


======List of files/folders created in the last 1 months======

2009-03-02 11:47:23 ----D---- C:\Program Files\trend micro
2009-03-02 11:47:19 ----D---- C:\rsit
2009-03-02 11:37:19 ----SHD---- C:\WINDOWS\system32\wsnpoem
2009-02-27 15:17:20 ----D---- C:\WINDOWS\Sun
2009-02-27 15:16:52 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-02-27 15:16:51 ----A---- C:\WINDOWS\system32\javaws.exe
2009-02-27 15:16:51 ----A---- C:\WINDOWS\system32\javaw.exe
2009-02-27 15:16:51 ----A---- C:\WINDOWS\system32\java.exe
2009-02-27 15:16:18 ----D---- C:\Program Files\Java
2009-02-27 15:16:01 ----D---- C:\Documents and Settings\Talal\Application Data\Sun
2009-02-27 11:33:56 ----D---- C:\Program Files\Catan
2009-02-27 11:33:56 ----D---- C:\Program Files\BFG
2009-02-25 14:47:32 ----A---- C:\WINDOWS\akugosulizego.dll
2009-02-24 18:40:56 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-02-24 13:28:45 ----D---- C:\AV-CLS
2009-02-24 12:45:58 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-24 12:44:13 ----D---- C:\Program Files\SUPERAntiSpyware
2009-02-24 12:44:10 ----D---- C:\Documents and Settings\Talal\Application Data\SUPERAntiSpyware.com
2009-02-24 12:42:18 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-02-23 15:53:04 ----A---- C:\WINDOWS\VPC32.INI
2009-02-23 15:42:31 ----D---- C:\WINDOWS\pss
2009-02-23 11:38:06 ----A---- C:\WINDOWS\iehost.dll
2009-02-20 15:59:50 ----D---- C:\Program Files\Common Files\Download Manager
2009-02-20 15:48:00 ----D---- C:\ComboFix
2009-02-20 15:47:44 ----A---- C:\WINDOWS\system32\CF13187.exe
2009-02-20 15:47:10 ----A---- C:\Bug.txt
2009-02-20 14:59:08 ----A---- C:\WINDOWS\svhoster.exe
2009-02-20 14:59:01 ----A---- C:\WINDOWS\svzip.exe
2009-02-20 14:58:54 ----A---- C:\WINDOWS\runsql.exe
2009-02-20 14:58:51 ----A---- C:\WINDOWS\sv.exe
2009-02-20 14:58:38 ----A---- C:\WINDOWS\svc.exe
2009-02-20 14:58:35 ----A---- C:\WINDOWS\svw.exe
2009-02-20 14:58:21 ----A---- C:\WINDOWS\svx.exe
2009-02-20 14:58:16 ----A---- C:\WINDOWS\vlc.exe
2009-02-20 14:56:14 ----RSH---- C:\WINDOWS\system32\appmgrj.exe
2009-02-20 14:56:12 ----A---- C:\WINDOWS\odb.exe
2009-02-20 14:55:58 ----A---- C:\WINDOWS\Agitus.dll
2009-02-19 18:44:17 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-02-19 17:49:29 ----D---- C:\Program Files\Common Files\Adobe
2009-02-19 17:48:47 ----D---- C:\Program Files\Adobe
2009-02-13 13:01:56 ----HDC---- C:\WINDOWS\$NtUninstallKB960715$
2009-02-12 17:24:40 ----D---- C:\Program Files\Doremisoft
2009-02-12 17:19:29 ----D---- C:\Program Files\DVDVideoSoft
2009-02-12 17:19:29 ----D---- C:\Program Files\Common Files\DVDVideoSoft
2009-02-12 17:10:12 ----D---- C:\Program Files\Free Flash Flv MP3 Converter
2009-02-12 16:51:30 ----D---- C:\WINDOWS\system32\appmgmt
2009-02-12 12:11:36 ----D---- C:\Mp3 Output
2009-02-12 12:11:03 ----A---- C:\WINDOWS\system32\xvidcore.dll
2009-02-12 12:11:03 ----A---- C:\WINDOWS\system32\libmp3lame-0.dll
2009-02-12 11:58:16 ----A---- C:\WINDOWS\system32\TubeFinder.exe
2009-02-12 11:58:10 ----A---- C:\WINDOWS\system32\VB6STKIT.DLL
2009-02-12 11:58:10 ----A---- C:\WINDOWS\system32\VB6FR.DLL
2009-02-12 11:58:09 ----A---- C:\WINDOWS\system32\PCCLPFR.DLL
2009-02-12 11:58:09 ----A---- C:\WINDOWS\system32\MSCMCFR.DLL
2009-02-12 11:58:07 ----A---- C:\WINDOWS\system32\CMDLGFR.DLL
2009-02-12 11:58:06 ----D---- C:\Program Files\Free FLV Converter
2009-02-11 17:18:43 ----D---- C:\Program Files\QuickTime
2009-02-11 17:18:40 ----D---- C:\Documents and Settings\All Users\Application Data\Apple Computer
2009-02-05 16:07:02 ----A---- C:\WINDOWS\winamp.ini
2009-02-05 16:06:45 ----D---- C:\Program Files\Winamp
2009-02-05 16:03:20 ----D---- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2009-02-05 16:03:16 ----D---- C:\Program Files\NCH Software
2009-02-05 16:03:15 ----D---- C:\Documents and Settings\Talal\Application Data\NCH Swift Sound
2009-02-05 16:01:46 ----D---- C:\Program Files\NCH Swift Sound

======List of files/folders modified in the last 1 months======

2009-03-02 11:47:23 ----RD---- C:\Program Files
2009-03-02 11:38:52 ----D---- C:\Program Files\Mozilla Firefox
2009-03-02 11:38:13 ----D---- C:\WINDOWS
2009-03-02 11:37:29 ----D---- C:\WINDOWS\Temp
2009-03-02 11:37:19 ----D---- C:\WINDOWS\system32
2009-03-02 11:35:18 ----D---- C:\Program Files\Symantec AntiVirus
2009-02-27 18:56:39 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-02-27 15:18:42 ----D---- C:\WINDOWS\Prefetch
2009-02-27 15:17:02 ----SHD---- C:\WINDOWS\Installer
2009-02-27 15:17:02 ----HD---- C:\Config.Msi
2009-02-27 14:30:07 ----D---- C:\WINDOWS\system32\CatRoot2
2009-02-26 16:03:47 ----HD---- C:\WINDOWS\inf
2009-02-25 16:49:10 ----D---- C:\WINDOWS\system32\config
2009-02-24 18:41:01 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-02-24 16:48:36 ----A---- C:\WINDOWS\CLARIS.INI
2009-02-24 12:42:18 ----D---- C:\Program Files\Common Files
2009-02-24 12:16:31 ----RASH---- C:\boot.ini
2009-02-24 12:16:31 ----A---- C:\WINDOWS\win.ini
2009-02-24 12:16:31 ----A---- C:\WINDOWS\system.ini
2009-02-24 11:52:06 ----HD---- C:\WINDOWS\$hf_mig$
2009-02-23 13:45:33 ----D---- C:\WINDOWS\system32\Restore
2009-02-20 15:26:25 ----D---- C:\WINDOWS\Debug
2009-02-20 15:26:19 ----D---- C:\WINDOWS\Minidump
2009-02-20 15:14:46 ----RSD---- C:\WINDOWS\Fonts
2009-02-19 17:52:01 ----D---- C:\Documents and Settings\Talal\Application Data\Adobe
2009-02-17 15:25:23 ----D---- C:\Documents and Settings\Talal\Application Data\Any Video Converter
2009-02-13 13:10:39 ----D---- C:\Program Files\Internet Explorer
2009-02-13 13:01:01 ----D---- C:\WINDOWS\ie7updates
2009-02-10 17:49:14 ----SD---- C:\Documents and Settings\Talal\Application Data\Microsoft

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-03 36096]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 SAVRT;SAVRT; \??\C:\Program Files\Symantec AntiVirus\savrt.sys []
R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2004-03-11 263616]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.6.0.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2009-01-29 21425]
R2 BtnHnd;BtnHnd; \??\C:\Program Files\Fujitsu\BtnHnd\BtnHnd.sys []
R2 FlashDrv;FlashDrv; \??\C:\PROGRA~1\Fujitsu\FlashAid\FlashDrv.sys []
R2 rimsptsk;rimsptsk; C:\WINDOWS\System32\DRIVERS\rimsptsk.sys [2006-12-20 43520]
R2 rismxdp;Ricoh xD-Picture Card Driver; C:\WINDOWS\System32\DRIVERS\rixdptsk.sys [2007-07-30 38400]
R2 s24trans;WLAN Transport; C:\WINDOWS\system32\DRIVERS\s24trans.sys [2006-10-19 12544]
R2 SAVRTPEL;SAVRTPEL; \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys []
R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\System32\DRIVERS\AGRSM.sys [2005-05-13 1094881]
R3 ApfiltrService;Alps Pointing-device Filter Driver; C:\WINDOWS\System32\DRIVERS\Apfiltr.sys [2004-07-05 103391]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2004-08-03 60800]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys [2004-10-11 45056]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [2004-08-03 14080]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2004-08-12 137728]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2004-03-21 51088]
R3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2004-03-21 16496]
R3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2004-03-21 21744]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2005-02-22 807742]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2005-02-22 2522560]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090218.003\naveng.sys []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090218.003\navex15.sys []
R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2004-08-03 61824]
R3 risdptsk;risdptsk; C:\WINDOWS\System32\DRIVERS\risdptsk.sys [2006-12-20 38912]
R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
R3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2004-03-11 16288]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-03 20480]
R3 w29n51;Intel® PRO/Wireless 2915ABG Network Connection Driver for Windows XP; C:\WINDOWS\system32\DRIVERS\w29n51.sys [2006-10-25 2208768]
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 sdbus;sdbus; C:\WINDOWS\System32\DRIVERS\sdbus.sys [2004-08-03 67584]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\System32\DRIVERS\sr.sys [2004-08-03 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2004-02-29 255096]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2004-02-29 242808]
R2 DefWatch;Symantec AntiVirus Definition Watcher; C:\Program Files\Symantec AntiVirus\DefWatch.exe [2004-03-12 29928]
R2 EvtEng;Intel® PROSet/Wireless Event Log; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [2006-10-18 434176]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-02-27 152984]
R2 RegSrvc;Intel® PROSet/Wireless Registry Service; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [2006-10-18 327680]
R2 S24EventMonitor;Intel® PROSet/Wireless Service; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [2006-10-18 946176]
R2 Symantec AntiVirus;Symantec AntiVirus; C:\Program Files\Symantec AntiVirus\Rtvscan.exe [2004-03-12 1221864]
R3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2004-03-18 65536]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 ccPwdSvc;Symantec Password Validation; C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe [2004-02-29 87160]
S3 SavRoam;SAVRoam; C:\Program Files\Symantec AntiVirus\SavRoam.exe [2004-03-12 169192]
S3 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2004-03-11 193760]

-----------------EOF-----------------

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


Info.Txt

info.txt logfile of random's system information tool 1.05 2009-03-02 11:48:04

======Uninstall list======

-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Adobe\PDF IFilter 6.0\Uninst.isu"
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD4F051C-1A2B-4A91-B187-B093C597418C}\setup.exe" -l0x9 anything
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat - Reader 6.0.2 Update-->MsiExec.exe /I{AC76BA86-0000-0000-0000-6028747ADE01}
Adobe Acrobat 6.0.1 Professional-->MsiExec.exe /I{AC76BA86-1033-0000-7760-000000000001}
Adobe Acrobat and Reader 6.0.3 Update-->MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000603}
Adobe Acrobat and Reader 6.0.4 Update-->MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000604}
Adobe Acrobat and Reader 6.0.5 Update-->MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000605}
Adobe Acrobat and Reader 6.0.6 Update-->MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000606}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe PDF IFilter 6.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\PDF IFilter 6.0\Uninst.isu"
Agere Systems HDA Modem-->agrsmdel
ALPS Touch Pad Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe" UNINSTALL
Any Video Converter 2.7.0-->"C:\Program Files\Any Video Converter\unins000.exe"
Broadcom 44x 10/100 Integrated Controller-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EC502085-5F63-41A2-A290-41F9F9574270}\Setup.exe" -l0x9 REMOVE
Catan (remove only)-->C:\Program Files\Catan\Uninstall.exe
Express Burn-->C:\Program Files\NCH Swift Sound\ExpressBurn\uninst.exe
Express Rip-->C:\Program Files\NCH Swift Sound\ExpressRip\uninst.exe
FlashAid-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5F9982B9-9C1E-45E7-B7EB-CD6E4787E39D}\setup.exe"
Free Video to Mp3 Converter version 3.1-->"C:\Program Files\DVDVideoSoft\Free Video to Mp3 Converter\unins000.exe"
Free YouTube to Mp3 Converter version 3.1-->"C:\Program Files\DVDVideoSoft\Free YouTube to Mp3 Converter\unins000.exe"
Fujitsu Hotkey Utility-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{675F445D-0944-48DC-962E-DE2E9707AE8E}\setup.exe"
Fujitsu System Extension Utility-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D48CCDB0-5EAB-4ED9-8D3E-8653EFFBFB84}\setup.exe"
High Definition Audio Driver Package - KB835221-->C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB914440)-->"C:\WINDOWS\$NtUninstallKB914440$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB915865)-->"C:\WINDOWS\$NtUninstallKB915865$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB935448)-->"C:\WINDOWS\$NtUninstallKB935448$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
HP Image Zone 4.2-->C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 4.2-->"C:\Program Files\HP\Digital Imaging\{A1062847-0846-427A-92A1-BB8251A91E91}\setup\hpzscr01.exe" -datfile hposcr04.dat
HP Software Update-->MsiExec.exe /X{457791C5-D702-4143-A7B2-2744BE9573F2}
Intel® Graphics Media Accelerator Driver for Mobile-->RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2792 PCI\VEN_8086&DEV_2592
Intel® PROSet/Wireless Software-->C:\WINDOWS\Installer\iProInst.exe
Java™ 6 Update 12-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216012FF}
LifeBook Application Panel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A3E762D5-87D1-468F-9942-58C31982E917}\setup.exe"
LiveUpdate 2.0 (Symantec Corporation)-->C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
mCore-->MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDriver-->MsiExec.exe /I{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}
mDrWiFi-->MsiExec.exe /I{90CC4231-94AC-45CD-991A-0253BFAC0650}
mHelp-->MsiExec.exe /I{8C6BB412-D3A8-4AAE-A01B-35B681789D68}
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
mIWA-->MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView-->MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse-->MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Mozilla Firefox (3.0.5)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
mPfMgr-->MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz-->MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe-->MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
mWlsSafe-->MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML-->MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig-->MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
QuickTime-->MsiExec.exe /I{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" REMOVE
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Switch Sound File Converter-->C:\Program Files\NCH Swift Sound\Switch\uninst.exe
Symantec AntiVirus-->MsiExec.exe /I{848AC794-8B81-440A-81AE-6474337DB527}
Uninstall 1.0.0.1-->"C:\Program Files\Common Files\DVDVideoSoft\unins000.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB904942)-->"C:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
VLC media player 0.9.8a-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Winamp (remove only)-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows XP Service Pack 2-->C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe

======Hosts File======

127.0.0.1 mpa.one.microsoft.com

System event log

Computer Name: AAA-P52Q20WKGQ5
Event Code: 7035
Message: The Windows Firewall/Internet Connection Sharing (ICS) service was successfully sent a stop control.

Record Number: 5
Source Name: Service Control Manager
Time Written: 20090225170050.000000-480
Event Type: information
User: AAA-P52Q20WKGQ5\Talal

Computer Name: AAA-P52Q20WKGQ5
Event Code: 6005
Message: The Event log service was started.

Record Number: 4
Source Name: EventLog
Time Written: 20090225165939.000000-480
Event Type: information
User:

Computer Name: AAA-P52Q20WKGQ5
Event Code: 6009
Message: Microsoft ® Windows ® 5.01. 2600 Service Pack 2 Uniprocessor Free.

Record Number: 3
Source Name: EventLog
Time Written: 20090225165939.000000-480
Event Type: information
User:

Computer Name: AAA-P52Q20WKGQ5
Event Code: 6006
Message: The Event log service was stopped.

Record Number: 2
Source Name: EventLog
Time Written: 20090225165838.000000-480
Event Type: information
User:

Computer Name: AAA-P52Q20WKGQ5
Event Code: 7035
Message: The SASENUM service was successfully sent a start control.

Record Number: 1
Source Name: Service Control Manager
Time Written: 20090225164957.000000-480
Event Type: information
User: AAA-P52Q20WKGQ5\Talal

Application event log

Computer Name: AAA-P52Q20WKGQ5
Event Code: 26
Message: Application starting

Record Number: 5
Source Name: ccEvtMgr
Time Written: 20090225170008.000000-480
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: AAA-P52Q20WKGQ5
Event Code: 0
Message:
Record Number: 4
Source Name: RegSrvc
Time Written: 20090225165957.000000-480
Event Type: information
User:

Computer Name: AAA-P52Q20WKGQ5
Event Code: 1
Message: Application started

Record Number: 3
Source Name: ccSetMgr
Time Written: 20090225165954.000000-480
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: AAA-P52Q20WKGQ5
Event Code: 26
Message: Application starting

Record Number: 2
Source Name: ccSetMgr
Time Written: 20090225165954.000000-480
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: AAA-P52Q20WKGQ5
Event Code: 0
Message:
Record Number: 1
Source Name: EvtEng
Time Written: 20090225165943.000000-480
Event Type: information
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 13 Stepping 8, GenuineIntel
"PROCESSOR_REVISION"=0d08
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip

-----------------EOF-----------------


-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
GMER.Txt

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-03-02 12:30:21
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT E1814350 ZwConnectPort

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Classes\CLSID\{020487CC-FC04-4B1E-863F-D9801796230B}\InProcServer32@ C:\DOCUME~1\Talal\LOCALS~1\Temp\wndutl32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{020487CC-FC04-4B1E-863F-D9801796230B}\InProcServer32@ThreadingModel Apartment

---- Files - GMER 1.0.14 ----

File C:\Documents and Settings\Talal\Local Settings\Temporary Internet Files\Content.IE5\OS1S7OGC\iframes_awempire_com[1].htm 0 bytes
File C:\Documents and Settings\Talal\Local Settings\Temporary Internet Files\Content.IE5\T0N2QNA2\jasmin[1].css 0 bytes

---- EOF - GMER 1.0.14 ----



I also seem to have a program called XPpolice that acts as an Antivirus, but isn't. It's just on the computer messing with my Internet Explorer & timing out pages. Also I'm not sure if it's a fake warning, but a box that says Symantec pops up saying there is a virus of some sort called Bloodhound.exploit & Downloader.Psyme that has been Quarantined. I've used SUPERantispyware and got rid of the little round red box with the white X in the middle, but I still get script errors from Internet Explorer even though I'm not using it and sometimes sex sounds play randomly from out of nowhere.

There are the logs :thumbup2:

Edited by Nolimit4show, 02 March 2009 - 04:08 PM.


#4 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:04:32 PM

Posted 04 March 2009 - 12:16 PM

Hi Nolimit4show,



Step1

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.



Step2


1. Please run HijackThis! and click "Do a system scan only." Place checks next to the following entries (if present):


F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: WinGDI Class - {12c7290a-157b-4f43-b109-97e792c598ed} - C:\WINDOWS\iehost.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Agena] rundll32.exe "C:\WINDOWS\Agitus.dll",e
O4 - HKLM\..\Run: [odb] C:\WINDOWS\odb.exe
O4 - HKLM\..\Run: [UpdateWin] C:\WINDOWS\system32\appmgrj.exe
O4 - HKLM\..\Run: [Ovosapupiye] rundll32.exe "C:\WINDOWS\akugosulizego.dll",e
O4 - HKLM\..\RunServices: [UpdateWin] C:\WINDOWS\system32\appmgrj.exe
O4 - HKCU\..\Run: [UpdateWin] C:\WINDOWS\system32\appmgrj.exe
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O4 - HKCU\..\RunServices: [UpdateWin] C:\WINDOWS\system32\appmgrj.exe
O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe (User 'Default)
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O22 - SharedTaskScheduler: IPC Configuration Utility - IPC Configuration Utility - (no file)


Close all browsers and other windows except for HijackThis!, and click "Fix Checked".

Restart your pc.

2.
Navigate to Start | Run and copy/paste the following into the run box:

regedit /e c:\registrybackup.reg

Now click OK. It won't appear to be doing anything, that's normal. Your mouse pointer may turn to an hour glass for a minute. Please continue when it no longer has the hour glass.


3.
Download OTMoveIt3.exe by OldTimer and save it to your desktop.
  • Double click on OTMoveIt3.exe to run it
  • Copy & paste the contents of the Code box below into Paste Instructions for Items to be Moved
  • Note: Do not type it out to minimize the risk of typo error
    :Processes 
    explorer.exe
    odb.exe
    
    :Files
    C:\WINDOWS\system32\ntos.exe
    C:\WINDOWS\Agitus.dll
    C:\WINDOWS\odb.exe
    C:\WINDOWS\system32\appmgrj.exe
    C:\WINDOWS\akugosulizego.dll
    C:\Program Files\XPPoliceAntivirus
    C:\WINDOWS\iehost.dll
    C:\WINDOWS\system32\wsnpoem
    C:\WINDOWS\VPC32.INI
    
    :Reg
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PoliceAV]
    
    :Commands
    [EmptyTemp]
    [start explorer]
    [Reboot]
  • Click on MoveIt!
  • When done, click on Exit
  • Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Choose Yes.
  • A log will be produced at C:\_OTMoveIt\MovedFiles\date_time.log, where date_time are numbers. Post this log in your next reply.
  • You can refer to this tutorial

Step3

Please download Malwarebytes' Anti-Malware from Here or Here
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM, or you can find it here:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Copy&Paste the entire report in your next reply

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.




In your next reply, please post back:

1.OTmoveIT log
2.MBAM log
3.SDFix log
4.New HJT log

Tell me how your pc is running now.
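The HijackThis entries sundavis singled out above share a few persistence patterns that are worth recognising on their own rather than memorising file names: an extra program appended to Winlogon's UserInit value, a Run value named `userinit` that imitates it, entries under the Windows 9x-only RunServices key, DLLs and executables dropped straight into C:\WINDOWS instead of a program folder, and a policy that disables regedit. The Python script below is an added example, not part of this thread and not HijackThis code; it applies those heuristics to a constructed sample log assembled from entries in the logs above (both the ones to fix and benign ones from the later clean log). The rule wording and the `Finding` type are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample log (assembled from entries quoted in the thread, not a
# log pasted by the poster): flagged entries mixed with benign ones.
SAMPLE_HJT_LINES = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: WinGDI Class - {12c7290a-157b-4f43-b109-97e792c598ed} - C:\WINDOWS\iehost.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Agena] rundll32.exe "C:\WINDOWS\Agitus.dll",e
O4 - HKLM\..\RunServices: [UpdateWin] C:\WINDOWS\system32\appmgrj.exe
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

# The only program Winlogon should launch from the UserInit value on XP.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# A .exe/.dll sitting directly in C:\WINDOWS (no further subdirectory).
WINDIR_ROOT_FILE = re.compile(r'C:\\WINDOWS\\[^\\\s"]+\.(?:exe|dll)\b', re.IGNORECASE)

# O4 lines look like:  O4 - HKLM\..\Run: [ValueName] command line
O4_ENTRY = re.compile(
    r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)


@dataclass(frozen=True)
class Finding:
    line: str    # the HijackThis line that triggered the rule
    reason: str  # why it deserves a closer look


def triage_hjt(text: str) -> list[Finding]:
    """Apply a handful of persistence heuristics to HijackThis log lines."""
    findings: list[Finding] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons: list[str] = []

        # F2: anything chained onto UserInit besides the real userinit.exe
        # runs at every logon, before the shell.
        if line.startswith("F2 - REG:system.ini: UserInit="):
            value = line.split("UserInit=", 1)[1]
            extras = [p.strip() for p in value.split(",")
                      if p.strip() and p.strip().lower() != DEFAULT_USERINIT]
            if extras:
                reasons.append("extra program chained onto Winlogon UserInit: "
                               + ", ".join(extras))

        m = O4_ENTRY.match(line)
        if m:
            # RunServices is a Windows 9x/ME key; XP itself never writes it.
            if m.group("key").lower().startswith("runservices"):
                reasons.append("RunServices is a Windows 9x key; XP never populates it itself")
            # A Run value called 'userinit' borrows the name of the Winlogon value.
            if m.group("name").lower() == "userinit":
                reasons.append("Run value named 'userinit' imitates the Winlogon value")

        # Heuristic: legitimate software installs into Program Files or
        # system32; loaders dropped straight into C:\WINDOWS stand out.
        if line.startswith(("O4 - ", "O2 - ")) and WINDIR_ROOT_FILE.search(line):
            reasons.append("binary loaded directly from C:\\WINDOWS root")

        # O7: a policy that locks the user out of regedit.
        if line.startswith("O7 - ") and "DisableRegedit=1" in line:
            reasons.append("policy disables regedit, a common rogue-AV tamper step")

        findings.extend(Finding(line, r) for r in reasons)
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LINES):
        print(f"{f.reason}\n    {f.line}")
```

The C:\WINDOWS-root rule is deliberately a heuristic: some OEM utilities live there too (the AGRSMMSG.exe and RTHDCPL.EXE entries in the clean log later in this thread, for instance), so a hit means "look at this", not "fix this". The UserInit, RunServices and DisableRegedit rules are much more specific and rarely fire on a clean XP machine.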

#5 Nolimit4show

Nolimit4show
  • Topic Starter

  • Members
  • 6 posts
  • Local time:02:32 PM

Posted 05 March 2009 - 08:04 PM

Computer is running quicker, I can now use the Application Manager (aka Ctrl+Alt+Delete) and I can use Internet Explorer without script errors or Timed Out errors marketing XP Police... which really helps me a lot because I can do my insurance work. (Firefox doesn't open up the insurance programs)

Two errors I found so far though. The first, a small window that popped up after doing the OTMoveIt step & rebooting, was: ERROR Loading c:\Windows\akugosalizego.dll, The specified module could not be found.
But after I did Malwarebytes and rebooted I didn't see the message again.

Also I have a window on my desktop that states: You may be a victim of software counterfeiting. This copy of Windows did not pass genuine Windows validation.

Other than that everything is peachy.


OTMoveIT Log

========== PROCESSES ==========
Process explorer.exe killed successfully.
Unable to kill process: odb.exe
========== FILES ==========
File/Folder C:\WINDOWS\system32\ntos.exe not found.
DllUnregisterServer procedure not found in C:\WINDOWS\Agitus.dll
C:\WINDOWS\Agitus.dll NOT unregistered.
C:\WINDOWS\Agitus.dll moved successfully.
C:\WINDOWS\odb.exe moved successfully.
File/Folder C:\WINDOWS\system32\appmgrj.exe not found.
C:\WINDOWS\akugosulizego.dll NOT unregistered.
Unable to move file C:\WINDOWS\akugosulizego.dll.
File/Folder C:\Program Files\XPPoliceAntivirus not found.
File/Folder C:\WINDOWS\iehost.dll not found.
File/Folder C:\WINDOWS\system32\wsnpoem not found.
Unable to move file C:\WINDOWS\VPC32.INI.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PoliceAV\\ deleted successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_6b8.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Talal\Local Settings\Application Data\Mozilla\Firefox\Profiles\o9bt8a7p.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Talal\Local Settings\Application Data\Mozilla\Firefox\Profiles\o9bt8a7p.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Talal\Local Settings\Application Data\Mozilla\Firefox\Profiles\o9bt8a7p.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Talal\Local Settings\Application Data\Mozilla\Firefox\Profiles\o9bt8a7p.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Talal\Local Settings\Application Data\Mozilla\Firefox\Profiles\o9bt8a7p.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Talal\Local Settings\Application Data\Mozilla\Firefox\Profiles\o9bt8a7p.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03052009_160222

Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_6b8.dat not found!
C:\Documents and Settings\Talal\Local Settings\Application Data\Mozilla\Firefox\Profiles\o9bt8a7p.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Talal\Local Settings\Application Data\Mozilla\Firefox\Profiles\o9bt8a7p.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Talal\Local Settings\Application Data\Mozilla\Firefox\Profiles\o9bt8a7p.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Talal\Local Settings\Application Data\Mozilla\Firefox\Profiles\o9bt8a7p.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Talal\Local Settings\Application Data\Mozilla\Firefox\Profiles\o9bt8a7p.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Talal\Local Settings\Application Data\Mozilla\Firefox\Profiles\o9bt8a7p.default\XUL.mfl moved successfully.


MBAM Log

Malwarebytes' Anti-Malware 1.34
Database version: 1822
Windows 5.1.2600 Service Pack 2

3/5/2009 4:26:35 PM
mbam-log-2009-03-05 (16-26-35).txt

Scan type: Quick Scan
Objects scanned: 63457
Time elapsed: 5 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\wingdiapp.wingdi (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\wingdiapp.wingdi.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{020487cc-fc04-4b1e-863f-d9801796230b} (Trojan.FakeAlert) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{12c7290a-157b-4f43-b109-97e792c598ed} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XP Police Antivirus (Rogue.XP-Police-Antivirus) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{f710fa10-2031-3106-8872-93a2b5c5c620} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ovosapupiye (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Talal\Application Data\config.cfg (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Talal\Application Data\~tmp.html (Malware.Trace) -> Quarantined and deleted successfully.

SDfix Log

SDFix: Version 1.240
Run by Talal on Thu 03/05/2009 at 02:48 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\appmgrj.exe - Deleted
C:\WINDOWS\runsql.exe - Deleted
C:\WINDOWS\sv.exe - Deleted
C:\WINDOWS\svc.exe - Deleted
C:\WINDOWS\svhoster.exe - Deleted
C:\WINDOWS\svw.exe - Deleted
C:\WINDOWS\svx.exe - Deleted
C:\WINDOWS\svzip.exe - Deleted
C:\WINDOWS\vlc.exe - Deleted
C:\WINDOWS\system32\ntos.exe - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-05 14:56:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 7 Apr 1997 1,640,259 A..H. --- "C:\FMPRO 0307\CLARIS\ClarisWorks Translators\FMPRO\FMPRO.EXE"
Mon 7 Apr 1997 1,640,259 A..H. --- "C:\Documents and Settings\Talal\Desktop\ALL INSURANCE FILES ALL CO\ZFM FMPRO FILE MAKER\FMPRO 0307\CLARIS\ClarisWorks Translators\FMPRO\FMPRO.EXE"

Finished!

HJThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:33:28 PM, on 3/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\System32\igfxext.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\trend micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://eagent.farmersinsurance.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://eagent.farmersinsurance.com/PLA/eAg...ctiveX/smsx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1233280502806
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1233283381901
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7863 bytes


Thanks for all your help!

#6 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:04:32 PM

Posted 06 March 2009 - 03:00 AM

Hi Nolimit4show,


As to the error message, please go to Here for your reference. The logs look good, but we still need to check your status one more time. Until then, you should be good to go. Please be patient and do the following.


Step1


Let's clean some temp files. Please do the following:

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.


If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Step2


Please do an online scan with Kaspersky Online Scanner.
  • Please go to Kaspersky Online Scanner and perform an online antivirus scan.
  • Click Accept button on the "Requirements and limitations".
  • When the Java warning "The application digital signature has been verified. Do you want to run the application" appears, click on the "Run" button.
  • It will download and install the program and update the database.
  • When Updating the database have finished, click on Settings.
  • Make sure all boxes are checked. then click on the Save button.
  • Click on My Computer under Scan menu. It will start scanning, so be patient and let it run.
  • Once the scan is completed, Click on View Scan Report.
  • You may see a list of infected items over there. Click on Save Report As.
  • Click "Desktop" , Name the file as "KAS", Change the Files of type to Text file (.txt) and Click on Save button.
  • Please post the contents in your next reply.
  • You can refer to this animation
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



Please post back the logs in your next reply.


1. KAS Scan Report
2. New RSIT log (before running RSIT, delete the folder C:\rsit)

Tell me how your pc is running now.

#7 Nolimit4show

Nolimit4show
  • Topic Starter

  • Members
  • 6 posts
  • Local time:02:32 PM

Posted 06 March 2009 - 09:04 PM

I didn't reboot after I finished both steps, but 2 weird things I see are:

1. My desktop background is all black and has that stupid Advantage Notification (I think it's doing that to my background on purpose)

2. This site's interface is gone, I don't see boxes or borders... looks weird.

KAS LOG!

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, March 6, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, March 06, 2009 21:45:50
Records in database: 1875325
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 43102
Threat name: 13
Infected objects: 116
Suspicious objects: 0
Duration of the scan: 01:50:22


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01900000.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01900001.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04600000.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04600001.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04600002.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04600003.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04600004.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04600005.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04600006.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04600007.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04600008.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04600009.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0460000A.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0460000B.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0460000C.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0460000D.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0460000E.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0460000F.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04600010.VBN Infected: Exploit.JS.ADODB.Stream.ac 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04600011.VBN Infected: Exploit.Win32.Pidief.gx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04600012.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04600013.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04600014.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04600015.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04600016.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04600017.VBN Infected: Exploit.JS.ADODB.Stream.ac 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04600018.VBN Infected: Exploit.Win32.Pidief.gx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04600019.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0460001A.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0460001B.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0460001C.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04680000.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04680001.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04680002.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\046C0000.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\046C0001.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04DC0000.VBN Infected: Trojan.Win32.Agent.braw 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E80000.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E80001.VBN Infected: Exploit.JS.ADODB.Stream.ac 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E80002.VBN Infected: Exploit.JS.ADODB.Stream.ac 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E80003.VBN Infected: Exploit.Win32.Pidief.gx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05980000.VBN Infected: Trojan-Downloader.Win32.FraudLoad.vkwp 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80000.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80001.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80002.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80003.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80004.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80005.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80006.VBN Infected: Exploit.JS.ADODB.Stream.ac 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80007.VBN Infected: Exploit.Win32.Pidief.gx 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80008.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80009.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D8000A.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D8000B.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D8000C.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D8000D.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D8000E.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D8000F.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80010.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80011.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80012.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80013.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80014.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80015.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80016.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80017.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80018.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80019.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D8001A.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D8001B.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D8001C.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D8001D.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D8001E.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D8001F.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80020.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80021.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80022.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80023.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80024.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80025.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80026.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80027.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80028.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80029.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D8002A.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D8002B.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D8002C.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D8002D.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D8002E.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D8002F.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80030.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80031.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80032.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80033.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80034.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80035.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80036.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05D80037.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07880001.VBN Infected: Exploit.JS.ADODB.Stream.ac 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C240000.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C240001.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C240002.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C240003.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C240004.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C240005.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C2C0000.VBN Infected: Exploit.JS.XMLPars.y 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C2C0001.VBN Infected: Exploit.JS.XMLPars.y 1
C:\SDFix\backups\backups.zip Infected: Trojan-Dropper.Win32.Agent.ahpg 1
C:\SDFix\backups\backups.zip Infected: Trojan-Downloader.Win32.Banload.abpm 1
C:\SDFix\backups\backups.zip Infected: Trojan-Clicker.Win32.Agent.gtt 1
C:\SDFix\backups\backups.zip Infected: Trojan-Clicker.Win32.Agent.gsa 1
C:\SDFix\backups\backups.zip Infected: Trojan-Clicker.Win32.Agent.gsc 1
C:\SDFix\backups\backups.zip Infected: Trojan-Clicker.Win32.Delf.caj 1
C:\SDFix\backups\backups.zip Infected: Trojan-Clicker.Win32.Delf.cah 1
C:\_OTMoveIt\MovedFiles\03052009_160222\WINDOWS\Agitus.dll Infected: Trojan-Dropper.Win32.Agent.ahwk 1
C:\_OTMoveIt\MovedFiles\03052009_160222\WINDOWS\odb.exe Infected: Trojan-Dropper.Win32.Agent.ahpg 1

The selected area was scanned.

---------------------------------------------------------------------------------------------------------------------------

RSIT LOG.txt

Logfile of random's system information tool 1.05 (written by random/random)
Run by Talal at 2009-03-06 16:00:09
Microsoft Windows XP Professional Service Pack 2
System drive C: has 63 GB (82%) free of 76 GB
Total RAM: 502 MB (18% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:00:23 PM, on 3/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINDOWS\System32\igfxext.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Talal\Desktop\BleepingCpu Malware Programs\Step 1\RSIT.exe
C:\Program Files\trend micro\HijackThis\Talal.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://eagent.farmersinsurance.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [LoadFujitsuQuickTouch] C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [LoadFUJ02E3] C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://eagent.farmersinsurance.com/PLA/eAg...ctiveX/smsx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1233280502806
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1233283381901
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8080 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll [2003-11-03 54248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
AcroIEToolbarHelper Class - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-02-27 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-02-27 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2004-02-29 66680]
"vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe [2004-03-12 124128]
"LoadFujitsuQuickTouch"=C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe [2005-02-25 242688]
"LoadBtnHnd"=C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe [2005-02-25 61440]
"IndicatorUtility"=C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe [2005-02-28 81920]
"Apoint"=C:\Program Files\Apoint2K\Apoint.exe [2004-07-02 163840]
"AzMixerSel"=C:\Program Files\Realtek\InstallShield\AzMixerSel.exe [2005-02-18 53248]
"LoadFUJ02E3"=C:\Program Files\Fujitsu\FUJ02E3\FUJ02E3.exe [2005-02-25 69632]
"HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe [2005-02-22 126976]
"IntelZeroConfig"=C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe [2006-10-18 802816]
"IntelWireless"=C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe [2006-10-18 696320]
"AGRSMMSG"=C:\WINDOWS\AGRSMMSG.exe [2005-05-11 88204]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2005-02-21 13783040]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2004-02-12 49152]
"HP Component Manager"=C:\Program Files\HP\hpcoretech\hpcmpmgr.exe [2004-05-12 241664]
"WinampAgent"=C:\Program Files\Winamp\Winampa.exe [2002-04-26 12288]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2009-01-05 413696]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-02-27 148888]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2005-02-22 348160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINDOWS\System32\NavLogon.dll [2004-03-12 83176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2c97e188-f165-11dd-a0b8-000b5dc48699}]
shell\AutoRun\command - F:\wd_windows_tools\WDSetup.exe


======List of files/folders created in the last 1 months======

2009-03-06 16:00:09 ----D---- C:\rsit
2009-03-05 16:13:26 ----D---- C:\Documents and Settings\Talal\Application Data\Malwarebytes
2009-03-05 16:13:10 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-03-05 16:13:09 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-03-05 16:02:22 ----D---- C:\_OTMoveIt
2009-03-05 15:29:48 ----D---- C:\Documents and Settings\Talal\Application Data\AdobeUM
2009-03-05 14:41:58 ----D---- C:\WINDOWS\ERUNT
2009-03-05 14:35:14 ----D---- C:\SDFix
2009-03-05 14:26:10 ----A---- C:\WINDOWS\ntbtlog.txt
2009-03-05 14:13:16 ----HD---- C:\WINDOWS\system32\GroupPolicy
2009-03-02 12:01:59 ----A---- C:\WINDOWS\gmer.ini
2009-03-02 12:01:55 ----A---- C:\WINDOWS\gmer_uninstall.cmd
2009-03-02 12:01:54 ----A---- C:\WINDOWS\gmer.exe
2009-03-02 12:01:54 ----A---- C:\WINDOWS\gmer.dll
2009-03-02 11:47:23 ----D---- C:\Program Files\trend micro
2009-02-27 15:17:20 ----D---- C:\WINDOWS\Sun
2009-02-27 15:16:52 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-02-27 15:16:51 ----A---- C:\WINDOWS\system32\javaws.exe
2009-02-27 15:16:51 ----A---- C:\WINDOWS\system32\javaw.exe
2009-02-27 15:16:51 ----A---- C:\WINDOWS\system32\java.exe
2009-02-27 15:16:18 ----D---- C:\Program Files\Java
2009-02-27 15:16:01 ----D---- C:\Documents and Settings\Talal\Application Data\Sun
2009-02-27 11:33:56 ----D---- C:\Program Files\Catan
2009-02-24 18:40:56 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-02-24 12:45:58 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-24 12:44:13 ----D---- C:\Program Files\SUPERAntiSpyware
2009-02-24 12:44:10 ----D---- C:\Documents and Settings\Talal\Application Data\SUPERAntiSpyware.com
2009-02-24 12:42:18 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-02-23 15:53:04 ----A---- C:\WINDOWS\VPC32.INI
2009-02-23 15:42:31 ----D---- C:\WINDOWS\pss
2009-02-20 15:59:50 ----D---- C:\Program Files\Common Files\Download Manager
2009-02-20 15:47:44 ----A---- C:\WINDOWS\system32\CF13187.exe
2009-02-20 15:47:10 ----A---- C:\Bug.txt
2009-02-19 18:44:17 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-02-19 17:49:29 ----D---- C:\Program Files\Common Files\Adobe
2009-02-19 17:48:47 ----D---- C:\Program Files\Adobe
2009-02-13 13:01:56 ----HDC---- C:\WINDOWS\$NtUninstallKB960715$
2009-02-12 17:24:40 ----D---- C:\Program Files\Doremisoft
2009-02-12 17:19:29 ----D---- C:\Program Files\DVDVideoSoft
2009-02-12 17:19:29 ----D---- C:\Program Files\Common Files\DVDVideoSoft
2009-02-12 17:10:12 ----D---- C:\Program Files\Free Flash Flv MP3 Converter
2009-02-12 16:51:30 ----D---- C:\WINDOWS\system32\appmgmt
2009-02-12 12:11:36 ----D---- C:\Mp3 Output
2009-02-12 12:11:03 ----A---- C:\WINDOWS\system32\xvidcore.dll
2009-02-12 12:11:03 ----A---- C:\WINDOWS\system32\libmp3lame-0.dll
2009-02-12 11:58:16 ----A---- C:\WINDOWS\system32\TubeFinder.exe
2009-02-12 11:58:10 ----A---- C:\WINDOWS\system32\VB6STKIT.DLL
2009-02-12 11:58:10 ----A---- C:\WINDOWS\system32\VB6FR.DLL
2009-02-12 11:58:09 ----A---- C:\WINDOWS\system32\PCCLPFR.DLL
2009-02-12 11:58:09 ----A---- C:\WINDOWS\system32\MSCMCFR.DLL
2009-02-12 11:58:07 ----A---- C:\WINDOWS\system32\CMDLGFR.DLL
2009-02-12 11:58:06 ----D---- C:\Program Files\Free FLV Converter
2009-02-11 17:18:43 ----D---- C:\Program Files\QuickTime
2009-02-11 17:18:40 ----D---- C:\Documents and Settings\All Users\Application Data\Apple Computer

======List of files/folders modified in the last 1 months======

2009-03-06 13:43:03 ----D---- C:\WINDOWS\Temp
2009-03-06 13:05:55 ----D---- C:\WINDOWS\Prefetch
2009-03-06 12:33:23 ----D---- C:\Program Files\Mozilla Firefox
2009-03-06 11:31:01 ----D---- C:\WINDOWS
2009-03-06 11:29:57 ----D---- C:\Program Files\Symantec AntiVirus
2009-03-05 19:14:23 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-03-05 18:57:18 ----D---- C:\WINDOWS\system32
2009-03-05 18:53:19 ----A---- C:\WINDOWS\CLARIS.INI
2009-03-05 17:38:03 ----D---- C:\WINDOWS\system32\CatRoot2
2009-03-05 16:30:25 ----RD---- C:\Program Files
2009-03-05 16:30:25 ----D---- C:\WINDOWS\system32\drivers
2009-03-05 15:30:21 ----D---- C:\Documents and Settings\Talal\Application Data\Adobe
2009-03-05 14:47:18 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-03-05 14:26:42 ----D---- C:\Documents and Settings
2009-03-05 14:25:21 ----D---- C:\WINDOWS\security
2009-02-27 15:17:02 ----SHD---- C:\WINDOWS\Installer
2009-02-27 15:17:02 ----HD---- C:\Config.Msi
2009-02-26 16:03:47 ----HD---- C:\WINDOWS\inf
2009-02-25 16:49:10 ----D---- C:\WINDOWS\system32\config
2009-02-24 12:42:18 ----D---- C:\Program Files\Common Files
2009-02-24 12:16:31 ----RASH---- C:\boot.ini
2009-02-24 12:16:31 ----A---- C:\WINDOWS\win.ini
2009-02-24 12:16:31 ----A---- C:\WINDOWS\system.ini
2009-02-24 11:52:06 ----HD---- C:\WINDOWS\$hf_mig$
2009-02-23 13:45:33 ----D---- C:\WINDOWS\system32\Restore
2009-02-20 15:26:25 ----D---- C:\WINDOWS\Debug
2009-02-20 15:26:19 ----D---- C:\WINDOWS\Minidump
2009-02-20 15:14:46 ----RSD---- C:\WINDOWS\Fonts
2009-02-17 18:45:21 ----A---- C:\WINDOWS\winamp.ini
2009-02-17 15:25:23 ----D---- C:\Documents and Settings\Talal\Application Data\Any Video Converter
2009-02-13 13:10:39 ----D---- C:\Program Files\Internet Explorer
2009-02-13 13:01:01 ----D---- C:\WINDOWS\ie7updates
2009-02-10 17:49:14 ----SD---- C:\Documents and Settings\Talal\Application Data\Microsoft

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-03 36096]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 SAVRT;SAVRT; \??\C:\Program Files\Symantec AntiVirus\savrt.sys []
R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2004-03-11 263616]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.6.0.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2009-01-29 21425]
R2 BtnHnd;BtnHnd; \??\C:\Program Files\Fujitsu\BtnHnd\BtnHnd.sys []
R2 FlashDrv;FlashDrv; \??\C:\PROGRA~1\Fujitsu\FlashAid\FlashDrv.sys []
R2 rimsptsk;rimsptsk; C:\WINDOWS\System32\DRIVERS\rimsptsk.sys [2006-12-20 43520]
R2 rismxdp;Ricoh xD-Picture Card Driver; C:\WINDOWS\System32\DRIVERS\rixdptsk.sys [2007-07-30 38400]
R2 s24trans;WLAN Transport; C:\WINDOWS\system32\DRIVERS\s24trans.sys [2006-10-19 12544]
R2 SAVRTPEL;SAVRTPEL; \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys []
R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\System32\DRIVERS\AGRSM.sys [2005-05-13 1094881]
R3 ApfiltrService;Alps Pointing-device Filter Driver; C:\WINDOWS\System32\DRIVERS\Apfiltr.sys [2004-07-05 103391]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2004-08-03 60800]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys [2004-10-11 45056]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [2004-08-03 14080]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2004-08-12 137728]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2004-03-21 51088]
R3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2004-03-21 16496]
R3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2004-03-21 21744]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2005-02-22 807742]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2005-02-22 2522560]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090304.017\naveng.sys []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090304.017\navex15.sys []
R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2004-08-03 61824]
R3 risdptsk;risdptsk; C:\WINDOWS\System32\DRIVERS\risdptsk.sys [2006-12-20 38912]
R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
R3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2004-03-11 16288]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-03 20480]
R3 w29n51;Intel® PRO/Wireless 2915ABG Network Connection Driver for Windows XP; C:\WINDOWS\system32\DRIVERS\w29n51.sys [2006-10-25 2208768]
S3 catchme;catchme; \??\C:\DOCUME~1\Talal\LOCALS~1\Temp\catchme.sys []
S3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2009-03-02 85969]
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 sdbus;sdbus; C:\WINDOWS\System32\DRIVERS\sdbus.sys [2004-08-03 67584]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\System32\DRIVERS\sr.sys [2004-08-03 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2004-02-29 255096]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2004-02-29 242808]
R2 DefWatch;Symantec AntiVirus Definition Watcher; C:\Program Files\Symantec AntiVirus\DefWatch.exe [2004-03-12 29928]
R2 EvtEng;Intel® PROSet/Wireless Event Log; C:\Program Files\Intel\Wireless\Bin\EvtEng.exe [2006-10-18 434176]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-02-27 152984]
R2 RegSrvc;Intel® PROSet/Wireless Registry Service; C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe [2006-10-18 327680]
R2 S24EventMonitor;Intel® PROSet/Wireless Service; C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe [2006-10-18 946176]
R2 Symantec AntiVirus;Symantec AntiVirus; C:\Program Files\Symantec AntiVirus\Rtvscan.exe [2004-03-12 1221864]
R3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2004-03-18 65536]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 ccPwdSvc;Symantec Password Validation; C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe [2004-02-29 87160]
S3 SavRoam;SAVRoam; C:\Program Files\Symantec AntiVirus\SavRoam.exe [2004-03-12 169192]
S3 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2004-03-11 193760]

-----------------EOF-----------------






---------------------------------------------------------------------------------------------------------------------------

RSIT Info.txt


info.txt logfile of random's system information tool 1.05 2009-03-06 16:00:28

======Uninstall list======

-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Adobe\PDF IFilter 6.0\Uninst.isu"
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD4F051C-1A2B-4A91-B187-B093C597418C}\setup.exe" -l0x9 anything
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat - Reader 6.0.2 Update-->MsiExec.exe /I{AC76BA86-0000-0000-0000-6028747ADE01}
Adobe Acrobat 6.0.1 Professional-->MsiExec.exe /I{AC76BA86-1033-0000-7760-000000000001}
Adobe Acrobat and Reader 6.0.3 Update-->MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000603}
Adobe Acrobat and Reader 6.0.4 Update-->MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000604}
Adobe Acrobat and Reader 6.0.5 Update-->MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000605}
Adobe Acrobat and Reader 6.0.6 Update-->MsiExec.exe /I{AC76BA86-0000-7EC8-7489-000000000606}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe PDF IFilter 6.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\PDF IFilter 6.0\Uninst.isu"
Agere Systems HDA Modem-->agrsmdel
ALPS Touch Pad Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe" UNINSTALL
Any Video Converter 2.7.0-->"C:\Program Files\Any Video Converter\unins000.exe"
Broadcom 44x 10/100 Integrated Controller-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EC502085-5F63-41A2-A290-41F9F9574270}\Setup.exe" -l0x9 REMOVE
Catan (remove only)-->C:\Program Files\Catan\Uninstall.exe
Catan Online World-->C:\Program Files\Catan\Catan Online World\uninst.exe
Express Burn-->C:\Program Files\NCH Swift Sound\ExpressBurn\uninst.exe
Express Rip-->C:\Program Files\NCH Swift Sound\ExpressRip\uninst.exe
FlashAid-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5F9982B9-9C1E-45E7-B7EB-CD6E4787E39D}\setup.exe"
Free Video to Mp3 Converter version 3.1-->"C:\Program Files\DVDVideoSoft\Free Video to Mp3 Converter\unins000.exe"
Free YouTube to Mp3 Converter version 3.1-->"C:\Program Files\DVDVideoSoft\Free YouTube to Mp3 Converter\unins000.exe"
Fujitsu Hotkey Utility-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{675F445D-0944-48DC-962E-DE2E9707AE8E}\setup.exe"
Fujitsu System Extension Utility-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D48CCDB0-5EAB-4ED9-8D3E-8653EFFBFB84}\setup.exe"
High Definition Audio Driver Package - KB835221-->C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB914440)-->"C:\WINDOWS\$NtUninstallKB914440$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB915865)-->"C:\WINDOWS\$NtUninstallKB915865$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB935448)-->"C:\WINDOWS\$NtUninstallKB935448$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
HP Image Zone 4.2-->C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 4.2-->"C:\Program Files\HP\Digital Imaging\{A1062847-0846-427A-92A1-BB8251A91E91}\setup\hpzscr01.exe" -datfile hposcr04.dat
HP Software Update-->MsiExec.exe /X{457791C5-D702-4143-A7B2-2744BE9573F2}
Intel® Graphics Media Accelerator Driver for Mobile-->RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2792 PCI\VEN_8086&DEV_2592
Intel® PROSet/Wireless Software-->C:\WINDOWS\Installer\iProInst.exe
Java™ 6 Update 12-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216012FF}
LifeBook Application Panel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A3E762D5-87D1-468F-9942-58C31982E917}\setup.exe"
LiveUpdate 2.0 (Symantec Corporation)-->C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
mCore-->MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDriver-->MsiExec.exe /I{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}
mDrWiFi-->MsiExec.exe /I{90CC4231-94AC-45CD-991A-0253BFAC0650}
mHelp-->MsiExec.exe /I{8C6BB412-D3A8-4AAE-A01B-35B681789D68}
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
mIWA-->MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView-->MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse-->MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Mozilla Firefox (3.0.5)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
mPfMgr-->MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz-->MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe-->MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
mWlsSafe-->MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML-->MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig-->MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
QuickTime-->MsiExec.exe /I{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" REMOVE
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Switch Sound File Converter-->C:\Program Files\NCH Swift Sound\Switch\uninst.exe
Symantec AntiVirus-->MsiExec.exe /I{848AC794-8B81-440A-81AE-6474337DB527}
Uninstall 1.0.0.1-->"C:\Program Files\Common Files\DVDVideoSoft\unins000.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB904942)-->"C:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
VLC media player 0.9.8a-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Winamp (remove only)-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows XP Service Pack 2-->C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe

=====HijackThis Backups=====

O22 - SharedTaskScheduler: IPC Configuration Utility - IPC Configuration Utility - (no file)
O4 - HKLM\..\Run: [Agena] rundll32.exe "C:\WINDOWS\Agitus.dll",e
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O2 - BHO: WinGDI Class - {12c7290a-157b-4f43-b109-97e792c598ed} - C:\WINDOWS\iehost.dll
O4 - HKLM\..\Run: [Ovosapupiye] rundll32.exe "C:\WINDOWS\akugosulizego.dll",e
O4 - HKLM\..\Run: [odb] C:\WINDOWS\odb.exe
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [Ovosapupiye] rundll32.exe "C:\WINDOWS\akugosulizego.dll",e

======Hosts File======

127.0.0.1 localhost

System event log

Computer Name: AAA-P52Q20WKGQ5
Event Code: 7035
Message: The Windows Firewall/Internet Connection Sharing (ICS) service was successfully sent a stop control.

Record Number: 5
Source Name: Service Control Manager
Time Written: 20090225170050.000000-480
Event Type: information
User: AAA-P52Q20WKGQ5\Talal

Computer Name: AAA-P52Q20WKGQ5
Event Code: 6005
Message: The Event log service was started.

Record Number: 4
Source Name: EventLog
Time Written: 20090225165939.000000-480
Event Type: information
User:

Computer Name: AAA-P52Q20WKGQ5
Event Code: 6009
Message: Microsoft ® Windows ® 5.01. 2600 Service Pack 2 Uniprocessor Free.

Record Number: 3
Source Name: EventLog
Time Written: 20090225165939.000000-480
Event Type: information
User:

Computer Name: AAA-P52Q20WKGQ5
Event Code: 6006
Message: The Event log service was stopped.

Record Number: 2
Source Name: EventLog
Time Written: 20090225165838.000000-480
Event Type: information
User:

Computer Name: AAA-P52Q20WKGQ5
Event Code: 7035
Message: The SASENUM service was successfully sent a start control.

Record Number: 1
Source Name: Service Control Manager
Time Written: 20090225164957.000000-480
Event Type: information
User: AAA-P52Q20WKGQ5\Talal

Application event log

Computer Name: AAA-P52Q20WKGQ5
Event Code: 26
Message: Application starting

Record Number: 5
Source Name: ccEvtMgr
Time Written: 20090225170008.000000-480
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: AAA-P52Q20WKGQ5
Event Code: 0
Message:
Record Number: 4
Source Name: RegSrvc
Time Written: 20090225165957.000000-480
Event Type: information
User:

Computer Name: AAA-P52Q20WKGQ5
Event Code: 1
Message: Application started

Record Number: 3
Source Name: ccSetMgr
Time Written: 20090225165954.000000-480
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: AAA-P52Q20WKGQ5
Event Code: 26
Message: Application starting

Record Number: 2
Source Name: ccSetMgr
Time Written: 20090225165954.000000-480
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: AAA-P52Q20WKGQ5
Event Code: 0
Message:
Record Number: 1
Source Name: EvtEng
Time Written: 20090225165943.000000-480
Event Type: information
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 13 Stepping 8, GenuineIntel
"PROCESSOR_REVISION"=0d08
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip

-----------------EOF-----------------


So, thanks for the time spent on helping me clean this crap. I probably won't see this computer till next Monday, so don't give up on me, I just don't work weekends. In the meantime the CPU will be turned off and unplugged from the internet.

THANKS!

#8 sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling

Posted 07 March 2009 - 04:57 AM

Hi Nolimit4show,



The Kas online scan only displayed some infected files in Symantec Quarantine, SDFix backups and OTMoveIT folder. Please do the following:

Please show all files and navigate to the following filepath to empty the contents in Symantec Quarantine folder.

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine

After that, please use Windows Explorer to find and delete the following files:

C:\WINDOWS\VPC32.INI
C:\WINDOWS\system32\CF13187.exe

Other than that, you are all clean now. :thumbup2: Let's do some tidy-up.



Step1

1. Double click OTMoveIt3.exe to launch it.
2. Click on the CleanUp! button.
3. OTMoveIt will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. You will be prompted to allow the clean up procedure, click Yes.
5. When finished, OT will remove itself. If not, delete it yourself.

Remember to delete RSIT, including the folder C:\rsit and all the logs we have used.

Step2

Click Start > Run, type or copy/paste the following command into the Run box, then hit Enter to uninstall gmer.

%systemroot%\gmer_uninstall.cmd

Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:


  • Flush system restore - Don't skip this step

    Please go to Windows XP System Restore Guide

    Flush system restore points as instructed in the Windows XP System Restore Guide. The infected files will be removed automatically.

    NOTE: only do this ONCE, not on a regular basis.

  • Reconfigure Windows XP to hide hidden files:

    Click Start. Open My Computer.
    Select the "Tools menu" and click "Folder Options". Select the "View Tab".
    Under the Hidden files and folders heading deselect "Show hidden files and folders".
    Check the "Hide protected operating system files (recommended)" option.
    Click Yes to confirm. Click OK.

  • Update your antivirus programs

    Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your pc.
    Secunia Software Inspector
    F-secure Health Check

  • Update your Adobe Acrobat Reader

    Old versions may have vulnerabilities that malware can use to infect your system. Please download Adobe Reader 9 to your desktop.

    Uninstall the old Adobe Reader from Start > Control Panel > Add/Remove Programs. Install the new one.

  • Keep your system updated

    Visit Microsoft's Windows Update Site Frequently.

  • Update SP3

    Microsoft has released the latest upgrades to the XP OS platform, which can be referenced HERE. It is critical to stay up to date with the latest upgrades to your Operating System, as this can help prevent future problems. Windows XP Service Pack 3 (SP3) includes all previously released updates for the operating system. I recommend that you visit the link above and apply the SP3 patch.

  • Make your Internet Explorer more secure

    Please refer to this thread to configure Internet Explorer 7 properly.

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Install a-squared Free - a-squared Free is a product from Emsi Software, provided free for private use, that can detect and remove a variety of malicious software. If you have a dial-up internet connection, you may also like to install a-squared Anti-Dialer, which provides some real-time protection against premium-rate dialers.

    A tutorial on installing & using this product can be found here:

    Clean your PC with a-squared Free

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information here on how to prevent malware.


Glad to be of help. Safe surfing!!

#9 Baabiouz

    Finnish Malware Fighter


  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland

Posted 09 March 2009 - 01:13 PM

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.