Possible Winfixer, Definite Ameana.com Infection


  • This topic is locked
9 replies to this topic

#1 Thiobas

Posted 10 July 2006 - 11:20 AM

I am getting browser redirections to ameana.com (or amaena.com ?). Spent last day scanning my system but haven't gotten rid of it yet. The past few hours I followed directions in http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
and some more things were found and deleted. Could someone check my HJT-log to see if I'm safe?


Logfile of HijackThis v1.99.1
Scan saved at 18:15:22, on 10/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Spyware\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Mystify Claw\MystifyClaw.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spyware\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\TaskInfo 6.x\TaskInfo.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Roboform AI\RoboTaskBarIcon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Chameleon Clock\ChamClock.exe
C:\Program Files\Dirkey2\dirkey.exe
C:\Program Files\Gilly Messenger\GillyMessenger.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SlimBrowser\sbrowser.exe
C:\Program Files\xplorer2\xplorer2_UC.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\Spyware\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = (value not set)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = (value not set)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = (value not set)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = (value not set)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = (value not set)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = (value not set)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = (value not set)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Roboform AI\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Roboform AI\roboform.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HydraVisionViewPort] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [MystifyClaw] C:\Program Files\Mystify Claw\MystifyClaw.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [WMan] C:\Program Files\Watchman\watchman.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\Spyware\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [TaskInfo.exe] "C:\Program Files\TaskInfo 6.x\TaskInfo.exe"
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Roboform AI\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [HomeAlarm] C:\Program Files\Chameleon Clock\ChamClock.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [Dirkey] C:\Program Files\Dirkey2\dirkey.exe
O4 - HKCU\..\Run: [Gilly Messenger] "C:\Program Files\Gilly Messenger\GillyMessenger.exe" /startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [XPize Reloader] C:\WINDOWS\XPize\XPizeReloader.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Roboform AI\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Roboform AI\RoboFormComFillForms.html
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Roboform AI\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Roboform AI\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Roboform AI\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Roboform AI\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Roboform AI\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Roboform AI\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Roboform AI\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Roboform AI\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.edpnet.be
O15 - Trusted Zone: http://www.edpnet.net
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C9B50434-6FF1-4B1E-9750-9FDAC0E8C1F7}: NameServer = 10.0.0.138,212.71.0.2
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\Spyware\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC-unstable\WinVNC.exe" -service (file missing)

Edited by Thiobas, 10 July 2006 - 11:57 AM.
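A HijackThis log of this size is normally read by eye, section code by section code. As an added example that is not part of the original post, of HijackThis, or of the forum's own tooling, here is a small Python parser for HJT v1.99.1 logs that rejoins entries wrapped onto several lines when the log was pasted into the forum and then applies the first-pass rules a helper looks at: loading points whose target is "(file missing)", O17 DNS servers on public addresses, O20 Winlogon Notify DLLs, O15 Trusted Zone sites, O4 Run values that are bare filenames, and O23 services with no recognised owner. The embedded sample is a handful of lines copied from the log posted above; the rule set and the "review"/"check" severity labels are my own assumptions, not HijackThis output, and the finding that a DNS server is public only means it should be compared with the ISP's published resolvers.

```python
"""Triage helper for HijackThis v1.99.1 logs (added example, not part of the thread)."""
import ipaddress
import re
from dataclasses import dataclass

# Every HJT finding starts with a section code (R0/R1, O2, O4, O17, O23 ...).
CODE_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


@dataclass
class Entry:
    code: str
    body: str


@dataclass
class Finding:
    severity: str  # assumption: "review" = act on it, "check" = confirm it is expected
    code: str
    reason: str
    body: str


def parse_hjt(text: str) -> list[Entry]:
    """Return the R/O entries of a log.

    A line that does not start with a section code is treated as the continuation
    of the previous entry; that rejoins entries the forum wrapped with a blank
    line in between (e.g. '(value not' / 'set)'). Header and 'Running processes'
    lines precede the first entry and are dropped.
    """
    entries: list[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CODE_RE.match(line)
        if m:
            entries.append(Entry(m["code"], m["body"]))
        elif entries:
            entries[-1].body += " " + line
    return entries


def _is_global(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:  # regex can match out-of-range octets such as 999.1.1.1
        return False


def public_nameservers(entry: Entry) -> list[str]:
    """IPv4 addresses in an O17 NameServer entry that are globally routable.

    An RFC 1918 resolver is usually the home router; a public one should be
    matched against the ISP's resolvers, since DNS hijackers replace it.
    """
    return [ip for ip in IPV4_RE.findall(entry.body) if _is_global(ip)]


def triage(entries: list[Entry]) -> list[Finding]:
    """Apply the first-pass rules a helper reads a log with (assumed rule set)."""
    findings: list[Finding] = []
    for e in entries:
        if "(file missing)" in e.body:
            findings.append(Finding("review", e.code,
                "loading point whose target file no longer exists (orphan of an uninstall or of removed malware)", e.body))
        if e.code == "O17":
            for ip in public_nameservers(e):
                findings.append(Finding("check", e.code,
                    f"DNS server {ip} is a public address; confirm it is the ISP's", e.body))
        if e.code == "O20":
            findings.append(Finding("review", e.code,
                "Winlogon Notify DLL is loaded into winlogon.exe at every logon", e.body))
        if e.code == "O15":
            findings.append(Finding("check", e.code,
                "site in the IE Trusted Zone runs with relaxed security settings", e.body))
        if e.code == "O4" and "\\" not in e.body.split("] ", 1)[-1]:
            findings.append(Finding("check", e.code,
                "Run value is a bare filename resolved through the search path", e.body))
        if e.code == "O23" and "Unknown owner" in e.body:
            findings.append(Finding("check", e.code,
                "service binary carries no recognised vendor name", e.body))
    return findings


# Constructed sample: lines copied from the log posted above, including the
# wrapped R0 entry exactly as the forum rendered it.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.google.be/
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O15 - Trusted Zone: http://www.edpnet.be
O17 - HKLM\System\CCS\Services\Tcpip\..\{C9B50434-6FF1-4B1E-9750-9FDAC0E8C1F7}: NameServer = 10.0.0.138,212.71.0.2
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC-unstable\WinVNC.exe" -service (file missing)
"""


if __name__ == "__main__":
    for f in sorted(triage(parse_hjt(SAMPLE_LOG)), key=lambda f: f.severity):
        print(f"[{f.severity:6}] {f.code:<4} {f.reason}\n         {f.body}")
```

Run it on a full log by reading the file into `parse_hjt`; the continuation rule is what makes pasted-and-wrapped logs parse the same as the original file. Anything reported as "review" is a loading point with no file behind it or a Winlogon hook, which is where removal tools and helpers look first; "check" items are only suspicious if the user cannot account for them.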



#2 Guest_Cretemonster_*

Posted 12 July 2006 - 03:50 PM

Hi Thiobas and Welcome to the Bleeping Computer!


Download ComboFix to your desktop.
Double-click combo.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot, it should open a log, combofix.txt.

Post the contents of combofix.txt into the next reply.

#3 Thiobas (Topic Starter)

Posted 12 July 2006 - 05:35 PM

It's nice to be here and I appreciate the service which is being provided. You all should be earning a million dollars a day.

Here is the logfile. It opened in notepad after the scan. I did not reboot, I didn't need to reboot, I wasn't prompted to do so.

The last line of the log states: "ComboFix ver 06.07.08 - This logfile is located at C:\ComboFix.txt", but I found that the logfile was located at E:\ComboFix.txt

---------------------------------------------------------
Start Time= do 13/07/2006 0:29:02,15

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-10 21:23:40 ( .D... ) "C:\Program Files\ResourceHacker"
2006-07-10 18:06:32 ( .D... ) "C:\Program Files\Zone Labs"
2006-07-10 16:39:44 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-07-09 21:05:10 5137 ( A.... ) "C:\Documents and Settings\Gerd Loos\Application Data\Cabos.plist"
2006-07-09 15:11:26 ( .D... ) "C:\Program Files\JDiskReport 1.2.5"
2006-07-09 15:10:42 ( .D... ) "C:\Program Files\System Info"
2006-07-09 12:26:58 ( .D... ) "C:\Documents and Settings\Gerd Loos\Application Data\Lavasoft"
2006-07-09 12:26:46 ( .D... ) "C:\Program Files\Spyware"
2006-07-09 12:03:34 ( .D... ) "C:\Program Files\Common Files\xing shared"
2006-07-09 12:03:30 176167 ( A.... ) "C:\WINDOWS\system32\rmoc3260.dll"
2006-07-09 12:03:26 6656 ( A.... ) "C:\WINDOWS\system32\pndx5016.dll"
2006-07-09 12:03:26 5632 ( A.... ) "C:\WINDOWS\system32\pndx5032.dll"
2006-07-09 12:03:22 278528 ( A.... ) "C:\WINDOWS\system32\pncrt.dll"
2006-07-09 08:20:38 ( .D... ) "C:\Documents and Settings\Gerd Loos\Application Data\3M"
2006-07-09 08:20:08 ( .D... ) "C:\Program Files\3M"
2006-07-08 18:19:12 176167 ( A.... ) "C:\WINDOWS\system32\rmocx.dll"
2006-07-08 13:06:42 ( .D... ) "C:\Program Files\Microsoft Bootvis"
2006-07-08 09:42:06 1179136 ( A.... ) "C:\WINDOWS\system32\AutoPartNt.exe"
2006-07-08 09:22:44 ( .D... ) "C:\Program Files\Common Files\Acronis"
2006-07-08 09:22:44 ( .D... ) "C:\Program Files\Acronis"
2006-07-07 20:30:30 ( .D... ) "C:\Program Files\Cabos"
2006-07-07 20:21:32 ( .D... ) "C:\Program Files\Mplayer"
2006-07-07 20:05:04 ( .D... ) "C:\Program Files\Launchy"
2006-07-07 19:46:44 ( .D... ) "C:\Program Files\Evil Player"
2006-07-07 19:43:26 ( .D... ) "C:\Program Files\Avast4"
2006-07-07 19:32:16 ( .D... ) "C:\Program Files\Unlocker"
2006-07-07 18:25:06 ( .D... ) "C:\Documents and Settings\Gerd Loos\Application Data\Rainlendar"
2006-07-07 18:25:00 ( .D... ) "C:\Program Files\Rainlendar"
2006-07-07 18:02:18 ( .D... ) "C:\Program Files\TaskSwitchXP"
2006-07-07 18:00:46 218624 ( A.... ) "C:\WINDOWS\system32\uxtheme.dll"
2006-07-07 17:52:36 ( .D... ) "C:\Program Files\Rainmeter"
2006-07-07 17:41:36 ( .D... ) "C:\Program Files\X-Setup Pro"
2006-07-07 17:29:36 ( .D... ) "C:\Program Files\TuneXP"
2006-07-07 17:29:30 720896 ( A.... ) "C:\WINDOWS\iun6002.exe"
2006-07-07 17:23:50 ( .D... ) "C:\Program Files\Windows Cleaner 2005"
2006-07-06 19:19:42 ( .D... ) "C:\Program Files\Expresso"
2006-07-06 11:32:02 ( .D... ) "C:\Program Files\Magic File Renamer"
2006-07-03 22:58:18 ( .D... ) "C:\Program Files\Collectorz.com"
2006-07-03 14:46:48 5488 ( A.... ) "C:\Documents and Settings\Gerd Loos\Application Data\mpauth.dat"
2006-06-29 20:56:22 ( .D... ) "C:\Program Files\Common Files\Stardock"
2006-06-29 20:19:28 ( .D... ) "C:\Program Files\Stardock"
2006-06-29 19:06:04 8704 ( A.... ) "C:\WINDOWS\system32\relog_ap.dll"
2006-06-28 19:20:04 ( .D... ) "C:\Program Files\samsung"
2006-06-28 10:47:26 ( .D... ) "C:\Program Files\Monoff4"
2006-06-26 15:39:30 200704 ( A.... ) "C:\WINDOWS\system32\snapapi.dll"
2006-06-18 17:54:58 394872 ( A.... ) "C:\WINDOWS\system32\vsdatant.sys"
2006-06-18 17:54:58 394872 ( A.... ) "C:\WINDOWS\system32\vsdatant.sys"
2006-06-18 17:54:26 83960 ( A.... ) "C:\WINDOWS\system32\zlcomm.dll"
2006-06-18 17:54:26 71672 ( A.... ) "C:\WINDOWS\system32\zlcommdb.dll"
2006-06-18 17:54:24 100344 ( A.... ) "C:\WINDOWS\system32\vsxml.dll"
2006-06-18 17:54:24 59384 ( A.... ) "C:\WINDOWS\system32\vswmi.dll"
2006-06-18 17:54:22 440312 ( A.... ) "C:\WINDOWS\system32\vsutil.dll"
2006-06-18 17:54:22 71672 ( A.... ) "C:\WINDOWS\system32\vsregexp.dll"
2006-06-18 17:54:20 268280 ( A.... ) "C:\WINDOWS\system32\vspubapi.dll"
2006-06-18 17:54:20 157688 ( A.... ) "C:\WINDOWS\system32\vsinit.dll"
2006-06-18 17:54:20 104440 ( A.... ) "C:\WINDOWS\system32\vsmonapi.dll"
2006-06-18 17:54:18 83960 ( A.... ) "C:\WINDOWS\system32\vsdata.dll"
2006-06-18 17:54:08 796584 ( A.... ) "C:\WINDOWS\system32\libeay32_0.9.6l.dll"
2006-06-12 14:20:20 73 ( A.... ) "C:\WINDOWS\system32\ssprs.dll"
2006-06-12 14:20:10 205 ( A.... ) "C:\WINDOWS\system32\lsprst7.dll"
2006-06-06 08:34:24 ( .D... ) "C:\Documents and Settings\Gerd Loos\Application Data\Chameleon Calendar"
2006-06-03 19:00:56 ( .D... ) "C:\Documents and Settings\Gerd Loos\Application Data\Mozilla"
2006-06-03 19:00:12 ( .D... ) "C:\Program Files\Mozilla Firefox"
2006-06-03 16:45:16 ( .D... ) "C:\Program Files\thriXXX"
2006-05-31 11:02:04 624640 ( A.... ) "C:\WINDOWS\system32\aswBoot.exe"
2006-05-31 10:54:36 90112 ( A.... ) "C:\WINDOWS\system32\AVASTSS.scr"
2006-05-27 17:39:48 88064 ( A.... ) "C:\WINDOWS\system32\bmp2jpeg.dll"
2006-05-27 17:18:44 ( .D... ) "C:\Program Files\Gilly Messenger"
2006-05-25 18:22:34 ( .D.H. ) "C:\Program Files\Zero G Registry"
2006-05-25 01:22:06 53248 ( A.... ) "C:\WINDOWS\bdoscandel.exe"
2006-05-21 10:16:56 ( .D... ) "C:\Program Files\Mystify Claw"
2006-05-20 19:40:16 ( .D... ) "C:\Program Files\AutoUnpack"
2006-05-20 17:06:56 ( .D... ) "C:\Program Files\Newsgroup-XPAT-Search"
2006-05-18 15:48:36 ( .D... ) "C:\Program Files\Dirkey2"
2006-05-18 15:28:54 ( .D... ) "C:\Program Files\AudioShell"
2006-05-17 12:25:34 ( .D... ) "C:\Program Files\No-IP"
2006-05-17 09:38:52 1025 ( A.... ) "C:\WINDOWS\system32\sysprs7.dll"
2006-05-17 09:38:52 1025 ( A.... ) "C:\WINDOWS\system32\clauth2.dll"
2006-05-17 09:38:52 1025 ( A.... ) "C:\WINDOWS\system32\clauth1.dll"
2006-05-17 09:35:30 ( .D... ) "C:\Program Files\SPSS"
2006-05-15 23:00:52 ( .D... ) "C:\Documents and Settings\Gerd Loos\Application Data\Google"
2006-05-15 23:00:32 ( .D... ) "C:\Program Files\Google"
2006-05-15 07:22:08 ( .D... ) "C:\Documents and Settings\Gerd Loos\Application Data\Help"
2006-05-07 13:06:38 13299 ( A.... ) "C:\Documents and Settings\Gerd Loos\Application Data\SlimBrowser.rar"
2006-04-22 22:11:24 568850 ( A.... ) "C:\WINDOWS\system32\x264vfw.dll"
2006-04-20 20:09:10 5120 ( A.... ) "C:\WINDOWS\system32\ff_vfw.dll"
2006-04-20 16:00:02 856064 ( A.... ) "C:\WINDOWS\system32\xvidcore.dll"
2006-04-19 22:09:20 619156 ( A.... ) "C:\WINDOWS\system32\divx.dll"
2006-04-15 12:50:00 60416 ( A.... ) "C:\WINDOWS\ALCFDRTM.EXE"
2006-04-15 00:09:18 62 ( A.SH. ) "C:\Documents and Settings\Gerd Loos\Application Data\desktop.ini"
2006-04-14 22:23:16 0 ( A.... ) "C:\AUTOEXEC.BAT"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-10 18:31 21.312 C:\WINDOWS\choice.exe
2006-07-10 18:06 83.960 C:\WINDOWS\system32\zlcomm.dll
2006-07-10 18:06 796.584 C:\WINDOWS\system32\libeay32_0.9.6l.dll
2006-07-10 18:06 71.672 C:\WINDOWS\system32\zlcommdb.dll
2006-07-10 18:06 71.672 C:\WINDOWS\system32\vsregexp.dll
2006-07-10 18:06 59.384 C:\WINDOWS\system32\vswmi.dll
2006-07-10 18:06 394.872 C:\WINDOWS\system32\vsdatant.sys
2006-07-10 18:06 268.280 C:\WINDOWS\system32\vspubapi.dll
2006-07-10 18:06 104.440 C:\WINDOWS\system32\vsmonapi.dll
2006-07-10 18:06 100.344 C:\WINDOWS\system32\vsxml.dll
2006-07-10 18:05 83.960 C:\WINDOWS\system32\vsdata.dll
2006-07-10 18:05 440.312 C:\WINDOWS\system32\vsutil.dll
2006-07-10 18:05 157.688 C:\WINDOWS\system32\vsinit.dll
2006-07-09 09:13 684.032 C:\WINDOWS\libeay32.dll
2006-07-09 09:13 478.720 C:\WINDOWS\WRUninstall.dll
2006-07-09 09:13 155.648 C:\WINDOWS\ssleay32.dll
2006-07-08 18:19 176.167 C:\WINDOWS\system32\rmocx.dll
2006-07-08 09:42 1.179.136 C:\WINDOWS\system32\AutoPartNt.exe
2006-07-07 19:43 90.112 C:\WINDOWS\system32\AVASTSS.scr
2006-07-07 19:43 624.640 C:\WINDOWS\system32\aswBoot.exe
2006-07-07 18:02 130.560 C:\WINDOWS\system32\XPize_Logon.exe
2006-07-07 17:29 720.896 C:\WINDOWS\iun6002.exe
2006-07-07 14:21 90.112 C:\WINDOWS\system32\dpl100.dll
2006-07-07 14:21 856.064 C:\WINDOWS\system32\xvidcore.dll
2006-07-07 14:21 619.156 C:\WINDOWS\system32\divx.dll
2006-07-07 14:21 568.850 C:\WINDOWS\system32\x264vfw.dll
2006-07-07 14:21 5.120 C:\WINDOWS\system32\ff_vfw.dll
2006-07-07 14:21 3.596.288 C:\WINDOWS\system32\qt-dx331.dll
2006-07-07 14:21 286.720 C:\WINDOWS\system32\3ivxVfWCodec.dll
2006-07-07 14:21 217.088 C:\WINDOWS\system32\xvidvfw.dll
2006-07-07 14:21 200.704 C:\WINDOWS\system32\ssldivx.dll
2006-07-07 14:21 200.704 C:\WINDOWS\system32\dtu100.dll
2006-07-07 14:21 1.415.680 C:\WINDOWS\system32\WMV9VCM.dll
2006-07-07 14:21 1.044.480 C:\WINDOWS\system32\libdivx.dll
2006-07-07 14:21 1.024.000 C:\WINDOWS\system32\3ivx.dll
2006-07-04 18:11 6.656 C:\WINDOWS\system32\pndx5016.dll
2006-07-04 18:11 5.632 C:\WINDOWS\system32\pndx5032.dll
2006-07-04 18:11 176.167 C:\WINDOWS\system32\rmoc3260.dll
2006-06-29 19:06 8.704 C:\WINDOWS\system32\relog_ap.dll
2006-06-28 19:19 303.616 C:\WINDOWS\IsUninst.exe
2006-06-28 17:05 73.728 C:\WINDOWS\system32\Monoff4.scr
2006-06-26 15:39 200.704 C:\WINDOWS\system32\snapapi.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"HydraVisionDesktopManager"="C:\\Program Files\\ATI Technologies\\ATI HYDRAVISION\\HydraDM.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"DiskeeperSystray"="\"C:\\Program Files\\Diskeeper Corporation\\Diskeeper\\DkIcon.exe\""
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"HydraVisionViewPort"="C:\\Program Files\\ATI Technologies\\ATI HYDRAVISION\\HydraMD.exe"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"UltraMon"="\"C:\\Program Files\\UltraMon\\UltraMon.exe\" /auto"
"MystifyClaw"="C:\\Program Files\\Mystify Claw\\MystifyClaw.exe"
"UnlockerAssistant"="\"C:\\Program Files\\Unlocker\\UnlockerAssistant.exe\" -H"
"avast!"="C:\\PROGRA~1\\Avast4\\ashDisp.exe"
"TrueImageMonitor.exe"="C:\\Program Files\\Acronis\\TrueImageHome\\TrueImageMonitor.exe"
"AcronisTimounterMonitor"="C:\\Program Files\\Acronis\\TrueImageHome\\TimounterMonitor.exe"
"Acronis Scheduler2 Service"="\"C:\\Program Files\\Common Files\\Acronis\\Schedule2\\schedhlp.exe\""
"WMan"="C:\\Program Files\\Watchman\\watchman.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"!ewido"="\"C:\\Program Files\\Spyware\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"TaskInfo.exe"="\"C:\\Program Files\\TaskInfo 6.x\\TaskInfo.exe\""
"µTorrent"="\"C:\\Program Files\\uTorrent\\utorrent.exe\""
"RoboForm"="\"C:\\Program Files\\Roboform AI\\RoboTaskBarIcon.exe\""
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
"HomeAlarm"="C:\\Program Files\\Chameleon Clock\\ChamClock.exe"
"Active Desktop Calendar"="C:\\Program Files\\Active Desktop Calendar\\ADC.exe"
"Dirkey"="C:\\Program Files\\Dirkey2\\dirkey.exe"
"Gilly Messenger"="\"C:\\Program Files\\Gilly Messenger\\GillyMessenger.exe\" /startup"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"TaskSwitchXP"="C:\\Program Files\\TaskSwitchXP\\TaskSwitchXP.exe"
"XPize Reloader"="C:\\WINDOWS\\XPize\\XPizeReloader.exe /S"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,69,01,00,00,00,04,00,00,00,04,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,30,01,00,00,69,01,00,00,d0,03,00,00,00,04,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,30,01,00,00,f5,01,00,00,d0,03,00,00,00,04,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Ad-Aware SE Personal.job
C:\WINDOWS\tasks\newsLeecher.job
C:\WINDOWS\tasks\Spybot - Search & Destroy.job

Completion time: do 13/07/2006 0:29:13,01
ComboFix ver 06.07.08 - This logfile is located at C:\ComboFix.txt

Edited by Thiobas, 12 July 2006 - 05:39 PM.


#4 Guest_Cretemonster_*

Posted 13 July 2006 - 01:21 AM

If you will, go to the HijackThis folder and right-click HijackThis.exe

Select rename and rename it to look.exe

Double Click look.exe to launch HijackThis

Do a System Scan and Save a Logfile.

Post those results in the next reply please.

#5 Thiobas (Topic Starter)

Posted 13 July 2006 - 08:08 AM

Here you go. I renamed HJT to lookatit.exe

-----------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 15:06:02, on 13/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Spyware\ewido anti-spyware 4.0\guard.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Mystify Claw\MystifyClaw.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spyware\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\TaskInfo 6.x\TaskInfo.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\Roboform AI\RoboTaskBarIcon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Chameleon Clock\ChamClock.exe
C:\Program Files\Dirkey2\dirkey.exe
C:\Program Files\Gilly Messenger\GillyMessenger.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\Spyware\SpywareGuard\sgmain.exe
C:\Program Files\Spyware\SpywareGuard\sgbhp.exe
C:\Program Files\SlimBrowser\sbrowser.exe
C:\Program Files\NewsLeecher\newsLeecher.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\xplorer2\xplorer2_UC.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Spyware\hijackthis\Lookatit.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = (value not set)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = (value not set)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = (value not set)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = (value not set)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = (value not set)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = (value not set)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = (value not set)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\Spyware\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Roboform AI\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Roboform AI\roboform.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HydraVisionViewPort] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraMD.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [MystifyClaw] C:\Program Files\Mystify Claw\MystifyClaw.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [WMan] C:\Program Files\Watchman\watchman.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\Spyware\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [TaskInfo.exe] "C:\Program Files\TaskInfo 6.x\TaskInfo.exe"
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Roboform AI\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [HomeAlarm] C:\Program Files\Chameleon Clock\ChamClock.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [Dirkey] C:\Program Files\Dirkey2\dirkey.exe
O4 - HKCU\..\Run: [Gilly Messenger] "C:\Program Files\Gilly Messenger\GillyMessenger.exe" /startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [XPize Reloader] C:\WINDOWS\XPize\XPizeReloader.exe /S
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\Spyware\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Roboform AI\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Roboform AI\RoboFormComFillForms.html
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Roboform AI\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Roboform AI\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Roboform AI\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Roboform AI\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Roboform AI\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Roboform AI\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Roboform AI\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Roboform AI\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.edpnet.be
O15 - Trusted Zone: http://www.edpnet.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C9B50434-6FF1-4B1E-9750-9FDAC0E8C1F7}: NameServer = 10.0.0.138,212.71.0.2
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\Spyware\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC-unstable\WinVNC.exe" -service (file missing)

#6 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 13 July 2006 - 06:00 PM

So far so good, I'm not seeing much of anything.

Are you still having the Ameana pop ups?


Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the instructions on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy & paste the entire report in your next reply.


#7 Thiobas

Thiobas
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE

Posted 14 July 2006 - 03:23 AM

I haven't seen those Ameanas anymore, so that's very good news. I hope they stay away and that we caught it all.

F-Secure found 3 items, one of them the Eicar-Test-Virus though.

--------------------------------------------------------------

Scanning Report
Friday, July 14, 2006 09:25:10 - 10:17:13
Computer name: STUBBLE
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ E:\ F:\


--------------------------------------------------------------------------------

Result: 3 malware found
EICAR-Test-File (virus)
C:\RECYCLER\S-1-5-21-1078081533-602162358-725345543-1003\DC7\EICAR.COM (Renamed)
Tracking Cookie (spyware)
System (Disinfected)
Trojan-Dropper.Win32.Delf.yb (virus)
F:\DOWNLOADS\WINDOWSFX\WINDOWFX_PUBLIC.EXE (Renamed & Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 22155
System: 5934
Not scanned: 6
Actions:
Disinfected: 1
Renamed: 2
Deleted: 0
None: 0
Submitted: 1
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\DTSCSI.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{42368B9D-3EEA-49CE-8481-E88B06773FA8}.BIN

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure AVP: 6.0.171, 2006-07-13
F-Secure Libra: 2.4.1, 2006-07-12
F-Secure Blacklight: 1.0.31, 0000-00-00
F-Secure Orion: 1.2.37, 2006-07-13
F-Secure Pegasus: 1.19.0, 2006-06-05
F-Secure Draco: 1.0.35, 0259-24-212
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
Use Advanced heuristics

#8 Thiobas

Thiobas
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE

Posted 10 August 2006 - 10:27 AM

Okay, so far I have been totally free from any spyware, adware or malware.

Yippie


Thanks

#9 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • ONLINE
  • Gender:Male
  • Location:USA

Posted 23 August 2006 - 10:40 AM

I am very sorry the helper who was working on this log has not responded. I have no idea why they have not done so. Do you still require help?

#10 Thiobas

Thiobas
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE

Posted 23 August 2006 - 06:09 PM

No further help needed. My last post and PM were to thank him and Bleeping Computer for services rendered.

You guys really are very professional.

Thanks again, keep up the good work.

Thiobas
