Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Emergeny!: I Can't Remove Winlogonhook; Smitfraud-c.toolbar888


  • Please log in to reply
12 replies to this topic

#1 Emil

Emil

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:29 PM

Posted 29 March 2007 - 01:29 AM

I am completely screwed up. I have probably more security software installed on my computer than any of you guys:

ProcessGuard, SpySweeper, NOD32, Agnitum Outpost Firewall. Recently, after I got infected, I added: SpyBot, AVG Antispyware, Ad-Aware SE Professional, BlackLight Rootkit remover, VundoFix, AFT-Cleaner.

Frankly, I am furious. How the hell is it possible that after having all these programs, which are the BEST in their kind, to get not only infected with a trojan horse but in addition to be impotent to remove it?

I have disabled systems restore, have run ALL of the programs I listed in their full system scan in safe mode (I have windows XP professional). The only program that detects the trojan is SpySweeper. It removes it every time but no matter how many scans I run, it always still reappears. Same thing with Smitfraud-C.Toolbar888. SpyBot removes it, but it still stays. I have no idea what else to do.

I am in an emergency situtaiton: I have a lot of account information on my computer and I can't afford some F****er gaining access to my personal numbers. I will get robbed dry. In addition, I have to do my taxes but I'm afraid to even look at my account because someone might be right up behind me watching the screen. I'm so desperate that I am considering trashing this windows and doing a clean install. All of these programs are CRAP. What the hell is their point? How could I get infected? The log is below. I hope you can help, but I am not optimistic:






Logfile of HijackThis v1.99.1
Scan saved at 11:26:28 PM, on 3/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Lexmark 8300 Series\lxcjmon.exe
C:\Program Files\Lexmark 8300 Series\ezprint.exe
C:\WINDOWS\system32\lxcjcoms.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Fugue\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall\outpost.exe" /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall\feedback.exe" /dump:os_startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [lxcjmon.exe] "C:\Program Files\Lexmark 8300 Series\lxcjmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 8300 Series\ezprint.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Easy Synchronization] "C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe"
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunOnce: [Easy Synchronization] C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe --ports
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Spy Sweeper Updater V 2.0.0.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1167696604062
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winlgs32 - C:\WINDOWS\SYSTEM32\winlgs32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
O23 - Service: lxcj_device - - C:\WINDOWS\system32\lxcjcoms.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

BC AdBot (Login to Remove)

 


m

#2 Emil

Emil
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:29 PM

Posted 29 March 2007 - 03:47 AM

I read one of the posts and I updated my Java to 6 (uninstalled all previous versions).

I ran AVG in safe mode again. As always, it detects nothing, but Spybot and Spy Sweeper still detect the same infections.

Logfile of HijackThis v1.99.1
Scan saved at 1:44:12 AM, on 3/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Lexmark 8300 Series\lxcjmon.exe
C:\Program Files\Lexmark 8300 Series\ezprint.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\BOINC\boincmgr.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\lxcjcoms.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\BOINC\projects\einstein.phys.uwm.edu\einstein_S5RI_4.24_windows_intelx86.exe
C:\Program Files\BOINC\projects\einstein.phys.uwm.edu\einstein_S5RI_4.24_windows_intelx86.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Eset\nod32.exe
C:\Documents and Settings\Fugue\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall\outpost.exe" /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall\feedback.exe" /dump:os_startup
O4 - HKLM\..\Run: [lxcjmon.exe] "C:\Program Files\Lexmark 8300 Series\lxcjmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 8300 Series\ezprint.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Easy Synchronization] "C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe"
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Easy Synchronization] "C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe" --ports
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Spy Sweeper Updater V 2.0.0.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1167696604062
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winlgs32 - C:\WINDOWS\SYSTEM32\winlgs32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
O23 - Service: lxcj_device - - C:\WINDOWS\system32\lxcjcoms.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

#3 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:03:29 AM

Posted 29 March 2007 - 09:25 AM

Welcome to the BleepingComputer HijackThis forum Emil :thumbsup:

Download KillBox,unzip/extract it to your desktop.
http://download.bleepingcomputer.com/spyware/KillBox.zip
Start up Killbox and place a check in 'Delete on Reboot'.
In the 'Full path of file to delete' box,copy and paste:

C:\WINDOWS\SYSTEM32\winlgs32.dll

Then press the red button with the white cross.
It will then provide a window for you to confirm the delete.
Next it will ask if you now wish to reboot,select YES.
Allow it to reboot.
If it does'nt reboot automatically,reboot manually.

******************************

Download SmitfraudFix (by S!Ri), to your desktop.
Double click on Smitfraudfix.cmd
Select option #1 – Search, by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

******************************

Please download Combofix and save to the desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the SmitfraudFix report,the C:\ComboFix.txt,and a new Hijackthis log into your next reply please.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.

Posted Image
Posted Image

#4 Emil

Emil
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:29 PM

Posted 29 March 2007 - 09:56 AM

I did everything. Here are the 3 logs:

SmitFraudFix v2.159

Scan done at 7:45:50.09, Thu 03/29/2007
Run from C:\Documents and Settings\Fugue\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Lexmark 8300 Series\lxcjmon.exe
C:\Program Files\Lexmark 8300 Series\ezprint.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\lxcjcoms.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\BOINC\boinc.exe
C:\Program Files\BOINC\projects\einstein.phys.uwm.edu\einstein_S5RI_4.24_windows_intelx86.exe
C:\Program Files\BOINC\projects\einstein.phys.uwm.edu\einstein_S5RI_4.24_windows_intelx86.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Fugue


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Fugue\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Fugue\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End




















"Fugue" - 07-03-29 7:47:53 Service Pack 2
ComboFix 07-03-29 - Running from: "C:\Documents and Settings\Fugue\Desktop"


((((((((((((((((((((((((((((((( Files Created from 2007-02-28 to 2007-03-29 ))))))))))))))))))))))))))))))))))


2007-03-29 07:46 3,446 --a------ C:\WINDOWS\system32\tmp.reg
2007-03-29 07:45 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-03-29 07:45 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-03-29 07:45 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-03-29 07:45 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-03-29 07:45 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-03-29 07:45 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-03-29 07:40 <DIR> d-------- C:\!KillBox
2007-03-28 23:49 <DIR> d-------- C:\Program Files\Common Files\Java
2007-03-28 22:25 <DIR> d-------- C:\DOCUME~1\Fugue\APPLIC~1\Lavasoft
2007-03-28 22:24 <DIR> d-------- C:\Program Files\Lavasoft
2007-03-28 22:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-03-28 17:34 <DIR> d-------- C:\VundoFix Backups
2007-03-27 23:25 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
2007-03-27 23:20 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-24 21:14 <DIR> d-------- C:\Program Files\DVD-RB PRO
2007-03-24 21:13 <DIR> d-------- C:\Program Files\AviSynth 2.5
2007-03-24 21:09 <DIR> d-------- C:\Program Files\DVD Decrypter
2007-03-23 01:47 93,504 -ra------ C:\WINDOWS\QTW16DEL.EXE
2007-03-23 01:47 8,304 -ra------ C:\WINDOWS\system\QTHNDLR.DLL
2007-03-23 01:47 74,496 -ra------ C:\WINDOWS\PLAYER.EXE
2007-03-23 01:47 73,712 -ra------ C:\WINDOWS\system\QTOLE.DLL
2007-03-23 01:47 61,568 -ra------ C:\WINDOWS\VIEWER.EXE
2007-03-23 01:47 429,424 -ra------ C:\WINDOWS\system\QTIM.DLL
2007-03-23 01:47 4,320 -ra------ C:\WINDOWS\system\MCIQTENU.DLL
2007-03-23 01:47 4,176 -ra------ C:\WINDOWS\system\QTNOTIFY.EXE
2007-03-23 01:47 2,037,248 -ra------ C:\WINDOWS\QTINSTAL.EXE
2007-03-23 01:47 17,536 -ra------ C:\WINDOWS\VIEWENU.DLL
2007-03-23 01:47 16,928 -ra------ C:\WINDOWS\PLAYENU.DLL
2007-03-23 01:47 14,544 -ra------ C:\WINDOWS\system\QTIMCMGR.DLL
2007-03-23 01:45 969,216 --a------ C:\WINDOWS\system32\qd3d.dll
2007-03-23 01:45 596,992 --a------ C:\WINDOWS\system32\rave.dll
2007-03-23 01:45 27,136 --a------ C:\WINDOWS\system32\QTUninst.dll
2007-03-23 01:45 126,976 --a------ C:\WINDOWS\system32\3DViewer.dll
2007-03-23 01:44 299,008 --a------ C:\WINDOWS\uninst.exe
2007-03-20 22:27 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-03-20 22:22 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-03-20 22:22 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-03-18 17:31 94,208 --a------ C:\WINDOWS\system32\PSCL109P.dll
2007-03-18 17:31 49,152 --a------ C:\WINDOWS\system32\pscVSWIA.dll
2007-03-18 17:31 40,960 --a------ C:\WINDOWS\system32\pscN109P.exe
2007-03-18 17:31 339,968 --a------ C:\WINDOWS\system32\pscU109P.dll
2007-03-18 17:31 <DIR> d-------- C:\Program Files\Canon
2007-03-06 12:10 149,600 --a------ C:\WINDOWS\system32\pguard.dat
2007-03-06 12:10 122,240 --a------ C:\WINDOWS\system32\pghash.dat
2007-03-06 12:07 24,911 --a------ C:\WINDOWS\system32\drivers\procguard.sys
2007-03-06 12:07 106,496 --a------ C:\WINDOWS\system32\procguard.dll
2007-03-06 12:07 <DIR> d-------- C:\Program Files\ProcessGuard
2007-03-06 00:40 <DIR> d-------- C:\DOCUME~1\Fugue\Bluetooth Software
2007-03-06 00:37 47,104 --a------ C:\WINDOWS\system32\drivers\vserial.sys
2007-03-06 00:37 18,167 --a------ C:\WINDOWS\system32\drivers\vsb.sys
2007-03-06 00:37 127,034 -r------- C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
2007-03-06 00:37 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Logitech
2007-03-06 00:36 34,576 --a------ C:\WINDOWS\system32\drivers\LHidFilt.Sys
2007-03-06 00:36 33,296 --a------ C:\WINDOWS\system32\drivers\LMouFilt.Sys
2007-03-06 00:36 1,419,024 --a------ C:\WINDOWS\system32\WdfCoInstaller01005.dll
2007-03-06 00:36 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-03-06 00:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Logitech
2007-03-06 00:35 329,901 --a------ C:\WINDOWS\system32\drivers\btaudio.sys
2007-03-06 00:35 30,459 --a------ C:\WINDOWS\system32\drivers\btport.sys
2007-03-06 00:35 30,285 --a------ C:\WINDOWS\system32\drivers\btwmodem.sys
2007-03-06 00:35 149,123 --a------ C:\WINDOWS\system32\drivers\btwdndis.sys
2007-03-06 00:35 <DIR> d-------- C:\Program Files\WIDCOMM
2007-03-06 00:08 99,866 --a------ C:\WINDOWS\system32\VB5DE.dll
2007-03-06 00:08 72,704 --a------ C:\WINDOWS\ST5UNST.EXE
2007-03-06 00:08 29,696 --a------ C:\WINDOWS\system32\VB5StKit.dll
2007-03-02 09:29 <DIR> d-------- C:\WINDOWS\pss


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-29 07:48 -------- d-------- C:\Program Files\boinc
2007-03-28 23:49 -------- d-------- C:\Program Files\java
2007-03-27 23:04 -------- d-------- C:\Program Files\quicken
2007-03-27 22:17 -------- d-------- C:\Program Files\exact audio copy
2007-03-27 18:32 -------- d-------- C:\Program Files\emule
2007-03-23 01:45 -------- d-------- C:\Program Files\quicktime
2007-03-22 01:33 -------- d-------- C:\Program Files\starry night pro plus 6
2007-03-14 11:08 -------- d-------- C:\Program Files\hot cpu tester pro 4
2007-03-06 00:37 -------- d--h----- C:\Program Files\installshield installation information
2007-03-06 00:37 -------- d-------- C:\Program Files\logitech
2007-03-06 00:36 -------- d-------- C:\Program Files\Common Files\logitech
2007-02-15 22:56 -------- d-------- C:\Program Files\winamp
2007-02-08 22:35 -------- d-------- C:\Program Files\google
2007-02-08 17:27 -------- d-------- C:\DOCUME~1\Fugue\APPLIC~1\opera
2007-02-01 18:47 -------- d-------- C:\Program Files\gpl mpeg decoder
2007-02-01 18:45 -------- d-------- C:\DOCUME~1\Fugue\APPLIC~1\divx
2007-02-01 18:43 -------- d-------- C:\Program Files\divx
2007-01-30 02:46 69632 --a------ C:\WINDOWS\system32\kemxml.dll
2007-01-30 02:46 163840 --a------ C:\WINDOWS\system32\kemutb.dll
2007-01-30 02:46 135168 --a------ C:\WINDOWS\system32\kemutil.dll
2007-01-30 02:46 110592 --a------ C:\WINDOWS\system32\kemwnd.dll
2007-01-25 18:19 524288 --a------ C:\WINDOWS\system32\divxsm.exe
2007-01-25 18:19 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-01-25 18:19 129784 --------- C:\WINDOWS\system32\pxafs.dll
2007-01-25 18:19 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-01-25 18:19 116472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-01-25 18:18 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-01-25 18:18 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-01-25 18:13 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-01-25 18:13 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-01-25 18:13 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-01-25 18:13 738906 --a------ C:\WINDOWS\system32\divx.dll
2007-01-25 18:13 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-01-25 18:13 593920 --a------ C:\WINDOWS\system32\dpugui11.dll
2007-01-25 18:13 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-01-25 18:13 53248 --a------ C:\WINDOWS\system32\dpugui10.dll
2007-01-25 18:13 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-01-25 18:13 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-01-25 18:13 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-01-25 18:13 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-01-23 16:44 101136 --a------ C:\WINDOWS\khalmnpr.exe
2007-01-02 20:41 1485 --a------ C:\WINDOWS\mozver.dat
2007-01-01 20:36 356352 --a------ C:\WINDOWS\esellerateengine.dll
2007-01-01 20:26 5 --ahs---- C:\WINDOWS\system32\ebedbfdb1_d.dll
2007-01-01 19:28 809 --a------ C:\WINDOWS\system32\spoonuninstall-dmc accuraterip.dat
2007-01-01 19:28 130048 --a------ C:\WINDOWS\system32\spoonuninstall.exe
2007-01-01 18:21 299392 --a------ C:\WINDOWS\system32\imon.dll
2007-01-01 16:58 0 --a--c--- C:\WINDOWS\nsreg.dat
2007-01-01 16:31 81920 --a------ C:\WINDOWS\system32\openal32.dll
2007-01-01 16:31 233472 --a------ C:\WINDOWS\system32\wrap_oal.dll
2006-12-31 18:54 0 -rahs---- C:\MSDOS.SYS
2006-12-31 18:54 0 -rahs---- C:\IO.SYS
2006-12-31 18:54 0 --a------ C:\CONFIG.SYS
2006-12-31 18:54 0 --a------ C:\AUTOEXEC.BAT
2006-12-31 18:50 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2006-12-31 10:38 62 --ahs---- C:\DOCUME~1\Fugue\APPLIC~1\desktop.ini


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SetDefaultMIDI"="MIDIDef.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
"!1_ProcessGuard_Startup"="\"C:\\Program Files\\ProcessGuard\\procguard.exe\" -minimize"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"CTHelper"="CTHELPER.EXE"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"Logitech BT Wizard"="LBTWiz.exe -silent"
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"
"Outpost Firewall"="\"C:\\Program Files\\Agnitum\\Outpost Firewall\\outpost.exe\" /waitservice"
"OutpostFeedBack"="\"C:\\Program Files\\Agnitum\\Outpost Firewall\\feedback.exe\" /dump:os_startup"
"lxcjmon.exe"="\"C:\\Program Files\\Lexmark 8300 Series\\lxcjmon.exe\""
"EzPrint"="\"C:\\Program Files\\Lexmark 8300 Series\\ezprint.exe\""
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE"
"Easy Synchronization"="\"C:\\Program Files\\Logitech\\Easy Synchronization\\LogitechEasySync.exe\""
"!1_pgaccount"="\"C:\\Program Files\\ProcessGuard\\pgaccount.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Easy Synchronization"="\"C:\\Program Files\\Logitech\\Easy Synchronization\\LogitechEasySync.exe\" --ports"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Acrobat Speed Launcher.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Acrobat Speed Launcher.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\Installer\\{AC76BA86-1033-F400-7760-0000003D0002}\\SC_Acrobat.exe "
"item"="Adobe Acrobat Speed Launcher"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Spy Sweeper Updater V 2.0.0.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Spy Sweeper Updater V 2.0.0.lnk"
"backup"="C:\\WINDOWS\\pss\\Spy Sweeper Updater V 2.0.0.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\SPYSWE~1.EXE "
"item"="Spy Sweeper Updater V 2.0.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Acrotray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="googletalk"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Google\\Google Talk\\googletalk.exe\" /autostart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FE24CD78-7C63-465D-8787-4EDF7FC79895}"="ShellExecuteHook class"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winlgs32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WdfLoadGroup
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\wrSpySweeper_0F56DA73C07146BCB678A7D723483800.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-29 7:50:56
















Logfile of HijackThis v1.99.1

Scan saved at 7:52:07 AM, on 3/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Lexmark 8300 Series\lxcjmon.exe
C:\Program Files\Lexmark 8300 Series\ezprint.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\lxcjcoms.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Fugue\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall\outpost.exe" /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall\feedback.exe" /dump:os_startup
O4 - HKLM\..\Run: [lxcjmon.exe] "C:\Program Files\Lexmark 8300 Series\lxcjmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 8300 Series\ezprint.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Easy Synchronization] "C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe"
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Easy Synchronization] "C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe" --ports
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Spy Sweeper Updater V 2.0.0.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1167696604062
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winlgs32 - winlgs32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
O23 - Service: lxcj_device - - C:\WINDOWS\system32\lxcjcoms.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

#5 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:03:29 AM

Posted 29 March 2007 - 10:27 AM

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as..Save as Type: 'All Files' File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge it into the registry,then reboot.

REGEDIT4
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winlgs32]

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O20 - Winlogon Notify: winlgs32 - winlgs32.dll (file missing)

Exit Hijackthis.

***********************************

Please run the F-Secure online virus/spyware scan using Internet Explorer:
http://support.f-secure.com/enu/home/ols3.shtml
Follow the directions in the F-Secure page for proper Installation.
Accept the License Agreement.
Once the ActiveX installs,Click ‘Custom Scan’ and be sure the following are checked:
1.Scan whole System
2.Scan all files
3.Scan whole system for rootkits
4.Scan whole system for spyware
5.Scan inside archives
6.Use advanced heuristics
Once the download completes,the scan will begin automatically.
The scan will take some time to finish,so please be patient.
When the scan completes, click the ‘I want to decide item by item’ button.
For each item found,Select ‘Disinfect’ and click ‘Next’.
Click the ‘Show Report’ button,then copy and paste the entire report into your next reply.
Also post a new Hijackthis log please,and let me know how your pc is running now.
Posted Image
Posted Image

#6 Emil

Emil
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:29 PM

Posted 30 March 2007 - 09:14 AM

The reports are below. I don't know why killbox showed up as a virus. Also, are viruses inside archives dangerous? Can I just delete them from the archive? I am submitting highjackthis because I am not sure whether my PC is clean or not yet.

Also, isn't NOD32 considered to be the best one out there? From this report it seems that now I need to trash stupid NOD32 and get an F-secure. Please advise.





Scanning Report
Thursday, March 29, 2007 21:30:50 - 06:59:39
Computer name: BACH
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\ E:\
________________________________________
Result: 3 malware found
Email-Worm.Win32.Klez.h (virus)
• E:\Johann Sebastian Bach - Complete Cantatas - Vol 15 - 3CD - Ton Koopman - APE.rar\demo.pif
Trojan.Win32.Agent.qt (virus)
• C:\!KillBox\winlgs32.dll (Renamed & Submitted)
W32/HackSrvany.A.dropper (virus)
• E:\Microsoft Windows Xp (Works).rar\WinXp\reset5setup.exe
________________________________________
Statistics
Scanned:
• Files: 398345
• System: 4966
• Not scanned: 9105
Actions:
• Disinfected: 0
• Renamed: 1
• Deleted: 0
• None: 2
• Submitted: 1
Files not scanned:
€dÆ
H
________________________________________
Options
Scanning engines:
• F-Secure Libra: 2.4.2, 2007-03-28
• F-Secure AVP: 7.0.171, 2007-03-30
• F-Secure Orion: 1.2.37, 2007-03-30
• F-Secure Blacklight: 1.0.53, 0000-00-00
• F-Secure Draco: 1.0.35, 0260-02-44
• F-Secure Pegasus: 1.19.0, 2007-02-14
Scanning options:
• Scan all files
• Scan inside archives
• Use Advanced heuristics
________________________________________
Copyright © 1998-2006 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.




Logfile of HijackThis v1.99.1
Scan saved at 7:11:51 AM, on 3/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Lexmark 8300 Series\lxcjmon.exe
C:\Program Files\Lexmark 8300 Series\ezprint.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\lxcjcoms.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BOINC\projects\einstein.phys.uwm.edu\einstein_S5RI_4.24_windows_intelx86.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\BOINC\projects\einstein.phys.uwm.edu\einstein_S5RI_4.24_windows_intelx86.exe
C:\Documents and Settings\Fugue\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Logitech BT Wizard] LBTWiz.exe -silent
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall\outpost.exe" /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Program Files\Agnitum\Outpost Firewall\feedback.exe" /dump:os_startup
O4 - HKLM\..\Run: [lxcjmon.exe] "C:\Program Files\Lexmark 8300 Series\lxcjmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 8300 Series\ezprint.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Easy Synchronization] "C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe"
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Easy Synchronization] "C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe" --ports
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Spy Sweeper Updater V 2.0.0.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1167696604062
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
O23 - Service: lxcj_device - - C:\WINDOWS\system32\lxcjcoms.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

#7 Emil

Emil
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:29 PM

Posted 30 March 2007 - 09:18 AM

I deleted
• E:\Microsoft Windows Xp (Works).rar\WinXp\reset5setup.exe

I opened
• E:\Johann Sebastian Bach - Complete Cantatas - Vol 15 - 3CD - Ton Koopman - APE.rar\demo.pif

without decompressing anything (just looking inside the archive). I could not find demo.pif

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:03:29 AM

Posted 30 March 2007 - 09:29 AM

Also, isn't NOD32 considered to be the best one out there?
From this report it seems that now I need to trash stupid NOD32 and get an F-secure.
Please advise.


Although NOD32 is very good,in my opinion Kaspersky Anti-Virus 6.0 is much better.
You might want to consider giving the free 30 day trial of Kaspersky Anti-Virus 6.0 a go:
http://usa.kaspersky.com/downloads/trial-versions.php
If you do decide to try Kaspersky,download the trial from the above link,then disconnect from the internet.
Uninstall NOD32 via Add or Remove Programs,then reboot.
Install Kaspersky,reconnect to the internet,update Kaspersky's virus definitions and run a full system virus scan.


******************************

Your log is clean :thumbsup:
If all's ok,please do the following:

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window,click on the 'Create a Restore Point' button,then click 'Next'.
In the window that appears,enter a description\name for the Restore Point,then click on 'Create',wait,then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear,click on Ok.
The 'Disk Cleanup for [C:]' box will appear,click on the 'More Options' tab.
At the bottom in the 'System Restore' window,click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?',click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here,to help you prevent any possible future infections.
Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Posted Image
Posted Image

#9 Emil

Emil
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:29 PM

Posted 30 March 2007 - 09:30 AM

Is there going to be an end to this? I just ran SpyBot:

Company:
Product: Win32.Agent.yr
Threat: Trojan

Description
Win32.Agent.yr runs in the background and stores executable files in the Windows directory without user consent.

It seems that Spybot was able to fix it. Quick scan by Sweeper returned no results, so now I'm doing a custom scan.

#10 Emil

Emil
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:29 PM

Posted 30 March 2007 - 09:37 AM

Richie,

First, thank you for all your help. Second, please tell me what security I should get for my computer to avoid this problem in the future. This is what I have now:

ProcessGuard, SpySweeper, NOD32, Agnitum Outpost Firewall, Windows Defender.

Please give me the best ones possible in each of these departments regardless of cost. If I need more security, then let me know.

#11 Emil

Emil
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:29 PM

Posted 30 March 2007 - 09:39 AM

I am also now bewildered. What should I do now? Should I cancel all my credit card? Change banking information? What is you experience with this Trojan?

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:03:29 AM

Posted 30 March 2007 - 10:09 AM

Second, please tell me what security I should get for my computer to avoid this problem in the future.
This is what I have now:
ProcessGuard, SpySweeper, NOD32, Agnitum Outpost Firewall, Windows Defender.
Please give me the best ones possible in each of these departments regardless of cost.
If I need more security,then let me know.

Your defences are very good as they are,but as i posted earlier i would go with Kasperky Anti-Virus 6.0 instead of NOD32.

Should I cancel all my credit card? Change banking information?

Thats entirely up to you but it's not really necessary.
Its threats such as Backdoor Trojans,Password Stealing Trojans and Keyloggers etc you should take precautionary measures against,just in case your passwords,credit card information,banking details have been compromised.
If you still feel unsure/insecure then go ahead.
Posted Image
Posted Image

#13 Emil

Emil
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:07:29 PM

Posted 30 March 2007 - 11:49 AM

Thank you very much. Spybot found no threats and custom search of SpySweeper cam out empty as well.

I will change NOD32 to Kaspersky. I guess the functions of the rest of the applications is not clear cut. For example, AVG (AKA Ewido) found almost 5 tracking spwyare/cookies that Sweeper did not. On the other hand, AVG did not even detect the Torjan that sweeper kept bringing up.

Maybe just in case I should always have spybot nearby. Ad-aware on the other hand seems to have no quality these days. It detected absolutely nothing.

I am hoping no credit information was stolen because the infection lasted only a few days.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users