Xpdt.sys Shutdown


This topic is locked
34 replies to this topic

#1 lemco

  • Members
  • 20 posts

Posted 05 June 2007 - 01:27 PM

Logfile of HijackThis v1.99.1
Scan saved at 12:13:39 PM, on 6/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\FlashGet\Flashget.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\BandwidthMonitor\BWMonitor.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Malicious Software Removal Tool\KB890830-ENU.exe
c:\8ddccdc26cccaf15b3d899d4297c\mrtstub.exe
C:\WINDOWS\system32\MRT.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: The IP address and the host name should be separated by at least one
O2 - BHO: IE7pro BHO - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7pro\IE7pro.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Babylon Client] "C:\Program Files\Babylon\Babylon-Pro\Babylon.exe" -AutoStart
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Flashget] C:\PROGRA~1\FlashGet\Flashget.exe /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ProtoWall] "C:\Program Files\Bluetack\ProtoWall\ProtoWall.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [BandwidthMonitor] C:\Program Files\BandwidthMonitor\BWMonitor.exe
O4 - HKCU\..\Run: [WWW File Share Pro] C:\Program Files\WWW File Share Pro\WWWFileSharePro.exe /1
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Open Selected URL - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\openselectedurl.htm
O8 - Extra context menu item: Search &Google - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\google.htm
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra 'Tools' menuitem: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162873201218
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4ADA8CDD-664C-4790-8AD2-21B7B89256B6}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: PFW - C:\WINDOWS\SYSTEM32\UmxWnp.Dll
O20 - Winlogon Notify: RegCompact - C:\WINDOWS\SYSTEM32\RegCompact.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RichVideo - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
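The HijackThis log above is the raw material a responder works from, and the first pass is always the same: split it into sections, pull the on-disk path out of each load point, and set aside the entries that need a second look. The following Python parser does that first pass. It is an added example, not part of this thread and not HijackThis code; the sample input is a handful of lines copied from the post, and the allow-list of standard roots, the set of load points treated as privileged (O20/O21/O22) and the trusted ActiveX download hosts are this example's own assumptions. A flag is a prompt to look, not a verdict: in the sample it picks up the MRT stub running from a random-named directory and the `dumprep` entry, both of which are Microsoft's own, just as it picks up the unnamed BHO and the DPF entry with no download URL.

```python
"""Triage helper for a HijackThis 1.99 log.

Added example, not part of the forum thread and not HijackThis code.
It groups the log into entries, extracts the on-disk path from each one
and returns the entries a responder would review first.  The allow-lists
below (standard roots, privileged load points, trusted ActiveX hosts)
are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 12:13:39 PM, on 6/5/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Eset\nod32krn.exe
c:\8ddccdc26cccaf15b3d899d4297c\mrtstub.exe

O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162873201218
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O20 - Winlogon Notify: RegCompact - C:\WINDOWS\SYSTEM32\RegCompact.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

HJT_LINE = re.compile(r"^(?P<code>[ROF]\d{1,2}) - (?P<body>.*)$")
PROC_LINE = re.compile(r"^[A-Za-z]:\\\S.*$")          # "Running processes" lines
QUOTED_PATH = re.compile(r'"(?P<p>[A-Za-z]:\\[^"]+)"')
# unquoted path: keep consuming words until one starts with a switch (/ or -)
BARE_PATH = re.compile(r"(?P<p>[A-Za-z]:\\\S+(?: (?![/-])\S+)*)")
URL_RE = re.compile(r"https?://\S+")

# Assumptions of this example, not HijackThis rules.
STANDARD_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
PRIVILEGED = {"O20": "Winlogon Notify DLL",
              "O21": "ShellServiceObjectDelayLoad DLL",
              "O22": "SharedTaskScheduler DLL"}
TRUSTED_DPF_HOSTS = (".microsoft.com", ".macromedia.com")

Flag = Tuple[str, str, str]  # (section code, reason, entry body)


@dataclass(frozen=True)
class Entry:
    code: str            # HijackThis section ("O4", "O23", ...) or "PROC"
    body: str            # the line with the section prefix removed
    path: Optional[str]  # first drive-letter path in the line, if any


def extract_path(body: str) -> Optional[str]:
    """Return the first drive-letter path in an entry, preferring a quoted one."""
    m = QUOTED_PATH.search(body) or BARE_PATH.search(body)
    if not m:
        return None
    return m.group("p").split(",")[0]  # rundll32 entries carry ",EntryPoint"


def parse_hjt(text: str) -> List[Entry]:
    """Turn a HijackThis log into Entry records (load points and running processes)."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if m:
            entries.append(Entry(m["code"], m["body"], extract_path(m["body"])))
        elif PROC_LINE.match(line):
            entries.append(Entry("PROC", line, extract_path(line)))
    return entries


def in_standard_root(path: Optional[str]) -> bool:
    return path is not None and path.lower().startswith(STANDARD_ROOTS)


def triage(entries: List[Entry]) -> List[Flag]:
    """Entries worth a second look.  A flag is a prompt, not a verdict."""
    flags: List[Flag] = []
    for e in entries:
        if e.code in ("PROC", "O4", "O23") and not in_standard_root(e.path):
            flags.append((e.code, "binary not under a standard root (or no resolvable path)", e.body))
        if e.code == "O2" and e.body.startswith("BHO: (no name)"):
            flags.append((e.code, "BHO with no name; identify the DLL", e.body))
        if e.code in PRIVILEGED:
            flags.append((e.code, PRIVILEGED[e.code] + ": verify the DLL", e.body))
        if e.code == "O15":
            flags.append((e.code, "site added to the Trusted Zone", e.body))
        if e.code == "O16":
            url = URL_RE.search(e.body)
            host = urlparse(url.group()).hostname if url else None
            if host is None:
                flags.append((e.code, "DPF entry with no download URL", e.body))
            elif not host.endswith(TRUSTED_DPF_HOSTS):
                flags.append((e.code, "ActiveX download from non-allow-listed host " + host, e.body))
    return flags


if __name__ == "__main__":
    for code, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{code:5} {reason}\n      {body}")
```

Run it as-is and it prints seven flagged entries from the sample: the MRT stub, the `dumprep` Run entry with no drive-letter path, the unnamed RoboForm BHO, the ImageShack Trusted Zone addition, the two DPF entries (one with no URL, one from driveragent.com) and the RegCompact Winlogon Notify DLL; the NOD32 service, Ad Muncher and the NvCpl rundll32 entry pass. The path extractor is deliberately conservative: it treats a quoted drive-letter path as authoritative and otherwise stops at the first `/` or `-` switch, which is why `%systemroot%` entries come back with no path rather than a wrong one.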



#2 random/random

  • Malware Response Team
  • 2,704 posts

Posted 09 June 2007 - 05:49 AM

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#3 lemco

  • Topic Starter
  • Members
  • 20 posts

Posted 09 June 2007 - 11:46 AM

Here are the log files you requested, and thank you.


"Larry" - 2007-06-09 10:29:52 Service Pack 2 NTFS
ComboFix 07-06-3B - Running from: "C:\Documents and Settings\Larry\Desktop\DOWNLOADS\"

Rootkit driver xpdt is present. ... attempting disinfection
xpdt ...... driver unloaded successfully.
ADS removed - system32: deleted 78580 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NM
-------\LEGACY_NPF
-------\nm


((((((((((((((((((((((((( Files Created from 2007-05-09 to 2007-06-09 )))))))))))))))))))))))))))))))


2007-06-08 11:06 87,552 --a------ C:\WINDOWS\system32\commonfx.dll
2007-06-08 11:06 81,920 --a------ C:\WINDOWS\system32\ctcoinst.dll
2007-06-08 11:06 8,192 --a------ C:\WINDOWS\system32\drivers\pfmodnt.sys
2007-06-08 11:06 78,336 --a------ C:\WINDOWS\system32\drivers\emupia2k.sys
2007-06-08 11:06 766,976 --a------ C:\WINDOWS\system32\drivers\ha10kx2k.sys
2007-06-08 11:06 73,728 --a------ C:\WINDOWS\system32\piaproxy.dll
2007-06-08 11:06 71,680 --a------ C:\WINDOWS\system32\ctdproxy.dll
2007-06-08 11:06 7,168 --a------ C:\WINDOWS\system32\drivers\ctprxy2k.sys
2007-06-08 11:06 61,952 --a------ C:\WINDOWS\system32\CTHWIUT.DLL
2007-06-08 11:06 548,352 --a------ C:\WINDOWS\system32\ctsblfx.dll
2007-06-08 11:06 536,576 --a------ C:\WINDOWS\system32\ctaudfx.dll
2007-06-08 11:06 53,932 --a------ C:\WINDOWS\system32\ctdaught.dat
2007-06-08 11:06 44,567 --a------ C:\WINDOWS\system32\ctdnlstr.dat
2007-06-08 11:06 340,704 --a------ C:\WINDOWS\system32\drivers\ctdvda2k.sys
2007-06-08 11:06 33,792 --a------ C:\WINDOWS\system32\a3d.dll
2007-06-08 11:06 323,640 --a------ C:\WINDOWS\system32\ctdlang.dat
2007-06-08 11:06 313,207 --a------ C:\WINDOWS\system32\ctstatic.dat
2007-06-08 11:06 265,042 --a------ C:\WINDOWS\system32\ctsbas2w.dat
2007-06-08 11:06 21,504 --a------ C:\WINDOWS\system32\sfman32.dll
2007-06-08 11:06 180,224 --a------ C:\WINDOWS\system32\drivers\haP17v2k.sys
2007-06-08 11:06 160,768 --a------ C:\WINDOWS\system32\cteapsfx.dll
2007-06-08 11:06 158,720 --a------ C:\WINDOWS\system32\CT20XUT.DLL
2007-06-08 11:06 154,112 --a------ C:\WINDOWS\system32\drivers\haP16v2k.sys
2007-06-08 11:06 146,432 --a------ C:\WINDOWS\system32\ctdvinst.dll
2007-06-08 11:06 143,872 --a------ C:\WINDOWS\system32\drivers\ctsfm2k.sys
2007-06-08 11:06 140,643 --a------ C:\WINDOWS\system32\ctbas2w.dat
2007-06-08 11:06 116,224 --a------ C:\WINDOWS\system32\drivers\ctoss2k.sys
2007-06-08 11:06 108,032 --a------ C:\WINDOWS\system32\ctemupia.dll
2007-06-08 11:06 1,170,432 --a------ C:\WINDOWS\system32\CTEXFIFX.dll
2007-06-08 11:06 1,110,016 --a------ C:\WINDOWS\system32\drivers\ha20x2k.sys
2007-06-08 11:05 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2007-06-08 11:05 502,272 --a------ C:\WINDOWS\system32\drivers\ctac32k.sys
2007-06-08 11:05 499,584 --a------ C:\WINDOWS\system32\drivers\ctaud2k.sys
2007-06-08 11:05 48,640 --a------ C:\WINDOWS\system32\drivers\stream.sys
2007-06-08 11:05 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-06-08 11:05 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2007-06-08 11:05 140,928 --a------ C:\WINDOWS\system32\drivers\ks.sys
2007-06-08 11:05 10,240 --a------ C:\WINDOWS\CTDCRES.DLL
2007-06-07 20:35 <DIR> d-------- C:\Program Files\XYplorer
2007-06-07 16:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-07 15:08 <DIR> d-------- C:\Vdefs
2007-06-07 14:13 2,277,888 --a------ C:\WINDOWS\system32\LOGOOS.EXE
2007-06-07 14:02 25,088 --a------ C:\WINDOWS\system32\shfolder.dll
2007-06-07 14:01 <DIR> d-------- C:\Program Files\SureThing CD Labeler 5
2007-06-07 14:01 <DIR> d-------- C:\Program Files\Common Files\SureThing Shared
2007-06-06 20:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\NVIDIA
2007-06-06 20:34 <DIR> d-------- C:\WINDOWS\nview
2007-06-06 20:33 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-06-06 20:33 <DIR> d-------- C:\NVIDIA
2007-06-06 15:11 <DIR> d-------- C:\Program Files\Advanced MP3 Converter
2007-06-06 10:50 <DIR> d-------- C:\DOCUME~1\Larry\APPLIC~1\Babylon
2007-06-06 10:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Babylon
2007-06-05 19:20 <DIR> d-------- C:\Program Files\DirectX Happy Uninstall
2007-06-05 13:59 <DIR> d-------- C:\1386
2007-06-05 13:51 77,824 --a------ C:\WINDOWS\system32\mplaw7.dll
2007-06-05 13:51 77,824 --a------ C:\WINDOWS\system32\mplaa6.dll
2007-06-05 13:51 761,856 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-06-05 13:51 65,536 --a------ C:\WINDOWS\system32\mplapx.dll
2007-06-05 13:51 65,536 --a------ C:\WINDOWS\system32\mplam6.dll
2007-06-05 13:51 19,968 --a------ C:\WINDOWS\system32\cpuinf32.dll
2007-06-05 13:51 152,064 --a------ C:\WINDOWS\system32\unrar.dll
2007-06-05 13:51 1,650,688 --a------ C:\WINDOWS\system32\mplva6.dll
2007-06-05 13:51 1,581,056 --a------ C:\WINDOWS\system32\mplvw7.dll
2007-06-05 13:51 1,552,384 --a------ C:\WINDOWS\system32\mplvm6.dll
2007-06-05 13:51 1,122,304 --a------ C:\WINDOWS\system32\mplvpx.dll
2007-06-05 13:51 <DIR> d-------- C:\Program Files\ACE Mega CoDecS Pack
2007-06-05 10:56 <DIR> d-------- C:\WINDOWS\system32\Panda Software
2007-06-05 09:55 77,312 --a------ C:\WINDOWS\ua2.dll
2007-06-04 21:28 <DIR> d-------- C:\DOCUME~1\Larry\APPLIC~1\vlc
2007-06-04 21:10 83,456 --a------ C:\WINDOWS\system32\OLEPRO32.DLL
2007-06-04 21:10 65,024 --a------ C:\WINDOWS\system32\ASYCFILT.DLL
2007-06-04 21:10 553,472 --a------ C:\WINDOWS\system32\OLEAUT32.DLL
2007-06-04 21:10 3,584 --a------ C:\WINDOWS\system32\COMCAT.DLL
2007-06-04 21:10 1,386,496 --a------ C:\WINDOWS\system32\MSVBVM60.DLL
2007-06-04 20:53 <DIR> d-------- C:\Program Files\Uniblue
2007-06-04 20:47 266,293 --a------ C:\WINDOWS\system\MSVCRT.DLL
2007-06-04 19:14 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-06-04 18:51 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-06-04 15:18 9,344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8,320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6,272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-03 13:48 <DIR> d-------- C:\Program Files\LottoPlus
2007-06-03 13:22 22,528 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2007-06-03 13:22 16,512 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2007-06-02 09:11 <DIR> d-------- C:\Program Files\You've Got Mail
2007-06-02 08:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Geek Squad
2007-06-02 08:32 <DIR> d-------- C:\Program Files\Duplicate File Remover
2007-06-01 15:53 <DIR> d-------- C:\Program Files\DiskTrix
2007-06-01 08:11 <DIR> d-------- C:\Program Files\WWW File Share Pro
2007-05-31 21:04 96,968 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-05-30 22:30 <DIR> d-------- C:\Administrator
2007-05-30 22:29 <DIR> d-------- C:\BigBird
2007-05-30 21:21 <DIR> d-------- C:\Program Files\BandwidthMonitor
2007-05-30 21:21 <DIR> d-------- C:\DOCUME~1\Larry\APPLIC~1\BWMonitor
2007-05-30 10:20 <DIR> d-------- C:\Program Files\Common Files\eSellerate
2007-05-30 09:43 614,400 --a------ C:\WINDOWS\system32\ExButton.dll
2007-05-30 09:43 585,728 --a------ C:\WINDOWS\system32\ExMenu.dll
2007-05-30 09:43 507,904 --a------ C:\WINDOWS\system32\ExTab.dll
2007-05-30 09:43 368,912 --a------ C:\WINDOWS\system32\vbar332.dll
2007-05-30 09:43 356,352 --a------ C:\WINDOWS\system32\eSellerateEngine.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-09 16:32:41 -------- d-----w C:\Program Files\FlashGet
2007-06-09 00:31:19 -------- d-----w C:\DOCUME~1\Larry\APPLIC~1\Vso
2007-06-08 17:27:03 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-06-08 17:06:54 -------- d-----w C:\Program Files\Creative
2007-06-08 17:05:53 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-06-08 17:05:53 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2007-06-08 17:03:26 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-08 02:13:40 -------- d-----w C:\Program Files\XoftSpySE
2007-06-07 22:25:51 -------- d-----w C:\Program Files\Lavasoft
2007-06-07 22:25:00 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-06-07 22:24:33 -------- d-----w C:\DOCUME~1\Larry\APPLIC~1\Lavasoft
2007-06-06 02:13:14 2,422 ----a-w C:\WINDOWS\system32\tmp.reg
2007-06-05 23:05:17 -------- d-----w C:\DOCUME~1\Larry\APPLIC~1\dvdcss
2007-06-05 02:53:46 -------- d-----w C:\DOCUME~1\Larry\APPLIC~1\Uniblue
2007-06-03 19:12:03 24,575 ----a-w C:\WINDOWS\system32\Bwinsysmwappio60.dll
2007-05-28 07:34:08 -------- d-----w C:\Program Files\Universal Math Solver
2007-05-28 06:58:41 -------- d-----w C:\DOCUME~1\Larry\APPLIC~1\Thinstall
2007-05-27 23:44:07 -------- d-----w C:\DOCUME~1\Larry\APPLIC~1\U3
2007-05-26 12:35:20 -------- d-----w C:\Program Files\CyberLink
2007-05-26 06:19:50 -------- d-----w C:\Program Files\DivX
2007-05-26 05:59:57 -------- d-----w C:\Program Files\Morgan
2007-05-26 05:34:11 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-05-24 00:17:09 -------- d-----w C:\Program Files\Ad Muncher
2007-05-23 05:03:27 -------- d-----w C:\Program Files\Blowfish Advanced CS
2007-05-23 05:01:38 -------- d-----w C:\Program Files\ImTOO
2007-05-23 04:54:57 -------- d-----w C:\Program Files\Desksware
2007-05-23 04:54:34 -------- d-----w C:\Program Files\Picture Merge Genius
2007-05-23 04:52:47 -------- d-----w C:\Program Files\Britannica 2006
2007-05-23 04:49:40 -------- d-----w C:\Program Files\IDoser
2007-05-23 04:46:16 -------- d-----w C:\Program Files\Supreme Folder Hider Demo
2007-05-23 04:45:44 -------- d-----w C:\Program Files\Gabest
2007-05-23 04:42:37 -------- d-----w C:\Program Files\Full Speed
2007-05-23 04:34:35 -------- d-----w C:\Program Files\Common Files\Ahead
2007-05-22 05:33:21 1,283,952 ----a-w C:\WINDOWS\wweb32.dll
2007-05-21 01:29:32 -------- d-----w C:\Program Files\dvdSanta
2007-05-21 00:06:10 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-05-20 23:51:45 -------- d-----w C:\Program Files\Google
2007-05-20 17:47:00 -------- d-----w C:\Program Files\Axaware
2007-05-20 05:43:06 -------- d-----w C:\Program Files\WinAVIVideoConverter
2007-05-19 06:55:18 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2007-05-19 06:55:17 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2007-05-19 06:55:16 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2007-05-15 03:38:07 -------- d-----w C:\Program Files\Winamp
2007-05-15 00:24:09 -------- d-----w C:\Program Files\East-Tec Eraser 2007
2007-05-13 22:58:07 -------- d-----w C:\Program Files\nLite
2007-05-08 23:30:21 -------- d-----w C:\DOCUME~1\Larry\APPLIC~1\LimeWire
2007-05-08 01:02:49 -------- d-----w C:\Program Files\CH-Soft
2007-05-08 01:02:37 17,408 ----a-w C:\psapi.dll
2007-05-08 00:54:38 -------- d-----w C:\Program Files\Speed DVD Creator
2007-05-08 00:36:21 -------- d-----w C:\Program Files\Speed Video Converter
2007-05-08 00:01:22 -------- d-----w C:\DOCUME~1\Larry\APPLIC~1\Ashampoo
2007-05-08 00:01:06 -------- d-----w C:\Program Files\Ashampoo
2007-05-07 23:39:46 -------- d-----w C:\DOCUME~1\Larry\APPLIC~1\Conceptworld
2007-05-07 23:39:22 -------- d-----w C:\Program Files\Conceptworld
2007-05-07 00:19:25 -------- d-----w C:\Program Files\JPSoft
2007-05-07 00:19:11 -------- d-----w C:\DOCUME~1\Larry\APPLIC~1\JP Software
2007-05-06 22:24:44 -------- d-----w C:\Program Files\Sygate
2007-05-02 03:06:19 -------- d-----w C:\Program Files\Your Uninstaller 2006
2007-04-29 16:59:26 -------- d-----w C:\Program Files\IE7pro
2007-04-28 22:59:31 -------- d-----w C:\Program Files\PC MightyMax
2007-04-28 22:00:34 -------- d-----w C:\Program Files\Online Services
2007-04-27 22:22:34 -------- d-----w C:\Program Files\CA
2007-04-27 22:14:44 -------- d-----w C:\Program Files\Sunbelt Software
2007-04-27 22:03:25 -------- d-----w C:\Program Files\FirefoxPreloader
2007-04-27 22:03:15 -------- d-----w C:\DOCUME~1\Larry\APPLIC~1\Creative
2007-04-27 07:29:53 -------- d-----w C:\DOCUME~1\Larry\APPLIC~1\FileZilla
2007-04-27 02:31:14 -------- d-----w C:\DOCUME~1\Larry\APPLIC~1\SuperAdBlocker.com
2007-04-27 02:30:52 -------- d-----w C:\Program Files\SuperAdBlocker.com
2007-04-26 06:15:33 -------- d-----w C:\Program Files\Alcohol Soft
2007-04-26 03:41:51 56 --sh--r C:\WINDOWS\system32\AFB0E0E686.sys
2007-04-26 03:41:51 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-04-25 02:12:10 -------- d-----w C:\Program Files\TrojanHunter 4.6
2007-04-25 00:50:10 -------- d-----w C:\Program Files\Xecutor
2007-04-24 20:33:37 23 ----a-w C:\tempdelete.bat
2007-04-24 19:22:12 -------- d-----w C:\Program Files\XP Hidden Application Enabler
2007-04-24 18:33:54 -------- d-----w C:\Program Files\Neoretix
2007-04-23 01:20:16 4,608 ----a-w C:\WINDOWS\system32\w95inf32.dll
2007-04-23 01:20:16 2,272 ----a-w C:\WINDOWS\system32\w95inf16.dll
2007-04-23 01:19:30 -------- d-----w C:\Program Files\Auralog
2007-04-22 12:08:08 87,608 ----a-w C:\DOCUME~1\Larry\APPLIC~1\ezpinst.exe
2007-04-22 12:08:08 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2007-04-22 12:08:08 47,360 ----a-w C:\DOCUME~1\Larry\APPLIC~1\pcouffin.sys
2007-04-22 11:53:21 -------- d-----w C:\Program Files\Rollback
2007-04-21 19:13:28 -------- d-----w C:\Program Files\Microsoft Bootvis
2007-04-21 17:01:37 -------- d-----w C:\Program Files\WinZix
2007-04-19 23:27:32 -------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-04-19 23:18:32 -------- d-----w C:\Program Files\Common Files\stardock
2007-04-19 23:06:50 -------- d-----w C:\Program Files\MPEG4 Direct Maker
2007-04-19 23:00:54 -------- d-----w C:\Program Files\AviSynth 2.5
2007-04-19 22:58:27 -------- d-----w C:\Program Files\Apple Software Update
2007-04-19 03:53:51 -------- d-----w C:\Program Files\R-Drive Image
2007-04-19 03:13:29 103,936 ------w C:\WINDOWS\hpoins04.dat
2007-04-19 01:45:50 -------- d-----w C:\Program Files\RogueRemover
2007-04-19 00:30:53 -------- d-----w C:\Program Files\WinAVI DVD Copy
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 04:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 04:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 04:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 04:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 04:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2005-07-08 23:11:22 108 --sha-r C:\WINDOWS\neoqaz2.dll
2005-06-22 05:37:42 45,568 --sha-r C:\WINDOWS\system32\cygz.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{00011268-E188-40DF-A514-835FCD78B1BF}=C:\Program Files\IE7pro\IE7pro.dll [2007-02-10 16:38]
{00C6482D-C502-44C8-8409-FCE54AD9C208}=C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll [2007-05-01 11:11]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}=C:\PROGRA~1\FlashGet\jccatch.dll [2007-01-15 15:04]
{724d43a9-0d85-11d4-9908-00400523e39a}=C:\Program Files\Siber Systems\AI RoboForm\roboform.dll [2007-05-25 16:20]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll [2006-07-26 04:17]
{E5A1691B-D188-4419-AD02-90002030B8EE}=C:\PROGRA~1\FlashFXP\IEFlash.dll [2006-03-31 23:27]
{F156768E-81EF-470C-9057-481BA8380DBA}=C:\Program Files\FlashGet\getflash.dll [2007-01-15 11:40]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"THGuard"="C:\Program Files\TrojanHunter 4.6\THGuard.exe" [2006-09-14 02:22]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2005-09-27 12:16]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-05-19 00:55]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2007-05-25 19:50]
"Ad Muncher"="C:\Program Files\Ad Muncher\AdMunch.exe" [2007-05-23 18:17]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 21:01]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 16:21]
"Flashget"="C:\PROGRA~1\FlashGet\Flashget.exe" [2007-01-15 14:55]
"Babylon Client"="C:\Program Files\Babylon\Babylon-Pro\Babylon.exe" [2007-06-07 15:01]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 C:\WINDOWS\system32\CTXFIHLP.EXE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ProtoWall"="C:\Program Files\Bluetack\ProtoWall\ProtoWall.exe" [2006-04-17 22:06]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-05-25 16:20]
"BandwidthMonitor"="C:\Program Files\BandwidthMonitor\BWMonitor.exe" [2007-05-22 13:06]
"Creative MediaSource Go"="C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" [2002-11-25 12:38]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"RunStartupScriptSync"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRemoteRecursiveEvents"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)
"NoLowDiskSpaceChecks"=1 (0x1)
"NoChangeKeyboardNavigationIndicators"=0 (0x0)
"NoSMBalloonTip"=1 (0x1)
"NoDesktopCleanupWizard"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"="C:\PROGRA~1\COMMON~1\stardock\MCPCore.dll" [2005-05-10 13:31]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\RegCompact]
RegCompact.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=UmxSbxExw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Firefox Preloader.lnk]
backup=C:\WINDOWS\pss\Firefox Preloader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Larry^Start Menu^Programs^Startup^naviscope.lnk]
backup=C:\WINDOWS\pss\naviscope.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Larry^Start Menu^Programs^Startup^WordWeb Pro.lnk]
backup=C:\WINDOWS\pss\WordWeb Pro.lnkStartup
path=C:\Documents and Settings\Larry\Start Menu\Programs\Startup\WordWeb Pro.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0204191169260128mcinstcleanup]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
"C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XoftSpySE]
"C:\Program Files\XoftSpySE\xoftspy.exe" -s

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
"CoolSwitch"=C:\WINDOWS\System32\taskswitch.exe
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
"AsioReg"="REGSVR32.EXE" /S CTASIO.DLL
"CTHelper"=CTHELPER.EXE
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-06-09 04:20:43 C:\WINDOWS\tasks\User_Feed_Synchronization-{675C24DC-6969-49A8-B0F9-F618E507DAAC}.job
2007-06-09 16:33:51 C:\WINDOWS\tasks\XoftSpySE 2.job
2007-06-05 15:26:49 C:\WINDOWS\tasks\XoftSpySE.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-09 10:34:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-09 10:35:35 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-09 10:35

--- E O F ---
*********************************************************************************************************************************
Logfile of HijackThis v1.99.1
Scan saved at 10:40:26 AM, on 6/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\BandwidthMonitor\BWMonitor.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: IE7pro BHO - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7pro\IE7pro.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Flashget] C:\PROGRA~1\FlashGet\Flashget.exe /min
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKCU\..\Run: [ProtoWall] "C:\Program Files\Bluetack\ProtoWall\ProtoWall.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [BandwidthMonitor] C:\Program Files\BandwidthMonitor\BWMonitor.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe /SYS
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Open Selected URL - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\openselectedurl.htm
O8 - Extra context menu item: Search &Google - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\google.htm
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra 'Tools' menuitem: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162873201218
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4ADA8CDD-664C-4790-8AD2-21B7B89256B6}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: PFW - C:\WINDOWS\SYSTEM32\UmxWnp.Dll
O20 - Winlogon Notify: RegCompact - C:\WINDOWS\SYSTEM32\RegCompact.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RichVideo - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe

#4 random/random

  • Malware Response Team

Posted 09 June 2007 - 03:05 PM

Go here to run an online scanner from Kaspersky.
  • Click on "Kaspersky Online Scanner"
  • A new smaller window will pop up. After reading the contents, press "Accept".
  • Now Kaspersky will update the anti-virus database. Let it run.
  • Click on "Next" > "Scan Settings", and make sure the database is set to "extended". Check both the scan options, then click OK.
  • Then click on "My Computer", and the scan will start.
  • Once finished, save the log as "KAV.txt" to the desktop.
Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.

Post the Kaspersky log and a new HijackThis log, and let me know how it's running now.

#5 lemco

  • Topic Starter

Posted 09 June 2007 - 08:58 PM

As requested, here are the log files.


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, June 09, 2007 7:51:25 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 10/06/2007
Kaspersky Anti-Virus database records: 341780
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
G:\

Scan Statistics:
Total number of scanned objects: 151987
Number of viruses found: 29
Number of infected objects: 147
Number of suspicious objects: 5
Duration of the scan process: 04:07:18

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Larry\Application Data\BWMonitor\bwmsum_v2.log Object is locked skipped
C:\Documents and Settings\Larry\Application Data\Sun\Java\Deployment\log\plugin150_08.trace Object is locked skipped
C:\Documents and Settings\Larry\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\Magical Jelly Bean Keyfinder v1.5B3A\kf15b3.zip/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\Magical Jelly Bean Keyfinder v1.5B3A\kf15b3.zip/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\Magical Jelly Bean Keyfinder v1.5B3A\kf15b3.zip/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\Magical Jelly Bean Keyfinder v1.5B3A\kf15b3.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\NOD32 Antivirus System 2.70.16\NOD32.FiX.v2.1-nsane\NOD32.FiX.v2.1-nsane\NOD32.FiX.v2.1.rar/NOD32.FiX.v2.1.exe Infected: Backdoor.Win32.Rbot.bbm skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\NOD32 Antivirus System 2.70.16\NOD32.FiX.v2.1-nsane\NOD32.FiX.v2.1-nsane\NOD32.FiX.v2.1.rar RAR: infected - 1 skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\NOD32 Antivirus System 2.70.16\NOD32.FiX.v2.1-nsane\NOD32.FiX.v2.1-nsane\NOD32F~1.VVVV Object is locked skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\NOD32 Antivirus System 2.70.16\NOD32.FiX.v2.1-nsane\NOD32.v2.1.Crack\NOD32F~1.VVVV Object is locked skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\NOD32 Antivirus System 2.70.16\NOD32.FiX.v2.1-nsane.rar/NOD32.FiX.v2.1-nsane/NOD32.FiX.v2.1.rar/NOD32.FiX.v2.1.exe Infected: Backdoor.Win32.Rbot.bbm skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\NOD32 Antivirus System 2.70.16\NOD32.FiX.v2.1-nsane.rar/NOD32.FiX.v2.1-nsane/NOD32.FiX.v2.1.rar Infected: Backdoor.Win32.Rbot.bbm skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\NOD32 Antivirus System 2.70.16\NOD32.FiX.v2.1-nsane.rar/NOD32.FiX.v2.1-nsane/NOD32.v2.1.Crack/NOD32.FiX.v2.1.exe Infected: Backdoor.Win32.Rbot.bbm skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\NOD32 Antivirus System 2.70.16\NOD32.FiX.v2.1-nsane.rar RAR: infected - 3 skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\SmitFraudFix v2.150\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\Top Programs All in one\Top 5 Download Managers All in one\AIODM.exe/AutoPlay/Docs/DAP_7.4/DAP.exe/data.rar/DAP.exe Infected: not-a-virus:AdWare.Win32.Dap.b skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\Top Programs All in one\Top 5 Download Managers All in one\AIODM.exe/AutoPlay/Docs/DAP_7.4/DAP.exe/data.rar Infected: not-a-virus:AdWare.Win32.Dap.b skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\Top Programs All in one\Top 5 Download Managers All in one\AIODM.exe/AutoPlay/Docs/DAP_7.4/DAP.exe Infected: not-a-virus:AdWare.Win32.Dap.b skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\Top Programs All in one\Top 5 Download Managers All in one\AIODM.exe ZIP: infected - 3 skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\Top Programs All in one\Top 5 Download Managers All in one\AIODM.rar/AIODM.exe/AutoPlay/Docs/DAP_7.4/DAP.exe/data.rar/DAP.exe Infected: not-a-virus:AdWare.Win32.Dap.b skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\Top Programs All in one\Top 5 Download Managers All in one\AIODM.rar/AIODM.exe/AutoPlay/Docs/DAP_7.4/DAP.exe/data.rar Infected: not-a-virus:AdWare.Win32.Dap.b skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\Top Programs All in one\Top 5 Download Managers All in one\AIODM.rar/AIODM.exe/AutoPlay/Docs/DAP_7.4/DAP.exe Infected: not-a-virus:AdWare.Win32.Dap.b skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\Top Programs All in one\Top 5 Download Managers All in one\AIODM.rar/AIODM.exe Infected: not-a-virus:AdWare.Win32.Dap.b skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\Top Programs All in one\Top 5 Download Managers All in one\AIODM.rar RAR: infected - 4 skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\Top Programs All in one\WEEKLY SOUL'S SEVEN TOOLS - Week No. 8\SOUL8.rar/WEEKLY SOUL'S SEVEN TOOLS.exe/data.rar/AutoPlay/Docs/CSTools 0.01.exe/data.rar/CSTools.tm8/Data1.cab/_5284D43BDA6946D291EC89B1CCB81B8D Infected: not-a-virus:AdWare.Win32.Craagle.19 skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\Top Programs All in one\WEEKLY SOUL'S SEVEN TOOLS - Week No. 8\SOUL8.rar/WEEKLY SOUL'S SEVEN TOOLS.exe/data.rar/AutoPlay/Docs/CSTools 0.01.exe/data.rar/CSTools.tm8/Data1.cab/_4D6D32F4E55545AE8D1DB5BFA5329D88 Infected: HackTool.Win32.CrackSearch.a skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\Top Programs All in one\WEEKLY SOUL'S SEVEN TOOLS - Week No. 8\SOUL8.rar/WEEKLY SOUL'S SEVEN TOOLS.exe/data.rar/AutoPlay/Docs/CSTools 0.01.exe/data.rar/CSTools.tm8/Data1.cab Infected: HackTool.Win32.CrackSearch.a skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\Top Programs All in one\WEEKLY SOUL'S SEVEN TOOLS - Week No. 8\SOUL8.rar/WEEKLY SOUL'S SEVEN TOOLS.exe/data.rar/AutoPlay/Docs/CSTools 0.01.exe/data.rar/CSTools.tm8 Infected: HackTool.Win32.CrackSearch.a skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\Top Programs All in one\WEEKLY SOUL'S SEVEN TOOLS - Week No. 8\SOUL8.rar/WEEKLY SOUL'S SEVEN TOOLS.exe/data.rar/AutoPlay/Docs/CSTools 0.01.exe/data.rar Infected: HackTool.Win32.CrackSearch.a skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\Top Programs All in one\WEEKLY SOUL'S SEVEN TOOLS - Week No. 8\SOUL8.rar/WEEKLY SOUL'S SEVEN TOOLS.exe/data.rar/AutoPlay/Docs/CSTools 0.01.exe Infected: HackTool.Win32.CrackSearch.a skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\Top Programs All in one\WEEKLY SOUL'S SEVEN TOOLS - Week No. 8\SOUL8.rar/WEEKLY SOUL'S SEVEN TOOLS.exe/data.rar Infected: HackTool.Win32.CrackSearch.a skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\Top Programs All in one\WEEKLY SOUL'S SEVEN TOOLS - Week No. 8\SOUL8.rar/WEEKLY SOUL'S SEVEN TOOLS.exe Infected: HackTool.Win32.CrackSearch.a skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\Top Programs All in one\WEEKLY SOUL'S SEVEN TOOLS - Week No. 8\SOUL8.rar RAR: infected - 8 skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\Top Programs All in one\WEEKLY SOUL'S SEVEN TOOLS - Week No. 8\WEEKLY SOUL'S SEVEN TOOLS.exe/data.rar/AutoPlay/Docs/CSTools 0.01.exe/data.rar/CSTools.tm8/Data1.cab/_5284D43BDA6946D291EC89B1CCB81B8D Infected: not-a-virus:AdWare.Win32.Craagle.19 skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\Top Programs All in one\WEEKLY SOUL'S SEVEN TOOLS - Week No. 8\WEEKLY SOUL'S SEVEN TOOLS.exe/data.rar/AutoPlay/Docs/CSTools 0.01.exe/data.rar/CSTools.tm8/Data1.cab/_4D6D32F4E55545AE8D1DB5BFA5329D88 Infected: HackTool.Win32.CrackSearch.a skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\Top Programs All in one\WEEKLY SOUL'S SEVEN TOOLS - Week No. 8\WEEKLY SOUL'S SEVEN TOOLS.exe/data.rar/AutoPlay/Docs/CSTools 0.01.exe/data.rar/CSTools.tm8/Data1.cab Infected: HackTool.Win32.CrackSearch.a skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\Top Programs All in one\WEEKLY SOUL'S SEVEN TOOLS - Week No. 8\WEEKLY SOUL'S SEVEN TOOLS.exe/data.rar/AutoPlay/Docs/CSTools 0.01.exe/data.rar/CSTools.tm8 Infected: HackTool.Win32.CrackSearch.a skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\Top Programs All in one\WEEKLY SOUL'S SEVEN TOOLS - Week No. 8\WEEKLY SOUL'S SEVEN TOOLS.exe/data.rar/AutoPlay/Docs/CSTools 0.01.exe/data.rar Infected: HackTool.Win32.CrackSearch.a skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\Top Programs All in one\WEEKLY SOUL'S SEVEN TOOLS - Week No. 8\WEEKLY SOUL'S SEVEN TOOLS.exe/data.rar/AutoPlay/Docs/CSTools 0.01.exe Infected: HackTool.Win32.CrackSearch.a skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\Top Programs All in one\WEEKLY SOUL'S SEVEN TOOLS - Week No. 8\WEEKLY SOUL'S SEVEN TOOLS.exe/data.rar Infected: HackTool.Win32.CrackSearch.a skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\Top Programs All in one\WEEKLY SOUL'S SEVEN TOOLS - Week No. 8\WEEKLY SOUL'S SEVEN TOOLS.exe RarSFX: infected - 7 skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\U-Serve ftp\New Folder\Serv-U.v6.1.0.1_CRKEXE-FFF.zip/ServUDaemon.exe Infected: Backdoor.Win32.ServU-based.bk skipped
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\U-Serve ftp\New Folder\Serv-U.v6.1.0.1_CRKEXE-FFF.zip RAR: infected - 1 skipped
C:\Documents and Settings\Larry\Desktop\4-27-07 software reinstall\FlashGet 1.81 1002\FlashGet.1.81.BY.SOFT-BEST.NET.rar/flashget181en.exe/data0000.cab/FLASHG~1.EXE Infected: Backdoor.Win32.Pakes skipped
C:\Documents and Settings\Larry\Desktop\4-27-07 software reinstall\FlashGet 1.81 1002\FlashGet.1.81.BY.SOFT-BEST.NET.rar/flashget181en.exe/data0000.cab Infected: Backdoor.Win32.Pakes skipped
C:\Documents and Settings\Larry\Desktop\4-27-07 software reinstall\FlashGet 1.81 1002\FlashGet.1.81.BY.SOFT-BEST.NET.rar/flashget181en.exe Infected: Backdoor.Win32.Pakes skipped
C:\Documents and Settings\Larry\Desktop\4-27-07 software reinstall\FlashGet 1.81 1002\FlashGet.1.81.BY.SOFT-BEST.NET.rar RAR: infected - 3 skipped
C:\Documents and Settings\Larry\Desktop\abcdef All Holding files\Cain&Able\ca_setup.exe/WISE0025.BIN Infected: not-a-virus:PSWTool.Win32.Cain.284 skipped
C:\Documents and Settings\Larry\Desktop\abcdef All Holding files\Cain&Able\ca_setup.exe WiseSFX: infected - 1 skipped
C:\Documents and Settings\Larry\Desktop\abcdef All Holding files\Cain&Able\ca_setup.zip/ca_setup.exe/WISE0025.BIN Infected: not-a-virus:PSWTool.Win32.Cain.284 skipped
C:\Documents and Settings\Larry\Desktop\abcdef All Holding files\Cain&Able\ca_setup.zip/ca_setup.exe Infected: not-a-virus:PSWTool.Win32.Cain.284 skipped
C:\Documents and Settings\Larry\Desktop\abcdef All Holding files\Cain&Able\ca_setup.zip ZIP: infected - 2 skipped
C:\Documents and Settings\Larry\Desktop\abcdef All Holding files\NERO v7.7.5.1\Nero-7.7.5.1_eng_trial.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\Larry\Desktop\abcdef All Holding files\NERO v7.7.5.1\Nero-7.7.5.1_eng_trial.exe RAR: infected - 1 skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\Advanced Archive Password Recover\New Folder\Advanced_Archive_Password_Recovery_3.01.7.rar/keygen.exe Infected: Trojan-Downloader.Win32.LoadAdv.c skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\Advanced Archive Password Recover\New Folder\Advanced_Archive_Password_Recovery_3.01.7.rar/crack.exe Infected: Trojan.Win32.Agent.qt skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\Advanced Archive Password Recover\New Folder\Advanced_Archive_Password_Recovery_3.01.7.rar/patch.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.if skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\Advanced Archive Password Recover\New Folder\Advanced_Archive_Password_Recovery_3.01.7.rar RAR: infected - 3 skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\Advanced Archive Password Recover\New Folder\crack.exe Infected: Trojan.Win32.Agent.qt skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\Advanced Archive Password Recover\New Folder\New Folder\crack.exe Infected: Trojan.Win32.Agent.qt skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\Advanced Archive Password Recover\New Folder\New Folder\ELCOMSOFT_Advanced_Archive_Password_Recovery_3.01_Build_7.rar/keygen.exe Infected: Trojan-Downloader.Win32.LoadAdv.c skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\Advanced Archive Password Recover\New Folder\New Folder\ELCOMSOFT_Advanced_Archive_Password_Recovery_3.01_Build_7.rar/crack.exe Infected: Trojan.Win32.Agent.qt skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\Advanced Archive Password Recover\New Folder\New Folder\ELCOMSOFT_Advanced_Archive_Password_Recovery_3.01_Build_7.rar/patch.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.if skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\Advanced Archive Password Recover\New Folder\New Folder\ELCOMSOFT_Advanced_Archive_Password_Recovery_3.01_Build_7.rar RAR: infected - 3 skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\Advanced Archive Password Recover\New Folder\New Folder\patch.VVVVvvexe Object is locked skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\Advanced Archive Password Recover\New Folder\patch.VVVVvvexe Object is locked skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\I Hate Keyloggers Version 1.0 + SERIAL\I.Hate.Keyloggers.v1.0.FULL.VERSION.rar/i-hate-keyloggers.exe Infected: not-a-virus:Monitor.Win32.KeyLogger.w skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\I Hate Keyloggers Version 1.0 + SERIAL\I.Hate.Keyloggers.v1.0.FULL.VERSION.rar RAR: infected - 1 skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\Nero 7 Ultra ENHANCED{7.8.5.0}With PhotoShow Deluxe 4 and DVD Video Multichannel Plug-in\Nero-7.8.5.0_all_update.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\Nero 7 Ultra ENHANCED{7.8.5.0}With PhotoShow Deluxe 4 and DVD Video Multichannel Plug-in\Nero-7.8.5.0_all_update.exe RAR: infected - 1 skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\Power Video Converter 1.5.37\keygen\powervideoconverter_keygen_by_code79club.zip/keygen.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\Power Video Converter 1.5.37\keygen\powervideoconverter_keygen_by_code79club.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\RockXP4\RockXP4.exe/data.rar/pwdump2/pwdump2.exe Infected: not-a-virus:PSWTool.Win32.PWDump.2 skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\RockXP4\RockXP4.exe/data.rar/pwdump2/samdump.dll Infected: not-a-virus:PSWTool.Win32.PWDump.2 skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\RockXP4\RockXP4.exe/data.rar/RockXP4_.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\RockXP4\RockXP4.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\RockXP4\RockXP4.exe RarSFX: infected - 4 skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\Smitfraud\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\Smitfraud\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\Smitfraud\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\Smitfraud\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\SmitFraudFix v2.176\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\SmitFraudFix v2.176\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\SmitFraudFix v2.176\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\SmitFraudFix v2.176\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\Speed Video Converter v3.0.38\sdc4038kg\Keygen\keygen.exe Suspicious: Packed.Win32.CryptExe skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\Speed Video Converter v3.0.38\sdc4038kg.rar/sdc4038kg/Keygen/keygen.exe Suspicious: Packed.Win32.CryptExe skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\Speed Video Converter v3.0.38\sdc4038kg.rar RAR: suspicious - 1 skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\Winrar 3.70 beta 6\Patch that works for all versions\2004.02.21_WinRAR_3.x_UNIVERSAL_PATCH.PATCH_MP2K.zip/crack.exe Infected: Trojan-Downloader.Win32.Small.ddp skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\Winrar 3.70 beta 6\Patch that works for all versions\2004.02.21_WinRAR_3.x_UNIVERSAL_PATCH.PATCH_MP2K.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\ZeroSpyware\ZeroSpyware_3.3_(WWW.CRACK-LOCATOR.ORG).zip/patch1.exe Infected: Trojan-Downloader.Win32.INService.bl skipped
C:\Documents and Settings\Larry\Desktop\new programs hold\ZeroSpyware\ZeroSpyware_3.3_(WWW.CRACK-LOCATOR.ORG).zip ZIP: infected - 1 skipped
C:\Documents and Settings\Larry\Desktop\program temp hold\RapidUp ver. 1.3 Final 1,2 Mb\Extra tools\RapidSearch Beta v0.2\RapidSearch.exe Infected: Trojan-PSW.Win32.IcqSmiley.c skipped
C:\Documents and Settings\Larry\Desktop\program temp hold\RapidUp ver. 1.3 Final 1,2 Mb\RapidUp_V1.3_Final.1-9-2006\Extra tools\RapidSearch Beta v0.2\RapidSearch.exe Infected: Trojan-PSW.Win32.IcqSmiley.c skipped
C:\Documents and Settings\Larry\Desktop\program temp hold\RapidUp ver. 1.3 Final 1,2 Mb\RapidUp_V1.3_Final.1-9-2006.rar/Extra tools/RapidSearch Beta v0.2/RapidSearch.exe Infected: Trojan-PSW.Win32.IcqSmiley.c skipped
C:\Documents and Settings\Larry\Desktop\program temp hold\RapidUp ver. 1.3 Final 1,2 Mb\RapidUp_V1.3_Final.1-9-2006.rar RAR: infected - 1 skipped
C:\Documents and Settings\Larry\Desktop\program temp hold\Remote Administrator (Radmin) v3.0 17.3 MB\Remote.Administrator.Radmin.v3.0.FULL\FIX - Read Informations\Famatech.Radmin.Server.3.0.Trial.Stop.and.Tray.Icon.Remove\R3GOD.DLL Infected: Backdoor.Win32.RAdmin.ab skipped
C:\Documents and Settings\Larry\Desktop\program temp hold\Remote Administrator (Radmin) v3.0 17.3 MB\Remote.Administrator.Radmin.v3.0.FULL.zip/Remote.Administrator.Radmin.v3.0.FULL/FIX - Read Informations/Famatech.Radmin.Server.3.0.Trial.Stop.and.Tray.Icon.Remove/R3GOD.DLL Infected: Backdoor.Win32.RAdmin.ab skipped
C:\Documents and Settings\Larry\Desktop\program temp hold\Remote Administrator (Radmin) v3.0 17.3 MB\Remote.Administrator.Radmin.v3.0.FULL.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Larry\Desktop\URL's Updated\RAPIDSHARE Search\RapidSearch.exe Infected: Trojan-PSW.Win32.IcqSmiley.c skipped
C:\Documents and Settings\Larry\Local Settings\Application Data\Identities\{99CD1172-A802-4DB0-A420-690F6EDB9988}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\Larry\Local Settings\Application Data\Identities\{99CD1172-A802-4DB0-A420-690F6EDB9988}\Microsoft\Outlook Express\Inbox.dbx Object is locked skipped
C:\Documents and Settings\Larry\Local Settings\Application Data\Identities\{99CD1172-A802-4DB0-A420-690F6EDB9988}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\Larry\Local Settings\Application Data\Identities\{99CD1172-A802-4DB0-A420-690F6EDB9988}\Microsoft\Outlook Express\Pop3uidl.dbx Object is locked skipped
C:\Documents and Settings\Larry\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Larry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Larry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Larry\Local Settings\Application Data\Mozilla\Firefox\Profiles\wafdexpp.default\Cache\13DE4457d01/crack.exe Infected: Trojan-Downloader.Win32.Small.ddp skipped
C:\Documents and Settings\Larry\Local Settings\Application Data\Mozilla\Firefox\Profiles\wafdexpp.default\Cache\13DE4457d01 ZIP: infected - 1 skipped
C:\Documents and Settings\Larry\Local Settings\Application Data\Mozilla\Firefox\Profiles\wafdexpp.default\Cache\A83954FAd01/crack.exe Infected: Trojan-Downloader.Win32.Small.ddp skipped
C:\Documents and Settings\Larry\Local Settings\Application Data\Mozilla\Firefox\Profiles\wafdexpp.default\Cache\A83954FAd01 RAR: infected - 1 skipped
C:\Documents and Settings\Larry\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Larry\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Larry\Local Settings\Temp\hsperfdata_Larry\412 Object is locked skipped
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Larry\ntuser.dat Object is locked skipped
C:\Documents and Settings\Larry\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\sw_ae-20070609-114857.log Object is locked skipped
C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped
C:\Program Files\ESET\infected\DP15INDA.NQF Infected: Trojan-Downloader.Win32.Small.ddp skipped
C:\Program Files\ESET\infected\EOTTE1BA.NQF Infected: Trojan-Downloader.Win32.LoadAdv.c skipped
C:\Program Files\ESET\infected\G3M13EAA.NQF Infected: Trojan-Downloader.Win32.Small.cwj skipped
C:\Program Files\ESET\infected\JN2SPPAA.NQF Infected: Backdoor.Win32.Rbot.bbm skipped
C:\Program Files\ESET\infected\PBUIFABA.NQF Infected: Trojan.Win32.Obfuscated.fy skipped
C:\Program Files\ESET\infected\S1LST2AA.NQF Infected: not-a-virus:AdWare.Win32.Virtumonde.if skipped
C:\Program Files\ESET\logs\virlog.dat Object is locked skipped
C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped
C:\Program Files\Sygate\SPF\debug.log Object is locked skipped
C:\Program Files\Sygate\SPF\rawlog.log Object is locked skipped
C:\Program Files\Sygate\SPF\seclog.log Object is locked skipped
C:\Program Files\Sygate\SPF\syslog.log Object is locked skipped
C:\Program Files\Sygate\SPF\tralog.log Object is locked skipped
C:\Program Files\WinZix\WinZixManager.dll Infected: not-a-virus:FraudTool.Win32.WinZix.a skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP260\A0100560.exe Infected: not-a-virus:AdTool.Win32.WhenU.j skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP260\A0100561.exe/data0000.cab/FLASHG~1.EXE Infected: Backdoor.Win32.Pakes skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP260\A0100561.exe/data0000.cab Infected: Backdoor.Win32.Pakes skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP260\A0100561.exe Rsrc-Package: infected - 2 skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP268\A0107979.exe/data.rar/pwdump2/pwdump2.exe Infected: not-a-virus:PSWTool.Win32.PWDump.2 skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP268\A0107979.exe/data.rar/pwdump2/samdump.dll Infected: not-a-virus:PSWTool.Win32.PWDump.2 skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP268\A0107979.exe/data.rar/RockXP4_.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP268\A0107979.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP268\A0107979.exe RarSFX: infected - 4 skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP303\A0116898.exe Infected: not-a-virus:FraudTool.Win32.WinZix.a skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP304\A0118071.exe/file1 Infected: not-a-virus:FraudTool.Win32.WinZix.a skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP304\A0118071.exe/file2 Infected: not-a-virus:FraudTool.Win32.WinZix.a skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP304\A0118071.exe Inno: infected - 2 skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP335\A0138172.exe Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP335\A0138173.Vexe Infected: Trojan.Win32.Obfuscated.fy skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP335\A0138180.exe Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP335\A0138182.Vexe Infected: Trojan.Win32.Obfuscated.fy skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP347\A0145802.exe/WISE0025.BIN Infected: not-a-virus:PSWTool.Win32.Cain.284 skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP347\A0145802.exe WiseSFX: infected - 1 skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP351\A0149851.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP351\A0149851.exe RAR: infected - 1 skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP384\A0163916.exe Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP404\A0179146.exe/data.rar/rs32.exe Infected: not-a-virus:NetTool.Win32.Calc-DNet.r skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP404\A0179146.exe/data.rar Infected: not-a-virus:NetTool.Win32.Calc-DNet.r skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP404\A0179146.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP404\A0179147.exe Infected: not-a-virus:NetTool.Win32.Calc-DNet.r skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP404\A0179157.exe Infected: not-a-virus:NetTool.Win32.Calc-DNet.r skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP404\A0179158.exe Infected: not-a-virus:NetTool.Win32.Calc-DNet.r skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP425\A0184368.exe/data.rar/rs32.exe Infected: not-a-virus:NetTool.Win32.Calc-DNet.r skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP425\A0184368.exe/data.rar Infected: not-a-virus:NetTool.Win32.Calc-DNet.r skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP425\A0184368.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP425\A0184369.exe Infected: not-a-virus:NetTool.Win32.Calc-DNet.r skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP438\A0204644.exe Infected: not-a-virus:Monitor.Win32.KeyLogger.w skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP438\A0204645.exe/script.au3 Infected: Trojan.Win32.Autoit.ac skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP438\A0204645.exe AutoIt: infected - 1 skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP438\A0204645.exe NSPack: infected - 1 skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP438\A0204646.exe Infected: Trojan-Clicker.Win32.Costrat.at skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP438\A0204647.exe Infected: Trojan-Clicker.Win32.Agent.is skipped
C:\System Volume Information\_restore{4135F169-DF80-45DD-A185-3223B4010116}\RP439\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system\rs.exe/data.rar/rs32.exe Infected: not-a-virus:NetTool.Win32.Calc-DNet.r skipped
C:\WINDOWS\system\rs.exe/data.rar Infected: not-a-virus:NetTool.Win32.Calc-DNet.r skipped
C:\WINDOWS\system\rs.exe RarSFX: infected - 2 skipped
C:\WINDOWS\system\rs32.exe.tp Infected: not-a-virus:NetTool.Win32.Calc-DNet.r skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\kbhookdll.dll Infected: not-a-virus:Monitor.Win32.KeyLogger.w skipped
C:\WINDOWS\system32\rs.exe/data.rar/rs32.exe Infected: not-a-virus:NetTool.Win32.Calc-DNet.r skipped
C:\WINDOWS\system32\rs.exe/data.rar Infected: not-a-virus:NetTool.Win32.Calc-DNet.r skipped
C:\WINDOWS\system32\rs.exe RarSFX: infected - 2 skipped
C:\WINDOWS\system32\rs32.exe.tp Infected: not-a-virus:NetTool.Win32.Calc-DNet.r skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_378.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
******************************************************************************************************

Logfile of HijackThis v1.99.1
Scan saved at 7:53:56 PM, on 6/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Bluetack\ProtoWall\ProtoWall.exe
C:\Program Files\BandwidthMonitor\BWMonitor.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: IE7pro BHO - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7pro\IE7pro.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Flashget] C:\PROGRA~1\FlashGet\Flashget.exe /min
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKCU\..\Run: [ProtoWall] "C:\Program Files\Bluetack\ProtoWall\ProtoWall.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [BandwidthMonitor] C:\Program Files\BandwidthMonitor\BWMonitor.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe /SYS
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Open Selected URL - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\openselectedurl.htm
O8 - Extra context menu item: Search &Google - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\google.htm
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra 'Tools' menuitem: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162873201218
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4ADA8CDD-664C-4790-8AD2-21B7B89256B6}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: PFW - C:\WINDOWS\SYSTEM32\UmxWnp.Dll
O20 - Winlogon Notify: RegCompact - C:\WINDOWS\SYSTEM32\RegCompact.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RichVideo - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe

#6 random/random

random/random

  • Malware Response Team

Posted 11 June 2007 - 08:51 AM

Your Kaspersky log shows evidence of illegally copied/pirated software present on your hard drive.

I highly recommend that you uninstall any such programs, and delete the installers. Not only are such programs illegal, but a lot of them will come bundled with malware.

If you need freeware replacements, then take a look here:

http://www.bleepingcomputer.com/forums/topic3616.html

These are the files that are definitely infected, and you should definitely delete them:

C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\Top Programs All in one\WEEKLY SOUL'S SEVEN TOOLS - Week No. 8\SOUL8.rar
C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\Top Programs All in one\WEEKLY SOUL'S SEVEN TOOLS - Week No. 8\WEEKLY SOUL'S SEVEN TOOLS.exe
C:\Documents and Settings\Larry\Desktop\4-27-07 software reinstall\FlashGet 1.81 1002\FlashGet.1.81.BY.SOFT-BEST.NET.rar
C:\Documents and Settings\Larry\Desktop\new programs hold\Advanced Archive Password Recover\New Folder\Advanced_Archive_Password_Recovery_3.01.7.rar
C:\Documents and Settings\Larry\Desktop\new programs hold\Advanced Archive Password Recover\New Folder\crack.exe
C:\Documents and Settings\Larry\Desktop\new programs hold\Advanced Archive Password Recover\New Folder\New Folder\crack.exe
C:\Documents and Settings\Larry\Desktop\new programs hold\Advanced Archive Password Recover\New Folder\New Folder\ELCOMSOFT_Advanced_Archive_Password_Recovery_3.01_Build_7.rar
C:\Documents and Settings\Larry\Desktop\new programs hold\Advanced Archive Password Recover\New Folder\New Folder\patch.VVVVvvexe
C:\Documents and Settings\Larry\Desktop\new programs hold\Advanced Archive Password Recover\New Folder\patch.VVVVvvexe
C:\Documents and Settings\Larry\Desktop\new programs hold\Winrar 3.70 beta 6\Patch that works for all versions\2004.02.21_WinRAR_3.x_UNIVERSAL_PATCH.PATCH_MP2K.zip
C:\Documents and Settings\Larry\Desktop\program temp hold\RapidUp ver. 1.3 Final 1,2 Mb\RapidUp_V1.3_Final.1-9-2006\Extra tools\RapidSearch Beta v0.2\RapidSearch.exe
C:\Documents and Settings\Larry\Desktop\program temp hold\RapidUp ver. 1.3 Final 1,2 Mb\RapidUp_V1.3_Final.1-9-2006.rar RAR
C:\Documents and Settings\Larry\Desktop\URL's Updated\RAPIDSHARE Search\RapidSearch.exe

And these folders:

C:\Documents and Settings\Larry\Desktop\123456files for reformat 11-1-06\NOD32 Antivirus System 2.70.16\
C:\Documents and Settings\Larry\Desktop\new programs hold\I Hate Keyloggers Version 1.0 + SERIAL\

Download ATF Cleaner by Attribune
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Main at the top and choose Select All from the list.
  • Click the Empty Selected button.
If you use Firefox browser:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Then please upload this file:

C:\WINDOWS\system\rs.exe

To either Jotti or VirusTotal.

Repeat for these files:

C:\WINDOWS\system\rs32.exe.tp
C:\WINDOWS\system32\kbhookdll.dll

Post back with the Jotti/VirusTotal results and a new HijackThis log.

#7 lemco

lemco
  • Topic Starter

Posted 11 June 2007 - 01:53 PM

"LOG FILES"

************************
File: rs.exe
Status: INFECTED/MALWARE
MD5 7c63c49590064d10a39ecf52e0977dbb
Packers detected: UPX, ASPACK

Scanner results
Scan taken on 11 Jun 2007 18:09:17 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Program.DNetClient
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found not-a-virus:NetTool.Win32.Calc-DNet.r (6, 2, 612)
Fortinet Found nothing
Kaspersky Anti-Virus Found not-a-virus:NetTool.Win32.Calc-DNet.r
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
******************************************************************************
File: rs32.exe.tp
Status: INFECTED/MALWARE
MD5 e5f1fd32ea266d70cd5b5424d464b414
Packers detected: ASPACK

Scanner results
Scan taken on 11 Jun 2007 18:33:39 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Program.DNetClient
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found not-a-virus:NetTool.Win32.Calc-DNet.r (6, 2, 612)
Fortinet Found nothing
Kaspersky Anti-Virus Found not-a-virus:NetTool.Win32.Calc-DNet.r
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
*********************************************************
Logfile of HijackThis v1.99.1
Scan saved at 12:43:07 PM, on 6/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\FlashGet\Flashget.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Bluetack\ProtoWall\ProtoWall.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\BandwidthMonitor\BWMonitor.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\XYplorer\XYplorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: IE7pro BHO - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7pro\IE7pro.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Flashget] C:\PROGRA~1\FlashGet\Flashget.exe /min
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKCU\..\Run: [ProtoWall] "C:\Program Files\Bluetack\ProtoWall\ProtoWall.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [BandwidthMonitor] C:\Program Files\BandwidthMonitor\BWMonitor.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe /SYS
O4 - HKCU\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Open Selected URL - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\openselectedurl.htm
O8 - Extra context menu item: Search &Google - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\google.htm
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra 'Tools' menuitem: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162873201218
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4ADA8CDD-664C-4790-8AD2-21B7B89256B6}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: PFW - C:\WINDOWS\SYSTEM32\UmxWnp.Dll
O20 - Winlogon Notify: RegCompact - C:\WINDOWS\SYSTEM32\RegCompact.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVP - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RichVideo - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe

#8 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male

Posted 11 June 2007 - 04:25 PM

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#9 lemco

lemco
  • Topic Starter

  • Members
  • 20 posts
  • Gender:Male

Posted 11 June 2007 - 10:35 PM

Here is a HijackThis log file. I installed SuperAntiSpyware Pro as instructed and let it clean up a few things; I lost the log file because the computer crashed. I got it back after doing several things, removed SuperAntiSpyware Pro from the computer, and got it to where it will boot, but it is damn slow now. I may have to do a system restore.

Logfile of HijackThis v1.99.1
Scan saved at 9:19:15 PM, on 6/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: IE7pro BHO - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7pro\IE7pro.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ProtoWall] "C:\Program Files\Bluetack\ProtoWall\ProtoWall.exe"
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe /SYS
O4 - HKCU\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Open Selected URL - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\openselectedurl.htm
O8 - Extra context menu item: Search &Google - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\google.htm
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra 'Tools' menuitem: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162873201218
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4ADA8CDD-664C-4790-8AD2-21B7B89256B6}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: PFW - C:\WINDOWS\SYSTEM32\UmxWnp.Dll
O20 - Winlogon Notify: RegCompact - C:\WINDOWS\SYSTEM32\RegCompact.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVP - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RichVideo - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe

#10 random/random

random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male

Posted 12 June 2007 - 06:37 AM

Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines (if still present)

O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -

Then close all windows except HijackThis and click Fix Checked

Download ATF Cleaner by Attribune
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Main at the top and choose Select All from the list.
  • Click the Empty Selected button.
If you use Firefox browser:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
  • Download WinPFind by OldTimer here
  • Double click on winpfind.exe to extract it
  • Click extract
  • Wait for the message "All files have been extracted" and then click OK
  • This will create the folder winPFind on your desktop
  • Inside that folder is a file called WinPFind.exe
  • Double click on that file to launch WinPFind
  • This will launch a configuration screen
    • Under Driver Services change the selection to Non-Microsoft
    • Under File Created Within change the selection to 60 days
    • Leave the other settings as they are
  • Click Run Scan
  • During the scan WinPFind may appear to be not responding; this is normal
  • Wait for the scan to finish; this may take several minutes
  • A notepad window will open with WinPFind's log.
  • Copy and paste the contents of that window here.
  • Note: You may need several posts to post the entire log, or it might get cut off
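As an added example (not code from this thread or from the HijackThis project), a small Python triage pass over lines shaped like the logs posted above: it parses the `Onn - ` entries, flags the nameless O16 DPF line the helper asked to have fixed, and flags `(file missing)` targets with the caveat that HijackThis v1.99.1 misreports quoted service paths that carry arguments, as the AVP service entry in these logs shows while avp.exe is plainly running. The sample lines are constructed from entries on this page; the section names and rule names are the example's own.

```python
import re
from typing import Dict, List

# Constructed excerpt modelled on the HijackThis v1.99.1 entries quoted in this
# thread; it is not the full log. Process-list lines are included to show they
# are skipped, and the nameless O16 line is the one the helper asked to fix.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O16 - DPF: {BDEE1959-AB6B-4745-A29B-F492861102CC} -
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: AVP - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
"""

# A HijackThis entry starts with its section code (R1, F2, O4, O16, O23, ...)
# followed by " - "; the process list, headers and blank lines do not match.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")


def parse_entries(log_text: str) -> List[Dict]:
    """Split a HijackThis log into entries: section code, ' - ' separated fields, raw line."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        # Fields are separated by " - "; a trailing bare " -" (as on the orphaned
        # O16 line) yields an empty last field, which is the signal we want to keep.
        fields = [f.strip() for f in re.split(r" - |\s+-$", body)]
        entries.append({"section": m.group("section"), "fields": fields, "raw": line})
    return entries


def triage(entries: List[Dict]) -> List[Dict]:
    """Apply two simple review rules drawn from this thread and return the hits in log order."""
    findings = []
    for e in entries:
        target = e["fields"][-1]  # last field is the path or URL the entry points at
        if e["section"] == "O16" and not target:
            findings.append({
                "kind": "orphan-o16",
                "line": e["raw"],
                "note": "Download Program Files (ActiveX) registration with no name and no "
                        "source URL: a leftover entry, the kind the helper has HijackThis fix.",
            })
        if target.endswith("(file missing)"):
            findings.append({
                "kind": "file-missing",
                "line": e["raw"],
                "note": "HijackThis could not resolve the file. Verify before acting: v1.99.1 "
                        "reports this for quoted service paths followed by arguments, and the "
                        "AVP service here is that false positive (avp.exe is in the process list).",
            })
    return findings


def triage_log(log_text: str) -> List[Dict]:
    """Convenience wrapper: parse then triage."""
    return triage(parse_entries(log_text))


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['line']}\n    {f['note']}")
```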


#11 lemco

lemco
  • Topic Starter

  • Members
  • 20 posts
  • Gender:Male

Posted 14 June 2007 - 08:03 PM

Logfile of HijackThis v1.99.1
Scan saved at 7:02:26 PM, on 6/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Bluetack\ProtoWall\ProtoWall.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: IE7pro BHO - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7pro\IE7pro.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ProtoWall] "C:\Program Files\Bluetack\ProtoWall\ProtoWall.exe"
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe /SYS
O4 - HKCU\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Open Selected URL - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\openselectedurl.htm
O8 - Extra context menu item: Search &Google - C:\Program Files\RightClickGoogleSearchOpenSelectedURL\google.htm
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra 'Tools' menuitem: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1162873201218
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4ADA8CDD-664C-4790-8AD2-21B7B89256B6}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: PFW - C:\WINDOWS\SYSTEM32\UmxWnp.Dll
O20 - Winlogon Notify: RegCompact - C:\WINDOWS\SYSTEM32\RegCompact.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVP - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RichVideo - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe

Cannot run this program, winpfind.exe; I get this error:


[screenshot of the error, posted as an image]

#12 random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male

Posted 15 June 2007 - 01:36 PM

  • Download Silent Runners by Andrew Aronoff from here
  • Unzip/extract it to a folder on your desktop
  • Double click on Silent Runners.vbs to start Silent Runners
  • If your antivirus warns you about a script, allow it to run; this script does not contain malicious code
  • You will be asked if you want to skip the supplementary search, click Yes
  • Wait for Silent Runners to inform you that it has finished
  • A log will be created in the same folder as Silent Runners.vbs
  • It will be named Startup Programs (yourusername) date-time.txt
  • Use Notepad to open that file
  • Copy and paste the contents as a reply to this topic


#13 lemco

  • Topic Starter
  • Members
  • 20 posts
  • Gender:Male

Posted 15 June 2007 - 02:06 PM

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Creative MediaSource Go" = "C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe /SYS" ["Creative Technology Ltd"]
"Ad Muncher" = "C:\Program Files\Ad Muncher\AdMunch.exe /bt" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"AVP" = ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"" ["Kaspersky Lab"]
"SmcService" = ""C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui" ["Sygate Technologies, Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{44BBA851-CC51-11CF-AAFA-00AA00B6015C}\(Default) = "Microsoft Web Publishing Wizard 1.52"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wpie4x86.inf,PerUserRemove" [MS]
{8b15971b-5355-4c82-8c07-7e181ea07608}\(Default) = "Fax"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser" [MS]
{94de52c8-2d59-4f1b-883e-79663d2d9a8c}\(Default) = "Fax Provider"
\StubPath = "rundll32.exe C:\WINDOWS\System32\Setup\FxsOcm.dll,XP_UninstallProvider" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{00011268-E188-40DF-A514-835FCD78B1BF}\(Default) = (no title provided)
-> {HKLM...CLSID} = "IE7pro BHO"
\InProcServer32\(Default) = "C:\Program Files\IE7pro\IE7pro.dll" ["IE7pro.com"]
{00C6482D-C502-44C8-8409-FCE54AD9C208}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SnagIt Toolbar Loader"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll" ["TechSmith Corporation"]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\(Default) = "flashget urlcatch"
-> {HKLM...CLSID} = "Flashget Catch Url Class"
\InProcServer32\(Default) = "C:\Program Files\FlashGet\jccatch.dll" ["www.flashget.com"]
{724d43a9-0d85-11d4-9908-00400523e39a}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Siber Systems\AI RoboForm\roboform.dll" ["Siber Systems"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll" ["Sun Microsystems, Inc."]
{E5A1691B-D188-4419-AD02-90002030B8EE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "FlashFXP Helper for Internet Explorer"
\InProcServer32\(Default) = "C:\PROGRA~1\FlashFXP\IEFlash.dll" ["IniCom Networks, Inc."]
{F156768E-81EF-470C-9057-481BA8380DBA}\(Default) = (no title provided)
-> {HKLM...CLSID} = "FlashGet GetFlash Class"
\InProcServer32\(Default) = "C:\Program Files\FlashGet\getflash.dll" ["www.flashget.com"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}" = "TrojanHunter Menu Shell Extension"
-> {HKLM...CLSID} = "TrojanHunter Menu Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.6\contmenu.dll" [null data]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRar\rarext.dll" [null data]
"{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" = "SnagIt"
-> {HKCU...CLSID} = "SnagIt"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll" ["TechSmith Corporation"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Web Anti-Virus statistics"
-> {HKLM...CLSID} = "Web Anti-Virus statistics"
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll" ["Kaspersky Lab"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MI1933~1\Office12\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MI1933~1\Office12\MLSHEXT.DLL" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"0aMCPClient" = "{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"
-> {HKLM...CLSID} = "MCPShellInstantiator Class"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\stardock\MCPCore.dll" ["Stardock"]
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "UmxSbxExw.dll" ["CA"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]
<<!>> PFW\DLLName = "UmxWnp.Dll" ["CA"]
<<!>> RegCompact\DLLName = "RegCompact.dll" ["AMUST Software"]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
CopyMoveTo\(Default) = "{51131DA7-1D24-40e5-AE07-5E3750F5DE3C}"
-> {HKLM...CLSID} = "ContextMenuExt Extension"
\InProcServer32\(Default) = "C:\WINDOWS\ContextMenuExt.dll" [null data]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\ShellEx.dll" ["Kaspersky Lab"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {HKLM...CLSID} = "TrojanHunter Menu Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.6\contmenu.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRar\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
CopyMoveTo\(Default) = "{51131DA7-1D24-40e5-AE07-5E3750F5DE3C}"
-> {HKLM...CLSID} = "ContextMenuExt Extension"
\InProcServer32\(Default) = "C:\WINDOWS\ContextMenuExt.dll" [null data]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {HKLM...CLSID} = "TrojanHunter Menu Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.6\contmenu.dll" [null data]
UltraISO\(Default) = "{AD392E40-428C-459F-961E-9B147782D099}"
-> {HKLM...CLSID} = "UIContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\UltraISO\isoshell.dll" ["EZB Systems, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRar\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
CopyMoveTo\(Default) = "{51131DA7-1D24-40e5-AE07-5E3750F5DE3C}"
-> {HKLM...CLSID} = "ContextMenuExt Extension"
\InProcServer32\(Default) = "C:\WINDOWS\ContextMenuExt.dll" [null data]
East-TecEraser\(Default) = "{E0BD38EB-C8EC-11D2-B274-B493B003B125}"
-> {HKLM...CLSID} = "East-Tec Eraser Context Menu Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\EAST-T~1\ETCONT~1.DLL" [null data]
IconLayout\(Default) = "{19F500E0-9964-11cf-B63D-08002B317C03}"
-> {HKLM...CLSID} = "Desktop Icon Layout"
\InProcServer32\(Default) = "Layout.dll" ["Microsoft"]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\ShellEx.dll" ["Kaspersky Lab"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {HKLM...CLSID} = "TrojanHunter Menu Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.6\contmenu.dll" [null data]
UltraISO\(Default) = "{AD392E40-428C-459F-961E-9B147782D099}"
-> {HKLM...CLSID} = "UIContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\UltraISO\isoshell.dll" ["EZB Systems, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRar\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoRecentDocsMenu" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoLowDiskSpaceChecks" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoChangeKeyboardNavigationIndicators" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoSMBalloonTip" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoDesktopCleanupWizard" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoRemoteRecursiveEvents" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"ClassicShell" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoCDBurning" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"NoInternetOpenWith" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) hex:0x00000001
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Larry\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Scheduled Tasks:
------------------------

"User_Feed_Synchronization-{675C24DC-6969-49A8-B0F9-F618E507DAAC}" -> launches: "C:\WINDOWS\system32\msfeedssync.exe sync" [MS]
"XoftSpySE 2" -> launches: "C:\Program Files\XoftSpySE\XoftSpy.exe ShowReminders" ["ParetoLogic"]
"XoftSpySE" -> launches: "C:\Program Files\XoftSpySE\XoftSpy.exe -t" ["ParetoLogic"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 22
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{724D43A0-0D85-11D4-9908-00400523E39A}"
-> {HKLM...CLSID} = "&RoboForm"
\InProcServer32\(Default) = "C:\Program Files\Siber Systems\AI RoboForm\roboform.dll" ["Siber Systems"]
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" = (no title provided)
-> {HKCU...CLSID} = "SnagIt"
\InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll" ["TechSmith Corporation"]
"{724D43A0-0D85-11D4-9908-00400523E39A}" = (no title provided)
-> {HKLM...CLSID} = "&RoboForm"
\InProcServer32\(Default) = "C:\Program Files\Siber Systems\AI RoboForm\roboform.dll" ["Siber Systems"]
"{6932D140-ABC4-4073-A44C-D4A541665E35}" = "ImageShack Toolbar"
-> {HKLM...CLSID} = "ImageShack Toolbar"
\InProcServer32\(Default) = "C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll" ["ImageShack Corp."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Web Anti-Virus statistics"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll" ["Kaspersky Lab"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{0026439F-A980-4F18-8C95-4F1CBBF9C1D8}\
"ButtonText" = "IE7pro Preferences"
"MenuText" = "IE7pro Preferences"
"CLSIDExtension" = "{B119EB0C-C021-46CF-85B0-34A760E0D5FE}"
-> {HKLM...CLSID} = "IE7pro ToolsExt"
\InProcServer32\(Default) = "C:\Program Files\IE7pro\IE7pro.dll" ["IE7pro.com"]

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.5.0_04"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_04"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]

{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\
"ButtonText" = "Web Anti-Virus statistics"

{320AF880-6646-11D3-ABEE-C5DBF3571F46}\
"ButtonText" = "Fill Forms"
"MenuText" = "Fill Forms"
"Script" = "file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html" [file not found]

{320AF880-6646-11D3-ABEE-C5DBF3571F49}\
"ButtonText" = "Save"
"MenuText" = "Save Forms"
"Script" = "file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html" [file not found]

{724D43AA-0D85-11D4-9908-00400523E39A}\
"ButtonText" = "RoboForm"
"MenuText" = "RoboForm Toolbar"
"Script" = "file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html" [file not found]

{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\
"ButtonText" = "FlashGet"
"MenuText" = "FlashGet"
"Exec" = "C:\PROGRA~1\FlashGet\flashget.exe" ["FlashGet.com"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ad-Aware 2007 Service, aawservice, ""C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"" ["Lavasoft AB"]
AVP, AVP, ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r" ["Kaspersky Lab"]
Diskeeper, Diskeeper, ""C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe"" ["Diskeeper Corporation"]
HIPS Configuration Interpreter, UmxCfg, ""C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe"" ["CA"]
HIPS Event Manager, UmxAgent, ""C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe"" ["CA"]
HIPS Firewall Helper, UmxFwHlp, ""C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe"" ["CA"]
HIPS Policy Manager, UmxPol, ""C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe"" ["CA"]
IAA Event Monitor, IAANTMon, "C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe" ["Intel"]
LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]
StarWind AE Service, StarWindServiceAE, "C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe" ["Rocket Division Software"]
Sygate Personal Firewall Pro, SmcService, "C:\Program Files\Sygate\SPF\smc.exe" ["Sygate Technologies, Inc."]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\system32\MsPMSPSv.exe" [MS]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 131 seconds, including 13 seconds for message boxes)
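
A small triage helper for the two log formats pasted in this thread, added here as an example; it is not part of the thread, of HijackThis or of Silent Runners. It pulls out what a responder reads first: Silent Runners lines marked `<<!>>` (non-default data at a launch point such as AppInit_DLLs or Winlogon\Notify), entries tagged `[file not found]`, and HijackThis O23 services whose binary is `(file missing)` or whose version info names no publisher. The sample lines are constructed from entries shown in the logs above.

```python
"""Triage helper for HijackThis and Silent Runners log lines.

Added example, not part of the thread or of either tool. Flags:
  * HijackThis O23 service lines with '(file missing)' or 'Unknown owner'
  * Silent Runners lines marked '<<!>>' (non-default data at a launch point)
  * Silent Runners entries tagged '[file not found]'
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on entries from the thread's logs, not a full log.
SAMPLE_LOG = r"""
O23 - Service: AVP - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
<<!>> "AppInit_DLLs" = "UmxSbxExw.dll" ["CA"]
<<!>> klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]
"Ad Muncher" = "C:\Program Files\Ad Muncher\AdMunch.exe /bt" [null data]
"Script" = "file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html" [file not found]
"""

HJT_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
SR_FLAG = re.compile(r'^<<!>>\s*(?P<key>.+?)\s*=\s*"(?P<value>[^"]*)"(?:\s*\[(?P<pub>[^\]]*)\])?')
SR_NOTFOUND = re.compile(r'^"(?P<key>[^"]+)"\s*=\s*"(?P<value>[^"]*)"\s*\[file not found\]')


@dataclass
class Finding:
    source: str   # "hijackthis" or "silentrunners"
    item: str     # service name or registry value that was flagged
    path: str     # executable, DLL or script the entry launches
    reason: str   # why a responder should look at it


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a line worth a closer look, else None."""
    line = line.rstrip()
    m = HJT_O23.match(line)
    if m:
        reasons = []
        if "(file missing)" in m["path"]:
            reasons.append("service binary missing (orphaned registration)")
        if m["owner"] == "Unknown owner":
            reasons.append("no publisher in version info")
        if not reasons:
            return None
        return Finding("hijackthis", m["name"],
                       m["path"].replace(" (file missing)", ""), "; ".join(reasons))
    m = SR_FLAG.match(line)
    if m:
        # Silent Runners prints the company name from version info in [brackets].
        pub = (m["pub"] or "").strip('"') or "not shown"
        return Finding("silentrunners", m["key"].strip('"'), m["value"],
                       f"non-default data at a malware launch point (publisher: {pub})")
    m = SR_NOTFOUND.match(line)
    if m:
        return Finding("silentrunners", m["key"], m["value"],
                       "launch point references a file that does not exist")
    return None


def triage(log_text: str) -> list:
    """Run triage_line over every line of a pasted log, keeping only findings."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.source}] {f.item}: {f.reason}\n    {f.path}")
```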

#14 random/random

  • Malware Response Team
  • 2,704 posts
  • Gender:Male

Posted 16 June 2007 - 04:34 AM

How's it running now?

#15 lemco

  • Topic Starter
  • Members
  • 20 posts
  • Gender:Male

Posted 16 June 2007 - 12:59 PM

How's it running now?


It is running well, except it takes forever to boot up. Anything I can do for that? It used to boot up fast.
Thanks for your help.



