
[IN PROGRESS] Potential Malware!! Hijack This Log enclosed.
grsamf

1st Responder
Site Moderator

Joined: Oct 08, 2006
Posts: 1275


PostPosted: Thu Jul 03, 2008 6:12 pm    Post subject:

Reopened by request of OP. Please post a new HJT log.


_________________
How to be wise in two easy steps: 1) Think of something really stupid to say. 2) Don't say it.

The better I get to know my fellow lawyers, the more I love my dog.
harleqin

Private


Joined: Nov 14, 2004
Posts: 42
Location: USA

PostPosted: Fri Jul 04, 2008 1:23 am    Post subject:

Hey there,

The logs I sent you are all recent ones.

Here they are again:

Rapport.txt

SmitFraudFix v2.328

Scan done at 22:44:19.20, Thu 03/07/2008
Run from C:\Documents and Settings\Harleqin\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ScsiAccess.EXE
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Grisoft\AVG7\avgvv.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Harleqin


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Harleqin\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Harleqin\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/Wireless 2200BG Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 10.1.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{5CCCC5E7-0AEF-478B-8861-DB3F4B6D040E}: DhcpNameServer=10.1.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{5CCCC5E7-0AEF-478B-8861-DB3F4B6D040E}: DhcpNameServer=10.1.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{5CCCC5E7-0AEF-478B-8861-DB3F4B6D040E}: DhcpNameServer=10.1.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.1.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.1.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=10.1.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


Here's the uninstall list

7-Zip 4.57
ABBYY FineReader 6.0 Sprint
ACDSee 7.0 PowerPack
Ad-Aware 2007
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.2
aspi
AVG 7.5
Camera Plus
CCHelp
CCleaner (remove only)
CCScore
Cisco Systems VPN Client 5.0.02.0090
Concise Oxford Dictionary (Tenth Edition)
Conexant AC-Link Audio
DivX
DivX Player
DVD Decrypter (Remove Only)
DVD Shrink 3.2
Easy Video Joiner 5.21
Easy Video Splitter 1.28
Empty Temp Folders 2.8.3
ESET Online Scanner
ESSAdpt
ESSANUP
ESSBrwr
ESSCAM
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSstore
ESSTUTOR
ESSvpaht
ESSvpot
FIFA 07
FMS
Google Earth
Google Toolbar for Internet Explorer
HijackThis 2.0.2
iFinger
Intel(R) Extreme Graphics 2 Driver
iTunes
J2SE Runtime Environment 5.0 Update 6
Kodak EasyShare software
KSU
Lexmark 5400 Series
LimeWire 4.16.7
Messenger Plus! Live
Microsoft AntiSpyware
Microsoft Office Professional Edition 2003
Microsoft® Winter Fun Pack 2004 for Windows® XP
Mozilla Firefox (2.0.0.15)
Musicmatch® Jukebox
Nokia Connectivity Cable Driver
Nokia PC Suite
Notifier
OTtBP
PCDLNCH
Photo DVD 2.0 SE
Power Tab Editor 1.7
PowerArchiver 2004 v9.20
PowerDVD
QuickTime
RealPlayer
RelevantKnowledge
RogueRemover 1.14
SFR
SFR2
Shareaza version 2.2.1.0
Siemens Subscriber Networks SpeedStream DSL
Skype™ 3.8
SoftV92 Data Fax Modem with SmartCP
Spybot - Search & Destroy 1.4
Spyware Terminator
SpywareBlaster v3.5.1
StuffPlug-NG (Messenger Plus! Plugins)
SUPERAntiSpyware Free Edition
V-Gear BEE
V-Gear TalkCam Pro
VideoLAN VLC media player 0.8.5
Winamp (remove only)
WinAVIVideoConverter
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format Runtime
Windows Media Player 10 Beta
WinRAR archiver
Yahoo! Install Manager

and lastly the HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:03:42, on 3/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ScsiAccess.EXE
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Grisoft\AVG7\avgvv.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Harleqin\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.hotmail.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.optusnet.com.au/dsl/favorites/homepage
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com.my/0SEENMY/SAOS01
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Video On-line - {741403DD-46A4-4D58-8FA7-427335C3BBF6} - C:\WINDOWS\system32\PowerVideo.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WebSafe] "C:\Documents and Settings\Harleqin\Application Data\Microsoft\Web\WebSafe.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: DriveGuard.lnk = C:\Program Files\WinDriveGuard\DriveGuard.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://desktop.optusnet.com.au/dsl/favorites/homepage
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.0.97.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-MY/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 9422 bytes


In addition, my home page has been hijacked several times lately, so that's why I think I cannot let this go on any longer, because my Internet security may be compromised.

For no reason, and even after I have installed some anti-spyware programmes, my homepage changes to this:

http://googlseek.quotaless.com/

and a few variations of that I think... googlpages or something along those lines. I lost the latest hijack attempt address because I saved over the .txt file.

Lastly, my computer has been attacked with viruses about 4 times since the 27th of June... which isn't too long ago...

The files I moved to the AVG vault are:

27/6 --> KSU.cab (Trojan Horse SHeur.BSLA)
27/6 --> LiteInst.exe (Trojan Horse SHeur.BSLA)
28/6 --> A0010082.exe (Trojan Horse SHeur.BSLA)
2/7 --> DriveProtect.exe (Virus Identified Worm/Autoit.BQM)

Anyway, I do remember earlier this year, maybe a few weeks or months ago, I borrowed an external hard disk from my friend and plugged it in, and AVG found a virus straight away. Yesterday, I did so with my camera, which was plugged in, and it found a virus in the path of my camera directory. It was connected via cable. Has this virus, which originated from an external source, i.e. an external hard disk, been lurking throughout my system without me noticing? Is that even possible?

Btw, I also ran a search for the item KSU and it's a Kodak Software Updater... is that a virus? :S

Thank You

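As an added example, not part of this thread or of HijackThis itself, here is a small Python triage pass over entry lines in the HijackThis 2.0.2 format shown in the log above. The sample lines are copied from the posted log; the heuristics (orphaned entries, services with no vendor, code running from the user profile, Winlogon Notify entries that name no DLL) are my own review prompts, not HijackThis's logic.

```python
import re
from typing import Dict, List, Optional

# Entry lines in a HijackThis 2.0.2 log look like "O23 - Service: ...";
# process list, header and footer lines do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

# Per-user profile root on Windows XP; "All Users" is machine-wide and excluded below.
USER_PROFILE_ROOT = "c:\\documents and settings\\"
ALL_USERS_ROOT = USER_PROFILE_ROOT + "all users\\"

# Sample input: entry lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Video On-line - {741403DD-46A4-4D58-8FA7-427335C3BBF6} - C:\WINDOWS\system32\PowerVideo.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [WebSafe] "C:\Documents and Settings\Harleqin\Application Data\Microsoft\Web\WebSafe.exe"
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
"""


def extract_path(body: str) -> Optional[str]:
    """Return the first Windows file-system path in an entry body, or None.

    Quoted paths are taken verbatim; unquoted ones run until a switch
    (" /x", " -x") or a status note such as " (file missing)".
    """
    quoted = re.search(r'"([A-Za-z]:\\[^"]*)"', body)
    if quoted:
        return quoted.group(1)
    start = re.search(r"[A-Za-z]:\\", body)
    if not start:
        return None
    tail = body[start.start():]
    # " - " inside a folder name (e.g. "Spybot - Search & Destroy") is kept:
    # only a dash directly followed by a word character counts as a switch.
    return re.split(r" \(| /| -(?=\w)", tail, maxsplit=1)[0].strip()


def service_vendor(body: str) -> str:
    """O23 bodies read 'Service: Name (short) - Vendor - Path'; return Vendor."""
    parts = body.split(" - ")
    return parts[1].strip() if len(parts) >= 3 else ""


def parse_entries(log_text: str) -> List[Dict[str, str]]:
    """Split a log into entries with section, raw body and extracted path."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            body = match.group("body")
            entries.append({"section": match.group("section"), "body": body,
                            "path": extract_path(body) or ""})
    return entries


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return the entries a helper would look at first, each with a reason.

    These are review prompts, not verdicts: a legitimate entry (for example
    one left behind by a removal tool) can trip any of them.
    """
    findings = []
    for entry in parse_entries(log_text):
        section, body, path = entry["section"], entry["body"], entry["path"]
        lower = path.lower()
        reasons = []
        if "(file missing)" in body or "(no file)" in body:
            reasons.append("orphaned entry: registry points at a file that is not on disk")
        if section == "O23" and service_vendor(body) in ("", "Unknown owner"):
            reasons.append("service with no identified vendor")
        if lower.startswith(USER_PROFILE_ROOT) and not lower.startswith(ALL_USERS_ROOT):
            reasons.append("entry that runs code from a user profile directory")
        if section == "O20" and not lower.endswith(".dll"):
            reasons.append("Winlogon Notify entry that does not name a DLL")
        for reason in reasons:
            findings.append({"section": section, "item": path or body, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding['section']:<4} {finding['reason']}\n     {finding['item']}")
```

Run against the sample, the pass flags six of the ten lines and leaves the Adobe, Intel graphics, SUPERAntiSpyware and Ad-Aware entries alone; each flagged line still needs a human to check the publisher before anything is fixed.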
grsamf

1st Responder
Site Moderator

Joined: Oct 08, 2006
Posts: 1275


PostPosted: Fri Jul 04, 2008 3:03 pm    Post subject:

Because it has been over 6 months, I need to get a better picture of the current state of your computer. Some viruses and other malware can indeed lurk for months before doing anything. The KSU is Eastman Kodak software and probably related to your camera. Some of the virus alerts, including those associated with the camera, may be false positives with your antivirus.

If you still have ComboFix on your desktop from before, please delete it. The program has changed considerably since we last used it.

Please download Combofix from one of the following links and save it to your desktop:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.com
http://sUBs.geekstogo.com/ComboFix.exe

* Double-click on combo.exe & follow the prompts.
* When finished, it will produce a logfile located at C:\ComboFix.txt.
* Post the contents of that log in your next reply with a new HijackThis log.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to stall/hang.

Please download Malwarebytes Anti-Malware and save it to your desktop (alternate download link 1, alternate download link 2).


  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Post the ComboFix log, the MBAM log, and a new HJT log in your reply.


harleqin

Private


Joined: Nov 14, 2004
Posts: 42
Location: USA

PostPosted: Sat Jul 05, 2008 12:15 pm    Post subject:

Hey there. The following are the logs. In addition to the files that I have already named in the previous post, my anti-virus detected a Worm/Generic.IMG on my desktop and deleted it.

This "Virus", according to the anti-virus, was on my desktop and it was an .exe file. It has been deleted, but I have reason to believe that whatever is still lurking in my system is messing up/creating files that are viruses based on legitimate names. I say this because that file name is an Internet client programme that I downloaded to connect to my University's wireless Internet connection. This is troubling because I can't understand how legitimate, non-Internet-accessing drives like my camera can contain a virus. Mind shedding some light on this?

Anyway, just to recap, a few of my concerns include being hijacked at the homepage to googlpages (address along those lines) and the drives that I plug into my computer getting infected for no logical reason (e.g. cameras); a possible explanation is that I first saw something of the sort on my computer when I plugged in a friend's external hard disk. Could that have been the culprit?

Here are the logs.

Thank You!

ComboFix.txt

ComboFix 08-07-03.5 - Harleqin 2008-07-05 19:09:17.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.330 [GMT 8:00]
Running from: C:\Documents and Settings\Harleqin\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.
((((((((((((((((((((((((( Files Created from 2008-06-05 to 2008-07-05 )))))))))))))))))))))))))))))))
.

2008-07-03 22:44 . 2008-07-03 22:44 3,914 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-03 22:43 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-07-03 22:43 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-07-03 22:43 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-07-03 22:43 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-07-03 22:43 . 2008-07-02 13:33 82,432 --a------ C:\WINDOWS\system32\IEDFix.C.exe
2008-07-03 22:43 . 2008-05-23 18:21 81,920 --a------ C:\WINDOWS\system32\404Fix.exe
2008-07-03 22:43 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-07-03 22:43 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-03 22:43 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-03 22:34 . 2008-07-03 22:34 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-03 22:34 . 2008-07-03 22:34 <DIR> d-------- C:\Documents and Settings\Harleqin\Application Data\SUPERAntiSpyware.com
2008-07-03 22:34 . 2008-07-03 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-23 23:03 . 2008-07-03 23:11 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-06-23 23:03 . 2008-07-05 19:07 <DIR> d-------- C:\Documents and Settings\Harleqin\Application Data\Spyware Terminator
2008-06-23 23:03 . 2008-07-05 04:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-06-23 23:03 . 2008-06-23 23:03 141,312 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-06-20 22:28 . 2008-07-04 10:20 <DIR> dr--s---- C:\Program Files\WinDriveGuard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-05 07:20 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-07-04 02:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-07-04 01:39 --------- d-----w C:\Documents and Settings\Harleqin\Application Data\AVG7
2008-07-03 14:33 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-03 14:01 11,062 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-07-01 00:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-06-30 03:51 --------- d-----w C:\Program Files\Lx_cats
2008-06-27 01:32 --------- d-----w C:\Documents and Settings\Harleqin\Application Data\uTorrent
2008-06-07 05:47 --------- d-----w C:\Documents and Settings\Harleqin\Application Data\Skype
2008-06-07 04:18 --------- d-----w C:\Documents and Settings\Harleqin\Application Data\skypePM
2008-05-30 07:08 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-29 17:30 --------- d-----w C:\Documents and Settings\Harleqin\Application Data\AdobeUM
2008-05-27 07:16 --------- d-----w C:\Program Files\microsing
2008-05-27 07:09 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-05-24 19:19 --------- d-----w C:\Program Files\Common Files\xing shared
2008-05-24 19:19 --------- d-----w C:\Program Files\Common Files\Real
2008-05-24 19:18 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-05-15 15:21 --------- d-----w C:\Program Files\Yahoo!
.

((((((((((((((((((((((((((((( snapshot@2007-12-05_22.48.43.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-05 07:19:18 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-10-20 12:02:28 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2000-08-31 00:00:00 89,504 ----a-w C:\WINDOWS\fdsv.exe
+ 2000-08-31 00:00:00 80,412 ----a-w C:\WINDOWS\grep.exe
+ 2008-04-07 06:50:18 6,144 ----a-r C:\WINDOWS\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED1.exe
+ 2008-05-30 07:09:43 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A81200000003}\SC_Reader.exe
+ 2008-07-03 14:34:13 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-07-03 14:34:13 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2007-06-16 16:11:58 51,200 ----a-w C:\WINDOWS\NirCmd.exe
+ 2000-08-31 00:00:00 28,672 ----a-w C:\WINDOWS\NirCmd.exe
+ 2005-12-28 04:45:05 2,722 ----a-w C:\WINDOWS\pchealth\helpctr\PackageStore\SkuStore.bin
+ 2000-08-31 00:00:00 98,816 ----a-w C:\WINDOWS\sed.exe
+ 2000-08-31 00:00:00 161,792 ----a-w C:\WINDOWS\swreg.exe
+ 2000-08-31 00:00:00 136,704 ----a-w C:\WINDOWS\swsc.exe
+ 2000-08-31 00:00:00 212,480 ----a-w C:\WINDOWS\swxcacls.exe
+ 2004-09-01 00:00:00 2,000 ----a-w C:\WINDOWS\system\KEYBOARD.DRV
+ 2004-09-01 00:00:00 73,376 ----a-w C:\WINDOWS\system\MCIAVI.DRV
+ 2004-09-01 00:00:00 25,264 ----a-w C:\WINDOWS\system\MCISEQ.DRV
+ 2004-09-01 00:00:00 28,160 ----a-w C:\WINDOWS\system\MCIWAVE.DRV
+ 2004-09-01 00:00:00 2,032 ----a-w C:\WINDOWS\system\MOUSE.DRV
+ 2004-09-01 00:00:00 1,744 ----a-w C:\WINDOWS\system\SOUND.DRV
+ 2004-09-01 00:00:00 3,360 ----a-w C:\WINDOWS\system\SYSTEM.DRV
+ 2004-09-01 00:00:00 4,048 ----a-w C:\WINDOWS\system\TIMER.DRV
+ 2004-09-01 00:00:00 2,176 ----a-w C:\WINDOWS\system\VGA.DRV
+ 2004-09-01 00:00:00 13,600 ----a-w C:\WINDOWS\system\WFWNET.DRV
+ 2004-09-01 00:00:00 146,432 ----a-w C:\WINDOWS\system\WINSPOOL.DRV
+ 2004-09-01 00:00:00 10,544 ----a-w C:\WINDOWS\system32\comm.drv
- 2006-11-10 02:46:24 193,584 ----a-w C:\WINDOWS\system32\CSGina.dll
+ 2007-10-26 06:28:04 193,312 ----a-w C:\WINDOWS\system32\CSGina.dll
+ 2004-09-01 00:00:00 1,788 ----a-w C:\WINDOWS\system32\Dcache.bin
+ 2004-08-03 15:07:58 2,944 -c--a-w C:\WINDOWS\system32\dllcache\drmkaud.sys
+ 2004-09-01 00:00:00 2,000 -c--a-w C:\WINDOWS\system32\dllcache\keyboard.drv
+ 2004-09-01 00:00:00 2,560 -c--a-w C:\WINDOWS\system32\dllcache\lz32.dll
+ 2004-09-01 00:00:00 73,376 -c--a-w C:\WINDOWS\system32\dllcache\mciavi.drv
+ 2004-09-01 00:00:00 25,264 -c--a-w C:\WINDOWS\system32\dllcache\mciseq.drv
+ 2004-09-01 00:00:00 28,160 -c--a-w C:\WINDOWS\system32\dllcache\mciwave.drv
+ 2004-09-01 00:00:00 2,032 -c--a-w C:\WINDOWS\system32\dllcache\mouse.drv
+ 2004-09-01 00:00:00 2,944 -c--a-w C:\WINDOWS\system32\dllcache\null.sys
+ 2004-09-01 00:00:00 1,744 -c--a-w C:\WINDOWS\system32\dllcache\sound.drv
+ 2004-09-01 00:00:00 3,360 -c--a-w C:\WINDOWS\system32\dllcache\system.drv
+ 2004-09-01 00:00:00 4,048 -c--a-w C:\WINDOWS\system32\dllcache\timer.drv
+ 2004-09-01 00:00:00 2,176 -c--a-w C:\WINDOWS\system32\dllcache\vga.drv
+ 2004-09-01 00:00:00 13,600 -c--a-w C:\WINDOWS\system32\dllcache\wfwnet.drv
+ 2004-09-01 00:00:00 2,864 -c--a-w C:\WINDOWS\system32\dllcache\winsock.dll
+ 2004-09-01 00:00:00 146,432 -c--a-w C:\WINDOWS\system32\dllcache\winspool.drv
+ 2004-09-01 00:00:00 2,112 -c--a-w C:\WINDOWS\system32\dllcache\winspool.exe
+ 2004-09-01 00:00:00 2,736 -c--a-w C:\WINDOWS\system32\dllcache\wowdeb.exe
- 2006-09-21 09:55:16 101,904 ----a-w C:\WINDOWS\system32\dneinobj.dll
+ 2007-01-31 05:45:08 101,904 ----a-w C:\WINDOWS\system32\dneinobj.dll
- 2007-02-25 10:47:28 3,968 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
+ 2008-02-19 08:11:04 10,760 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
- 2007-06-26 00:54:47 19,904 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2008-02-19 08:11:01 26,952 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2006-05-19 21:16:24 2,432 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
+ 2006-05-19 21:16:24 2,560 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
- 2005-05-16 20:51:34 5,315 ----a-w C:\WINDOWS\system32\drivers\CVirtA.sys
+ 2007-01-18 08:28:02 5,275 ----a-w C:\WINDOWS\system32\drivers\CVirtA.sys
- 2006-11-10 02:44:52 305,788 ----a-w C:\WINDOWS\system32\drivers\CVPNDRVA.sys
+ 2007-10-26 06:27:00 306,300 ----a-w C:\WINDOWS\system32\drivers\CVPNDRVA.sys
- 2006-09-21 09:55:16 126,864 ----a-w C:\WINDOWS\system32\drivers\dne2000.sys
+ 2007-01-31 05:45:06 127,376 ----a-w C:\WINDOWS\system32\drivers\dne2000.sys
+ 2004-08-03 15:07:58 2,944 ----a-w C:\WINDOWS\system32\drivers\drmkaud.sys
+ 2004-09-01 00:00:00 2,944 ----a-w C:\WINDOWS\system32\drivers\null.sys
+ 2004-09-01 00:00:00 2,000 ----a-w C:\WINDOWS\system32\keyboard.drv
+ 2004-09-01 00:00:00 221,600 ----a-w C:\WINDOWS\system32\lanman.drv
+ 2004-09-01 00:00:00 2,560 ----a-w C:\WINDOWS\system32\lz32.dll
- 2007-06-11 05:34:00 2,115,816 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
+ 2007-11-21 00:52:38 2,884,992 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
- 2007-06-11 05:34:00 190,696 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2007-11-21 00:52:40 218,496 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2008-02-20 04:26:01 70,264 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
+ 2004-09-01 00:00:00 73,376 ----a-w C:\WINDOWS\system32\mciavi.drv
+ 2004-09-01 00:00:00 25,264 ----a-w C:\WINDOWS\system32\mciseq.drv
+ 2004-09-01 00:00:00 28,160 ----a-w C:\WINDOWS\system32\mciwave.drv
+ 2004-09-01 00:00:00 2,032 ----a-w C:\WINDOWS\system32\mouse.drv
+ 2004-09-01 00:00:00 20,480 ----a-w C:\WINDOWS\system32\msacm32.drv
+ 2004-09-01 00:00:00 188,416 ----a-w C:\WINDOWS\system32\msh261.drv
+ 2004-09-01 00:00:00 294,912 ----a-w C:\WINDOWS\system32\msh263.drv
- 2004-09-01 00:00:00 1,392,671 ----a-w C:\WINDOWS\system32\msvbvm60.dll
+ 2004-02-23 15:12:40 1,386,496 ----a-w C:\WINDOWS\system32\msvbvm60.dll
+ 2004-09-01 00:00:00 2,656 ----a-w C:\WINDOWS\system32\netware.drv
- 2006-07-23 03:21:53 278,528 ----a-w C:\WINDOWS\system32\pncrt.dll
+ 2008-05-24 19:18:55 278,528 ----a-w C:\WINDOWS\system32\pncrt.dll
- 2006-07-23 03:21:55 6,656 ----a-w C:\WINDOWS\system32\pndx5016.dll
+ 2008-05-24 19:19:02 6,656 ----a-w C:\WINDOWS\system32\pndx5016.dll
- 2006-07-23 03:21:55 5,632 ----a-w C:\WINDOWS\system32\pndx5032.dll
+ 2008-05-24 19:19:02 5,632 ----a-w

C:\WINDOWS\system32\pndx5032.dll
+ 2001-08-17 14:36:30 5,632 ----a-w

C:\WINDOWS\system32\ptpusb.dll
+ 2004-08-03 16:56:46 159,232 ----a-w

C:\WINDOWS\system32\ptpusd.dll
- 2006-07-23 03:22:01 176,167 ----a-w

C:\WINDOWS\system32\rmoc3260.dll
+ 2008-05-24 19:19:15 185,944 ----a-w

C:\WINDOWS\system32\rmoc3260.dll
+ 2004-09-01 00:00:00 1,744 ----a-w

C:\WINDOWS\system32\sound.drv
+ 2004-09-01 00:00:00 3,360 ----a-w

C:\WINDOWS\system32\system.drv
+ 2004-09-01 00:00:00 4,048 ----a-w

C:\WINDOWS\system32\timer.drv
+ 2004-09-01 00:00:00 2,176 ----a-w

C:\WINDOWS\system32\vga.drv
- 2006-11-10 02:46:36 197,680 ----a-w

C:\WINDOWS\system32\vpnapi.dll
+ 2007-10-26 06:28:18 197,408 ----a-w

C:\WINDOWS\system32\vpnapi.dll
- 2005-01-25 23:22:16 75,536 ----a-w

C:\WINDOWS\system32\vsdata.dll
+ 2005-01-26 02:22:16 75,536 ----a-w

C:\WINDOWS\system32\vsdata.dll
- 2005-01-25 23:22:20 280,344 ----a-w

C:\WINDOWS\system32\vsdatant.sys
+ 2005-01-26 02:22:20 280,344 ----a-w

C:\WINDOWS\system32\vsdatant.sys
- 2005-01-25 23:22:28 124,688 ----a-w

C:\WINDOWS\system32\vsinit.dll
+ 2005-01-26 02:22:28 124,688 ----a-w

C:\WINDOWS\system32\vsinit.dll
+ 2004-09-01 00:00:00 23,552 ----a-w

C:\WINDOWS\system32\wdmaud.drv
+ 2004-09-01 00:00:00 13,600 ----a-w

C:\WINDOWS\system32\wfwnet.drv
+ 2004-09-01 00:00:00 2,864 ----a-w

C:\WINDOWS\system32\winsock.dll
+ 2004-09-01 00:00:00 146,432 ----a-w

C:\WINDOWS\system32\winspool.drv
+ 2004-09-01 00:00:00 2,112 ----a-w

C:\WINDOWS\system32\winspool.exe
+ 2004-09-01 00:00:00 2,736 ----a-w

C:\WINDOWS\system32\wowdeb.exe
+ 2000-08-31 00:00:00 49,152 ----a-w

C:\WINDOWS\VFind.exe
+ 2005-09-22 15:48:08 479,232 ----a-w

C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e

3b_8.0.50727.42_x-ww_0de06acd\msvcm80.dll
+ 2005-09-22 15:48:08 548,864 ----a-w

C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e

3b_8.0.50727.42_x-ww_0de06acd\msvcp80.dll
+ 2005-09-22 15:48:06 626,688 ----a-w

C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e

3b_8.0.50727.42_x-ww_0de06acd\msvcr80.dll
+ 2000-08-31 00:00:00 68,096 ----a-w

C:\WINDOWS\zip.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-01 08:00 15360]
"WebSafe"="C:\Documents and Settings\Harleqin\Application Data\Microsoft\Web\WebSafe.exe" [2008-06-23 20:01 204381]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-09-01 08:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-09-01 08:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-09-01 08:00 455168]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-06-28 08:55 580096]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-12-15 08:20 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-12-15 08:07 118784]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-11-09 06:00 128920]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2004-12-31 16:14 469824]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-02-19 06:51 155648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03 36975]
"LXCTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll" [2006-06-07 20:09 106496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-06-23 23:03 1817600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-26 13:36 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-09-01 08:00 53760 C:\WINDOWS\system32\narrator.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^iFinger.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\iFinger.lnk
backup=C:\WINDOWS\pss\iFinger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Winter Fun Wallpaper Changer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Winter Fun Wallpaper Changer.lnk
backup=C:\WINDOWS\pss\Winter Fun Wallpaper Changer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Harleqin^Start Menu^Programs^Startup^BEE Service.lnk]
path=C:\Documents and Settings\Harleqin\Start Menu\Programs\Startup\BEE Service.lnk
backup=C:\WINDOWS\pss\BEE Service.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
--a------ 2005-09-06 14:45 820736 C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desktop Service Centre]
--------- 2005-11-30 10:21 2919831 C:\Program Files\OptusNet DSL Internet\DSC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
--a------ 2006-06-07 11:05 98304 C:\Program Files\Lexmark 5400 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-08 14:03 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 5400 Series Fax Server]
--a------ 2006-07-11 07:30 294912 C:\Program Files\Lexmark 5400 Series\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxctmon.exe]
--a------ 2006-06-20 21:37 286720 C:\Program Files\Lexmark 5400 Series\lxctmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2005-03-09 19:10 11776 C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-14 00:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2005-06-29 15:29 176128 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2005-08-26 15:49 860160 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-05-25 03:18 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Documents and Settings\\Harleqin\\Desktop\\utorrent.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-06-23 23:03]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41317982-1194-11dc-b56a-0013ce7bdeec}]
\Shell\AutoRun\command - J:\System\DriveGuard\DriveProtect.exe -run
\Shell\Explore\Command - J:\System\DriveGuard\DriveProtect.exe -run
\Shell\Open\Command - J:\System\DriveGuard\DriveProtect.exe -run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8aeefc31-c657-11db-b4e0-0013ce7bdeec}]
\Shell\AutoRun\command - J:\System\DriveGuard\DriveProtect.exe -run
\Shell\Explore\Command - J:\System\DriveGuard\DriveProtect.exe -run
\Shell\Open\Command - J:\System\DriveGuard\DriveProtect.exe -run

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a570f2a2-fd36-11dc-b6e7-0013ce7bdeec}]
\Shell\AutoRun\command - h6o0re.cmd
\Shell\explore\Command - h6o0re.cmd
\Shell\open\Command - h6o0re.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a70c9880-9b5e-11da-b32f-0013ce7bdeec}]
\Shell\AutoRun\command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a90b8b40-7792-11da-9245-806d6172696f}]
\Shell\AutoRun\command - E:\NECMENU.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f065c78d-257a-11dd-b734-0013ce7bdeec}]
\Shell\AutoRun\command - h6o0re.cmd
\Shell\explore\Command - h6o0re.cmd
\Shell\open\Command - h6o0re.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f065c78e-257a-11dd-b734-0013ce7bdeec}]
\Shell\AutoRun\command - h6o0re.cmd
\Shell\explore\Command - h6o0re.cmd
\Shell\open\Command - h6o0re.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{37699D9F-458A-71B7-0807-080706040001}]
C:\WINDOWS\system32\WinSecSys.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{741403DD-46A4-4D58-8FA7-427335C3BBF6} - C:\WINDOWS\system32\PowerVideo.dll
Notify-AutorunsDisabled - WgaLogon.dll
MSConfigStartUp-MessengerPlus3 - C:\Program Files\MessengerPlus! 3\MsgPlus.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-05 19:12:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCTCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16?????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-05 19:13:36
ComboFix-quarantined-files.txt 2008-07-05 11:13:30
ComboFix2.txt 2007-12-05 14:49:18

Pre-Run: 540,708,864 bytes free
Post-Run: 578,473,984 bytes free

301

HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:51:04 PM, on 5/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ScsiAccess.EXE
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Harleqin\Desktop\HiJackThis.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?id=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com.my/0SEENMY/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WebSafe] "C:\Documents and Settings\Harleqin\Application Data\Microsoft\Web\WebSafe.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: DriveGuard.lnk = C:\Program Files\WinDriveGuard\DriveGuard.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://desktop.optusnet.com.au/dsl/favorites/homepage
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.0.97.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-MY/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 9075 bytes

MBAM Log

Malwarebytes' Anti-Malware 1.19
Database version: 922
Windows 5.1.2600 Service Pack 2

8:10:25 PM 5/07/2008
mbam-log-7-5-2008 (20-10-25).txt

Scan type: Quick Scan
Objects scanned: 40015
Time elapsed: 8 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\powervideo.video (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{741403dd-46a4-4d58-8fa7-427335c3bbf6} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f627a939-3f63-42e2-b77b-f733cb2439c9} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{fadc335e-6a47-47ef-97b8-704c72d1e725} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\PowerVideo.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

grsamf

1st Responder
Site Moderator

Joined: Oct 08, 2006
Posts: 1275

1st Responders Moderators Premium

PostPosted: Sun Jul 06, 2008 3:19 pm    Post subject:

Please go to VirusTotal or Jotti’s VirusScan. Please note that both of these sites can be quite busy at times and you may have to wait.

Click the browse button on the VirusTotal or Jotti web page and upload the following file by migrating to it in the pop up box that appears:

C:\Program Files\WinDriveGuard\DriveGuard.exe

VirusTotal or Jotti will give results. Copy and paste the results of the scan in your next post.

Repeat the process with the following file:

C:\Documents and Settings\Harleqin\Application Data\Microsoft\Web\WebSafe.exe

In addition to the two VirusTotal or Jotti logs, post a new HJT log. NOTE: Please be sure that WordWrap is unchecked in NotePad when producing and copying logs. That will make the logs much easier to read.


harleqin

Private
Private


Joined: Nov 14, 2004
Posts: 42
Location: USA

PostPosted: Mon Jul 07, 2008 8:43 am    Post subject:

Driveguard was deleted because I think it was a virus. One of my programmes detected it, so it's no longer on the system.

Here's the websafe result.


File WebSafe.exe received on 07.07.2008 10:33:06 (CET)
Result: 6/33 (18.19%)

Antivirus Version Last Update Result
AhnLab-V3 2008.7.4.1 2008.07.07 -
AntiVir 7.8.0.64 2008.07.07 -
Authentium 5.1.0.4 2008.07.06 -
Avast 4.8.1195.0 2008.07.06 -
AVG 7.5.0.516 2008.07.06 -
BitDefender 7.2 2008.07.07 -
CAT-QuickHeal 9.50 2008.07.04 TrojanSpy.Agent.bve
ClamAV 0.93.1 2008.07.07 -
DrWeb 4.44.0.09170 2008.07.07 -
eSafe 7.0.17.0 2008.07.03 Suspicious File
eTrust-Vet 31.6.5927 2008.07.04 -
Ewido 4.0 2008.07.06 -
F-Prot 4.4.4.56 2008.07.06 -
F-Secure 7.60.13501.0 2008.07.03 -
Fortinet 3.14.0.0 2008.07.07 -
GData 2.0.7306.1023 2008.07.07 -
Ikarus T3.1.1.26.0 2008.07.07 Trojan-Spy.Win32.Agent.bbg
Kaspersky 7.0.0.125 2008.07.07 -
McAfee 5332 2008.07.04 -
Microsoft 1.3704 2008.07.07 -
NOD32v2 3245 2008.07.07 archive damaged
Norman 5.80.02 2008.07.04 -
Panda 9.0.0.4 2008.07.06 Suspicious file
Prevx1 V2 2008.07.07 -
Rising 20.51.60.00 2008.07.06 -
Sophos 4.31.0 2008.07.07 -
Sunbelt 3.1.1509.1 2008.07.04 -
Symantec 10 2008.07.07 -
TheHacker 6.2.96.374 2008.07.07 -
TrendMicro 8.700.0.1004 2008.07.07 -
VBA32 3.12.6.8 2008.07.06 -
VirusBuster 4.5.11.0 2008.07.06 -
Webwasher-Gateway 6.6.2 2008.07.07 Win32.ModifiedUPX.gen (suspicious)
Additional information
File size: 204381 bytes
MD5...: e97755d3212ec2e62a84666be278b415
SHA1..: a3b9e0a57b5f3c87ad6cc5e023fc0ae5ae045cb3
SHA256: cfbf040eab2a7f5bc9fc64a0864c43a5845fb688f4903fad7b228960a477b8f9
SHA512: e70c8dcce196cbf13b3361b935085573366dbd27a54c1aa6e86763310172e3c4716ed362e75af9cc5676135fb813b82de073b99fef08117a4ca00f7094e28cab
PEiD..: UPX 2.93 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x46f1c0
timedatestamp.....: 0x47d3fe43 (Sun Mar 09 15:12:03 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x3f000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x40000 0x30000 0x2fe00 8.00 6a82e892f8d930137de43ca6ee7e740c
.rsrc 0x70000 0x2000 0x1400 5.56 34159f417138450999da59c3d8c19449

( 12 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
> ADVAPI32.dll: RegCloseKey
> COMCTL32.dll: -
> comdlg32.dll: GetOpenFileNameA
> GDI32.dll: BitBlt
> ole32.dll: CoInitialize
> OLEAUT32.dll: -
> SHELL32.dll: DragFinish
> USER32.dll: GetDC
> VERSION.dll: VerQueryValueA
> WINMM.dll: mixerOpen
> WSOCK32.dll: -

( 0 exports )
packers (F-Prot): UPX_LZMA
packers (Kaspersky): UPX


HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:39:26 PM, on 7/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ScsiAccess.EXE
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Harleqin\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?id=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com.my/0SEENMY/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WebSafe] "C:\Documents and Settings\Harleqin\Application Data\Microsoft\Web\WebSafe.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: iFinger - {936E5D60-596C-11D3-BB96-00600816DF55} - C:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://desktop.optusnet.com.au/dsl/favorites/homepage
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.0.97.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-MY/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 8987 bytes

grsamf

1st Responder
Site Moderator

Joined: Oct 08, 2006
Posts: 1275