Not-A-Virus.Monitor.Win32.Ardamax.ae

Thread Solved

crunchie (Moderator)

Re: Not-A-Virus.Monitor.Win32.Ardamax.ae

#11, Mar 14th, 2008
Originally Posted by crunchie:
Please save that log to post in your next reply along with a fresh HJT log
Please do that too next time.

==

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
KillAll::

RENV::
--sha-r 616,609 2008-01-30 19:16:02 C:\WINDOWS\system32\svchost .exe
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://i5.photobucket.com/albums/y15...1/CFScript.gif


7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
  • Combofix.txt
  • A new HijackThis log.
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
PhilliePhan (Moderator)

Re: Not-A-Virus.Monitor.Win32.Ardamax.ae

#12, Mar 14th, 2008
Hey Guys,

The first HJT log shows the following baddie:
F2 - REG:system.ini: Shell=Explorer.exe regsvr.exe
O4 - HKCU\..\Run: [Msn Messsenger] C:\WINDOWS\system32\regsvr.exe

This is probably responsible for the initial issues and may well be stealthed and still active....

Just a "heads up" in case you didn't look back that far.

-- Also, be advised that you have been exposed to an infected USB drive somewhere along the way. You may want to check your portable storage devices. If memory serves, sUBs has a "cleaner" for these....

PP
Last edited by PhilliePhan; Mar 14th, 2008 at 10:43 pm.
vidyaskandan

Re: Not-A-Virus.Monitor.Win32.Ardamax.ae

#13, Mar 15th, 2008
Hi. I'm sending you the HijackThis log and ComboFix log as attachments. Please look at those. What can be done for the baddies mentioned by PhilliePhan in the previous post? One more thing is whenever I run ComboFix, it looks as if all my problems are getting solved. But after I restart my system twice the same problems exist. Except the registry is now working. But the connection to the servers keeps failing.

ComboFix 08-03-13.4 - computer 2008-03-15 9:17:23.3 - NTFSx86

Running from: C:\Documents and Settings\computer\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\computer\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-15 to 2008-03-15 )))))))))))))))))))))))))))))))
.

2008-03-13 20:09 . 2008-03-13 20:18 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-03-13 19:13 . 2008-03-13 19:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-13 19:06 . 2008-03-13 19:07 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-11 19:03 . 2008-03-11 19:03 <DIR> d-------- C:\fsaua.data
2008-03-11 18:42 . 2008-03-11 18:42 <DIR> d-------- C:\Program Files\McAfee
2008-03-11 18:42 . 2008-03-11 18:42 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-03-11 18:42 . 2008-03-11 18:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-11 18:42 . 2006-12-19 15:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2008-03-11 18:42 . 2007-02-22 20:50 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-03-11 18:42 . 2006-11-30 08:50 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-03-11 18:42 . 2006-11-30 08:50 64,360 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2008-03-11 18:42 . 2006-11-30 08:50 52,136 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2008-03-11 18:42 . 2006-11-30 08:50 34,152 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-03-11 18:42 . 2006-12-19 15:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2008-03-10 20:20 . 2008-03-13 21:29 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-10 20:20 . 2008-03-10 20:20 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-10 20:13 . 2008-01-31 00:46 616,609 -rahs---- C:\WINDOWS\system32\svchost .exe
2008-03-10 20:13 . 2008-01-31 00:46 616,609 -rahs---- C:\WINDOWS\system32\regsvr.exe
2008-03-10 19:34 . 1998-06-19 12:23 270,848 --a------ C:\WINDOWS\UNWISE32.EXE
2008-03-06 18:47 . 2008-03-11 18:18 <DIR> d-------- C:\Program Files\Macrogaming
2008-03-06 18:03 . 2008-03-06 18:03 <DIR> d-------- C:\Documents and Settings\computer\Application Data\LQ Graphics
2008-03-06 15:11 . 2008-03-06 15:12 1,045 --a------ C:\temp.avs
2008-03-06 15:11 . 2008-03-06 15:12 55 --a------ C:\WINDOWS\param.ini
2008-03-06 15:09 . 2004-02-23 21:41 719,872 --a------ C:\WINDOWS\system32\devil.dll
2008-03-06 15:09 . 2005-10-08 01:14 308,224 --a------ C:\WINDOWS\system32\avisynth.dll
2008-03-06 15:09 . 2006-05-11 09:43 163,496 --a------ C:\WINDOWS\system32\help.chm
2008-03-06 15:09 . 2006-05-11 09:41 80 --a------ C:\WINDOWS\system32\Home Page.url
2008-03-04 00:45 . 2008-03-04 00:47 <DIR> d-------- C:\Program Files\Free Video Converter
2008-03-03 00:37 . 2008-03-14 14:32 <DIR> d-------- C:\divx
2008-03-01 03:44 . 2008-03-05 00:25 <DIR> d-------- C:\Documents and Settings\computer\Application Data\dvdcss
2008-03-01 02:45 . 2008-03-01 02:45 42,612 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-02-27 09:07 . 2008-02-27 09:07 <DIR> d-------- C:\Documents and Settings\computer\Application Data\Grisoft
2008-02-27 09:07 . 2007-05-30 17:40 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-26 06:52 . 2008-02-26 06:52 <DIR> d-------- C:\Program Files\PCZeitschaltuhr
2008-02-26 06:52 . 2008-02-27 13:44 <DIR> d-------- C:\Documents and Settings\computer\Application Data\AutoPowerOn
2008-02-23 15:33 . 2007-04-23 05:45 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-02-23 15:33 . 2007-04-23 05:45 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2008-02-23 15:33 . 2007-04-23 05:45 116,472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2008-02-23 15:33 . 2007-04-23 05:45 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-02-23 15:33 . 2007-04-23 05:45 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-02-16 02:01 . 2008-02-16 02:01 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\PDFcreator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-15 03:14 --------- d-----w C:\Documents and Settings\computer\Application Data\AVG7
2008-03-14 04:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-12 17:18 --------- d-----w C:\Program Files\Yahoo!
2008-03-12 16:02 --------- d-----w C:\Documents and Settings\computer\Application Data\DMCache
2008-03-07 12:48 --------- d-----w C:\Documents and Settings\computer\Application Data\MegauploadToolbar
2008-03-06 14:00 --------- d-----w C:\Program Files\ANSYS Inc
2008-03-02 08:05 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-01 05:45 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-29 21:51 --------- d-----w C:\Program Files\Picasa2
2008-02-27 09:33 --------- d-----w C:\Program Files\Nokia
2008-02-27 03:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-23 10:15 --------- d-----w C:\Documents and Settings\computer\Application Data\DivX
2008-02-23 10:03 --------- d-----w C:\Program Files\DivX
2008-02-20 21:49 --------- d-----w C:\Documents and Settings\computer\Application Data\uTorrent
2008-02-10 09:56 --------- d-----w C:\Documents and Settings\computer\Application Data\IDM
2008-02-02 19:35 --------- d-----w C:\Documents and Settings\computer\Application Data\U3
2008-01-16 16:52 --------- d-----w C:\Documents and Settings\computer\Application Data\PC Suite
2008-01-16 16:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-01-16 16:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bluetooth
2008-01-16 16:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-16 16:43 --------- d-----w C:\Program Files\IVT Corporation
2008-01-15 17:31 --------- d-----w C:\Documents and Settings\computer\Application Data\Nokia
2008-01-15 17:29 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-01-15 17:29 --------- d-----w C:\Program Files\DIFX
2008-01-15 17:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2007-12-23 16:47 32,232 ----a-w C:\license.dat
2007-09-23 12:59 52,768 ----a-w C:\Documents and Settings\computer\Application Data\GDIPFONTCACHEV1.DAT
.
--sha-r           616,609 2008-01-30 19:16:02  C:\WINDOWS\system32\svchost .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:30 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 21:54 1694208]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"Crammer"="C:\Documents and Settings\computer\Desktop\Dictionary\Crammer.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-05-25 12:21 131072]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-05-25 12:21 155648]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-05-25 12:21 131072]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-25 12:21 16132608 C:\WINDOWS\RTHDCPL.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-05 13:20 180269]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb02.exe" [2001-03-22 20:48 192512]
"UDC Integration"="" []
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-07-21 15:30 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-25 08:44 579072]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 14:55 6731312]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-02-22 20:50 112216]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 11:27 136768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-25 14:26 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^computer^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\computer\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitDownload]
C:\Program Files\BitDownload\BitDownload.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 17:05 81920 C:\Program Files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-02 02:52 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
--a------ 2007-08-29 19:49 2532784 C:\Program Files\Internet Download Manager\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 21:54 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\svchost Agent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-10 21:03 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2003-12-13 06:20 33792 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-06-11 18:16 4670968 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"84:TCP"= 84:TCP:VRS Recording System Web Control Panel
"81:TCP"= 81:TCP:Axon Web Server

R2 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe [2006-03-24 22:04]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22d5b662-c785-11dc-b038-001167558fc8}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2faa834e-7579-11dc-956b-0019d187a3cf}]
\Shell\Auto\command - G:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56e6491b-4cc8-11dc-9494-0019d187a3cf}]
\Shell\AutoRun\command - I:\188qsm.bat
\Shell\explore\Command - I:\188qsm.bat
\Shell\open\Command - I:\188qsm.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{683226a4-62f0-11dc-950f-0019d187a3cf}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aea70086-5c39-11dc-94e5-0019d187a3cf}]
\Shell\AutoRun\command - G:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8794dac-8b65-11dc-95d3-0019d187a3cf}]
\Shell\AutoRun\command - G:\ntde1ect.com
\Shell\explore\Command - G:\ntde1ect.com
\Shell\open\Command - G:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9c4ff5b-e61e-11dc-b0ad-001167558fc8}]
\Shell\AutoRun\command - 2ifetri.cmd
\Shell\explore\Command - 2ifetri.cmd
\Shell\open\Command - 2ifetri.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8c2a2aa-cc00-11dc-b047-001167558fc8}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-15 03:30:00 C:\WINDOWS\Tasks\A5BD3BC291E6AD36.job"
- c:\docume~1\computer\applic~1\chicproc\Acid the idol.exe
"2008-03-01 14:54:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-15 03:30:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\svchost
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-15 09:21:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\crypserv.exe
C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\ansyslmd.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
.
**************************************************************************
.
Completion time: 2008-03-15 9:23:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-15 03:53:33
ComboFix2.txt 2008-03-14 19:14:38
ComboFix3.txt 2008-03-14 12:06:43
.
2008-02-13 18:30:05 --- E O F ---


==============

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:34 AM, on 3/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\crypserv.exe
C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\ansyslmd.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb02.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Crammer] C:\Documents and Settings\computer\Desktop\Dictionary\Crammer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/f...trol_en_US.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://asia-ml04.asia.csc.com/iNotes6W.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://img2.orkut.com/activex/10035/photouploader.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor...n/pestscan.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/l2/bin/cortvrml.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: USBest Service Zero (UTSCSI) - USBest - C:\WINDOWS\system32\UTSCSI.EXE

--
End of file - 10131 bytes
Last edited by crunchie; Mar 15th, 2008 at 3:37 am.
Attached Files
File Type: txt ComboFix.txt (16.4 KB, 1 views)
File Type: txt hijackthis log.txt (9.9 KB, 1 views)
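The indicators PhilliePhan called out in post #12 (the system.ini Shell= hijack, the infected USB drive) and the ones visible in the ComboFix and HijackThis logs above (the `svchost .exe` with an embedded space carrying -rahs attributes, the mountpoints2 autorun handlers pointing at ntde1ect.com and 2ifetri.cmd, the scheduled tasks) can all be picked out mechanically. The script below is an added example, not something posted in the thread or part of ComboFix or HijackThis; the MIMICKED name list, the "hidden+system" rule and the user-profile heuristic for scheduled tasks are illustrative assumptions, and the sample lines are constructed by copying entries quoted in the logs above.

```python
"""Triage of ComboFix / HijackThis log lines for the indicators discussed in
this thread: a lookalike 'svchost .exe', hidden+system files in system32,
the system.ini Shell= hijack, USB-drive autorun handlers, and odd scheduled
tasks. Added example, not part of the original posts; the rule thresholds
and the MIMICKED list are illustrative assumptions."""
import ntpath
import re

# Binaries that malware commonly names itself after (assumption: short list).
MIMICKED = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe",
            "winlogon.exe", "services.exe", "smss.exe"}
SCRIPT_EXT = {".bat", ".cmd", ".com", ".pif", ".scr", ".vbs"}

# ComboFix "Files Created" entry:  created . modified  size  attrs  path
CF_FILE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d"
                     r"\s+[\d,]+\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$")
# HijackThis F2 line for the system.ini shell value
HJT_SHELL = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.+)$", re.I)
# ComboFix mountpoints2 dump: \Shell\<verb>\command - <command line>
MP2_CMD = re.compile(r"^\\Shell\\\w+\\command - (?P<cmd>.+)$", re.I)
# Target line printed under a ComboFix scheduled-task entry
TASK_TARGET = re.compile(r"^- (?P<path>.+)$")


def lookalike(path):
    """True when the file name differs from a well-known system binary only by
    inserted whitespace ('svchost .exe') or a dropped extension ('svchost')."""
    base = ntpath.basename(path.strip()).lower()
    squeezed = re.sub(r"\s+", "", base)
    if squeezed in MIMICKED and squeezed != base:
        return True
    return squeezed + ".exe" in MIMICKED


def shell_hijack(value):
    """system.ini Shell= should launch explorer.exe and nothing else; every
    extra token is another program started alongside the shell."""
    return [t for t in value.split() if t.lower() != "explorer.exe"]


def autorun_suspicious(cmd):
    """Drive AutoRun/open/explore handlers that run a script or .com, a bare
    relative file name, or bounce through rundll32 ShellExec_RunDLL."""
    cmd = cmd.strip()
    if "shellexec_rundll" in cmd.lower():
        return True
    exe = cmd.split()[0]                      # executable before its arguments
    ext = ntpath.splitext(exe)[1].lower()
    relative = re.match(r"^[a-z]:\\", exe, re.I) is None
    return ext in SCRIPT_EXT or relative


def triage(lines):
    """Apply every rule to each log line; returns (rule, line) hits in order."""
    hits = []
    for raw in lines:
        line = raw.rstrip()
        if m := CF_FILE.match(line):
            attrs, path = m.group("attrs"), m.group("path")
            if "h" in attrs and "s" in attrs:      # hidden + system, like -rahs----
                hits.append(("hidden+system file", line))
            if lookalike(path):
                hits.append(("lookalike name", line))
        elif m := HJT_SHELL.match(line):
            if shell_hijack(m.group("value")):
                hits.append(("Shell= hijack", line))
        elif m := MP2_CMD.match(line):
            if autorun_suspicious(m.group("cmd")):
                hits.append(("drive autorun", line))
        elif m := TASK_TARGET.match(line):
            path = m.group("path")
            # a task whose target lives in a user profile, or is a lookalike name
            if lookalike(path) or re.search(r"docume~1|documents and settings", path, re.I):
                hits.append(("scheduled task", line))
    return hits


# Constructed sample: entries copied from the log lines quoted in this thread.
SAMPLE = [
    r"2008-03-10 20:13 . 2008-01-31 00:46 616,609 -rahs---- C:\WINDOWS\system32\svchost .exe",
    r"2008-03-10 20:13 . 2008-01-31 00:46 616,609 -rahs---- C:\WINDOWS\system32\regsvr.exe",
    r"2008-03-10 20:20 . 2008-03-13 21:29 54,156 --ah----- C:\WINDOWS\QTFont.qfn",
    r"2008-03-11 18:42 . 2007-02-22 20:50 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys",
    r"F2 - REG:system.ini: Shell=Explorer.exe regsvr.exe",
    r"\Shell\AutoRun\command - I:\LaunchU3.exe -a",
    r"\Shell\AutoRun\command - G:\ntde1ect.com",
    r"\Shell\open\Command - 2ifetri.cmd",
    r"\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe",
    r"- c:\docume~1\computer\applic~1\chicproc\Acid the idol.exe",
    r"- C:\Program Files\Apple Software Update\SoftwareUpdate.exe",
    r"- C:\WINDOWS\system32\svchost",
]

if __name__ == "__main__":
    for rule, line in triage(SAMPLE):
        print(f"{rule:20} {line}")
```

Run against the sample, the rules flag the two -rahs files, the spaced `svchost .exe` (twice: once as hidden+system, once as a lookalike), the Shell= line, the three malicious drive handlers and the two dubious tasks, while the legitimate U3 launcher, the McAfee driver and the Apple updater task pass. The mountpoints2 entries are the persistent trace of autorun.inf files on drives that were plugged in, which is why PhilliePhan's advice to check the portable storage devices stands even after the host files are removed.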
crunchie (Moderator)

Re: Not-A-Virus.Monitor.Win32.Ardamax.ae

#14, Mar 15th, 2008
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
KillAll::

File::
C:\WINDOWS\system32\svchost .exe
C:\WINDOWS\system32\regsvr.exe
C:\WINDOWS\Tasks\A5BD3BC291E6AD36.job
RENV::
C:\WINDOWS\system32\svchost .exe
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Crammer"=-
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScript.gif]


7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
  • Combofix.txt
  • A new HijackThis log.
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

==============

Please use the Internet Explorer browser (or Firefox with IETab), and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
[Image: Kas-SaveReport-1.gif]
[Image: Kas-Savetxt.gif]
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.
Last edited by crunchie; Mar 15th, 2008 at 3:51 am.
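As an added example (not part of crunchie's instructions and not a feature of Kaspersky Online Scanner or ComboFix): a small Python triage script for the report the post asks for. It separates "Object is locked" noise and detections already contained in ComboFix's quarantine (QooBox) or in System Restore points from detections still live on disk, which are the ones that need action. The sample lines are a constructed excerpt in the format of the report posted in this thread; the location rules are assumptions of this example.

```python
import re
from collections import Counter

# One line of the "Infected Object Name / Virus Name / Last Action" section.
# The path may contain spaces and an archive-member suffix such as
# ".exe/C:\svchost.exe", so the match is anchored on the trailing status.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?:(?P<locked>Object is locked)"
    r"|Infected: (?P<verdict>\S+)"
    r"|(?P<container>[A-Za-z0-9]+): infected - (?P<count>\d+))"
    r"\s+skipped$"
)

# Constructed excerpt in the format of the report posted in this thread.
SAMPLE_LINES = [
    r"Infected Object Name / Virus Name / Last Action",
    r"C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped",
    r"C:\QooBox\Quarantine\C\WINDOWS\system32\regsvr.exe.vir/C:\svchost.exe Infected: not-a-virus:Monitor.Win32.Ardamax.ae skipped",
    r"C:\QooBox\Quarantine\C\WINDOWS\system32\regsvr.exe.vir ASPack: infected - 1 skipped",
    r"C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038597.exe/C:\svchost.exe Infected: not-a-virus:Monitor.Win32.Ardamax.ae skipped",
    r"E:\Softwares setups\002\TorrentSoftware-4.2.0.0-setup-0260.exe/file13 Infected: Trojan.Win32.Obfuscated.en skipped",
    r"E:\Softwares setups\002\TorrentSoftware-4.2.0.0-setup-0260.exe Inno: infected - 2 skipped",
    r"Scan process completed.",
]


def classify(path):
    """Where a detection sits decides what it needs (rules assumed here)."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"       # already moved aside by ComboFix
    if "\\system volume information\\_restore" in p:
        return "restore_point"    # System Restore copy; cleared by purging restore points
    return "live"                 # still on disk, needs attention


def triage(report_lines):
    """Count objects by location and list the detections still live on disk."""
    by_location = Counter()
    verdicts = Counter()
    live = []
    for raw in report_lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # header, summary and blank lines
        if m.group("locked"):
            by_location["locked"] += 1    # in-use file, not a detection
            continue
        if m.group("container"):
            continue                      # container summary; its members were already counted
        loc = classify(m.group("path"))
        by_location[loc] += 1
        verdicts[m.group("verdict")] += 1
        if loc == "live":
            live.append((m.group("path"), m.group("verdict")))
    return {"by_location": dict(by_location), "verdicts": dict(verdicts), "live": live}


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    print("objects by location:", result["by_location"])
    print("detections by verdict:", result["verdicts"])
    for path, verdict in result["live"]:
        print("still live on disk:", verdict, "in", path)
```

Feed it the saved KScan.txt (one line per list entry) to get the same split for a full report.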
vidyaskandan (Light Poster)

Re: Not-A-Virus.Monitor.Win32.Ardamax.ae
#15
Mar 15th, 2008
Hi. Thanks again. I carried out all the scans. I am sending the scan report here.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 15, 2008 10:06:11 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/03/2008
Kaspersky Anti-Virus database records: 631406
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 126067
Number of viruses found: 4
Number of infected objects: 69
Number of suspicious objects: 0
Duration of the scan process: 01:53:22

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_VIBHAR.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\PrdMgr_VIBHAR.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\computer\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\computer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\computer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\computer\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\computer\Local Settings\History\History.IE5\MSHist012008031520080316\index.dat Object is locked skipped
C:\Documents and Settings\computer\Local Settings\Temp\IMG11.tmp Object is locked skipped
C:\Documents and Settings\computer\Local Settings\Temp\IMG3.tmp Object is locked skipped
C:\Documents and Settings\computer\Local Settings\Temp\Perflib_Perfdata_4f0.dat Object is locked skipped
C:\Documents and Settings\computer\Local Settings\Temp\Perflib_Perfdata_c10.dat Object is locked skipped
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\computer\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\computer\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\computer\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\ANSYS Inc\Shared Files\Licensing\license.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\regsvr.exe.vir/C:\svchost.exe Infected: not-a-virus:Monitor.Win32.Ardamax.ae skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\regsvr.exe.vir Embedded: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\regsvr.exe.vir ASPack: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\svchost .exe.vir/C:\svchost.exe Infected: not-a-virus:Monitor.Win32.Ardamax.ae skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\svchost .exe.vir Embedded: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\svchost .exe.vir ASPack: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038597.exe/C:\svchost.exe Infected: not-a-virus:Monitor.Win32.Ardamax.ae skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038597.exe Embedded: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038597.exe ASPack: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038604.exe/C:\svchost.exe Infected: not-a-virus:Monitor.Win32.Ardamax.ae skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038604.exe Embedded: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038604.exe ASPack: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038610.exe/C:\svchost.exe Infected: not-a-virus:Monitor.Win32.Ardamax.ae skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038610.exe Embedded: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038610.exe ASPack: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038620.exe/C:\svchost.exe Infected: not-a-virus:Monitor.Win32.Ardamax.ae skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038620.exe Embedded: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038620.exe ASPack: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038696.exe/C:\svchost.exe Infected: not-a-virus:Monitor.Win32.Ardamax.ae skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038696.exe Embedded: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038696.exe ASPack: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038718.exe/C:\svchost.exe Infected: not-a-virus:Monitor.Win32.Ardamax.ae skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038718.exe Embedded: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038718.exe ASPack: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038724.exe/C:\svchost.exe Infected: not-a-virus:Monitor.Win32.Ardamax.ae skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038724.exe Embedded: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038724.exe ASPack: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038736.exe/C:\svchost.exe Infected: not-a-virus:Monitor.Win32.Ardamax.ae skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038736.exe Embedded: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038736.exe ASPack: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038751.exe/C:\svchost.exe Infected: not-a-virus:Monitor.Win32.Ardamax.ae skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038751.exe Embedded: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038751.exe ASPack: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038764.exe/C:\svchost.exe Infected: not-a-virus:Monitor.Win32.Ardamax.ae skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038764.exe Embedded: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP115\A0038764.exe ASPack: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP116\A0038786.exe/C:\svchost.exe Infected: not-a-virus:Monitor.Win32.Ardamax.ae skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP116\A0038786.exe Embedded: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP116\A0038786.exe ASPack: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP117\A0039786.exe/C:\svchost.exe Infected: not-a-virus:Monitor.Win32.Ardamax.ae skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP117\A0039786.exe Embedded: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP117\A0039786.exe ASPack: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP117\A0039799.exe/C:\svchost.exe Infected: not-a-virus:Monitor.Win32.Ardamax.ae skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP117\A0039799.exe Embedded: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP117\A0039799.exe ASPack: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP117\A0039807.exe/C:\svchost.exe Infected: not-a-virus:Monitor.Win32.Ardamax.ae skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP117\A0039807.exe Embedded: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP117\A0039807.exe ASPack: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP117\A0039826.exe/C:\svchost.exe Infected: not-a-virus:Monitor.Win32.Ardamax.ae skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP117\A0039826.exe Embedded: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP117\A0039826.exe ASPack: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP117\A0039834.exe/C:\svchost.exe Infected: not-a-virus:Monitor.Win32.Ardamax.ae skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP117\A0039834.exe Embedded: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP117\A0039834.exe ASPack: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP117\A0039845.exe/C:\svchost.exe Infected: not-a-virus:Monitor.Win32.Ardamax.ae skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP117\A0039845.exe Embedded: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP117\A0039845.exe ASPack: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP122\A0040491.exe/C:\svchost.exe Infected: not-a-virus:Monitor.Win32.Ardamax.ae skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP122\A0040491.exe Embedded: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP122\A0040491.exe ASPack: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP122\A0040492.exe/C:\svchost.exe Infected: not-a-virus:Monitor.Win32.Ardamax.ae skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP122\A0040492.exe Embedded: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP122\A0040492.exe ASPack: infected - 1 skipped
C:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP122\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP122\change.log Object is locked skipped
E:\Softwares setups\002\TorrentSoftware-4.2.0.0-setup-0260.exe/file02 Infected: not-a-virus:AdWare.Win32.Lop.bo skipped
E:\Softwares setups\002\TorrentSoftware-4.2.0.0-setup-0260.exe/file13 Infected: Trojan.Win32.Obfuscated.en skipped
E:\Softwares setups\002\TorrentSoftware-4.2.0.0-setup-0260.exe Inno: infected - 2 skipped
E:\Softwares setups\DivX.Pro.UI\DivX Pro + DivX Player 6[1].6.0.rar/Keygen/KeyGen [ DivX Pro + DivX Player 6.6.0 ].exe Infected: not-a-virusSWTool.Win32.GetPass.h skipped
E:\Softwares setups\DivX.Pro.UI\DivX Pro + DivX Player 6[1].6.0.rar RAR: infected - 1 skipped
E:\Softwares setups\DivX.Pro.UI\Keygen\KeyGen [ DivX Pro + DivX Player 6.6.0 ].exe Infected: not-a-virusSWTool.Win32.GetPass.h skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{ABBAAC21-3A5C-416B-B0A0-A3D0F13E30EF}\RP122\change.log Object is locked skipped

Scan process completed.

--------------------------------------------------------------------------------------------------------------------------------

ComboFix 08-03-13.4 - computer 2008-03-15 19:18:34.4 - NTFSx86

Running from: C:\Documents and Settings\computer\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\computer\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\regsvr.exe
C:\WINDOWS\system32\svchost .exe
C:\WINDOWS\Tasks\A5BD3BC291E6AD36.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\regsvr.exe
C:\WINDOWS\system32\svchost .exe
C:\WINDOWS\Tasks\A5BD3BC291E6AD36.job

.
((((((((((((((((((((((((( Files Created from 2008-02-15 to 2008-03-15 )))))))))))))))))))))))))))))))
.

2008-03-13 20:09 . 2008-03-13 20:18 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-03-13 19:13 . 2008-03-13 19:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-13 19:06 . 2008-03-13 19:07 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-11 19:03 . 2008-03-11 19:03 <DIR> d-------- C:\fsaua.data
2008-03-11 18:42 . 2008-03-11 18:42 <DIR> d-------- C:\Program Files\McAfee
2008-03-11 18:42 . 2008-03-11 18:42 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-03-11 18:42 . 2008-03-11 18:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-11 18:42 . 2006-12-19 15:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2008-03-11 18:42 . 2007-02-22 20:50 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-03-11 18:42 . 2006-11-30 08:50 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-03-11 18:42 . 2006-11-30 08:50 64,360 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2008-03-11 18:42 . 2006-11-30 08:50 52,136 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2008-03-11 18:42 . 2006-11-30 08:50 34,152 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-03-11 18:42 . 2006-12-19 15:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2008-03-10 20:20 . 2008-03-13 21:29 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-10 20:20 . 2008-03-10 20:20 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-10 19:34 . 1998-06-19 12:23 270,848 --a------ C:\WINDOWS\UNWISE32.EXE
2008-03-06 18:47 . 2008-03-11 18:18 <DIR> d-------- C:\Program Files\Macrogaming
2008-03-06 18:03 . 2008-03-06 18:03 <DIR> d-------- C:\Documents and Settings\computer\Application Data\LQ Graphics
2008-03-06 15:11 . 2008-03-06 15:12 1,045 --a------ C:\temp.avs
2008-03-06 15:11 . 2008-03-06 15:12 55 --a------ C:\WINDOWS\param.ini
2008-03-06 15:09 . 2004-02-23 21:41 719,872 --a------ C:\WINDOWS\system32\devil.dll
2008-03-06 15:09 . 2005-10-08 01:14 308,224 --a------ C:\WINDOWS\system32\avisynth.dll
2008-03-06 15:09 . 2006-05-11 09:43 163,496 --a------ C:\WINDOWS\system32\help.chm
2008-03-06 15:09 . 2006-05-11 09:41 80 --a------ C:\WINDOWS\system32\Home Page.url
2008-03-04 00:45 . 2008-03-04 00:47 <DIR> d-------- C:\Program Files\Free Video Converter
2008-03-03 00:37 . 2008-03-14 14:32 <DIR> d-------- C:\divx
2008-03-01 03:44 . 2008-03-05 00:25 <DIR> d-------- C:\Documents and Settings\computer\Application Data\dvdcss
2008-03-01 02:45 . 2008-03-01 02:45 42,612 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-02-27 09:07 . 2008-02-27 09:07 <DIR> d-------- C:\Documents and Settings\computer\Application Data\Grisoft
2008-02-27 09:07 . 2007-05-30 17:40 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-26 06:52 . 2008-02-26 06:52 <DIR> d-------- C:\Program Files\PCZeitschaltuhr
2008-02-26 06:52 . 2008-02-27 13:44 <DIR> d-------- C:\Documents and Settings\computer\Application Data\AutoPowerOn
2008-02-23 15:33 . 2007-04-23 05:45 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-02-23 15:33 . 2007-04-23 05:45 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2008-02-23 15:33 . 2007-04-23 05:45 116,472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2008-02-23 15:33 . 2007-04-23 05:45 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-02-23 15:33 . 2007-04-23 05:45 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-02-16 02:01 . 2008-02-16 02:01 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\PDFcreator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-15 07:42 --------- d-----w C:\Documents and Settings\computer\Application Data\AVG7
2008-03-14 04:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-12 17:18 --------- d-----w C:\Program Files\Yahoo!
2008-03-12 16:02 --------- d-----w C:\Documents and Settings\computer\Application Data\DMCache
2008-03-07 12:48 --------- d-----w C:\Documents and Settings\computer\Application Data\MegauploadToolbar
2008-03-06 14:00 --------- d-----w C:\Program Files\ANSYS Inc
2008-03-02 08:05 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-01 05:45 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-29 21:51 --------- d-----w C:\Program Files\Picasa2
2008-02-27 09:33 --------- d-----w C:\Program Files\Nokia
2008-02-27 03:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-23 10:15 --------- d-----w C:\Documents and Settings\computer\Application Data\DivX
2008-02-23 10:03 --------- d-----w C:\Program Files\DivX
2008-02-20 21:49 --------- d-----w C:\Documents and Settings\computer\Application Data\uTorrent
2008-02-10 09:56 --------- d-----w C:\Documents and Settings\computer\Application Data\IDM
2008-02-02 19:35 --------- d-----w C:\Documents and Settings\computer\Application Data\U3
2008-01-16 16:52 --------- d-----w C:\Documents and Settings\computer\Application Data\PC Suite
2008-01-16 16:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-01-16 16:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bluetooth
2008-01-16 16:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-16 16:43 --------- d-----w C:\Program Files\IVT Corporation
2008-01-15 17:31 --------- d-----w C:\Documents and Settings\computer\Application Data\Nokia
2008-01-15 17:29 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-01-15 17:29 --------- d-----w C:\Program Files\DIFX
2008-01-15 17:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2007-12-23 16:47 32,232 ----a-w C:\license.dat
2007-09-23 12:59 52,768 ----a-w C:\Documents and Settings\computer\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:30 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 21:54 1694208]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-11 18:16 4670968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-05-25 12:21 131072]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-05-25 12:21 155648]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-05-25 12:21 131072]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-25 12:21 16132608 C:\WINDOWS\RTHDCPL.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-05 13:20 180269]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb02.exe" [2001-03-22 20:48 192512]
"UDC Integration"="" []
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-07-21 15:30 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-25 08:44 579072]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 14:55 6731312]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-02-22 20:50 112216]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 11:27 136768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-25 14:26 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^computer^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\computer\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitDownload]
C:\Program Files\BitDownload\BitDownload.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 17:05 81920 C:\Program Files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-02 02:52 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
--a------ 2007-08-29 19:49 2532784 C:\Program Files\Internet Download Manager\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 21:54 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\svchost Agent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-10 21:03 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2003-12-13 06:20 33792 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-06-11 18:16 4670968 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"84:TCP"= 84:TCP:VRS Recording System Web Control Panel
"81:TCP"= 81:TCP:Axon Web Server

R2 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe [2006-03-24 22:04]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22d5b662-c785-11dc-b038-001167558fc8}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2faa834e-7579-11dc-956b-0019d187a3cf}]
\Shell\Auto\command - G:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56e6491b-4cc8-11dc-9494-0019d187a3cf}]
\Shell\AutoRun\command - I:\188qsm.bat
\Shell\explore\Command - I:\188qsm.bat
\Shell\open\Command - I:\188qsm.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{683226a4-62f0-11dc-950f-0019d187a3cf}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aea70086-5c39-11dc-94e5-0019d187a3cf}]
\Shell\AutoRun\command - G:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8794dac-8b65-11dc-95d3-0019d187a3cf}]
\Shell\AutoRun\command - G:\ntde1ect.com
\Shell\explore\Command - G:\ntde1ect.com
\Shell\open\Command - G:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9c4ff5b-e61e-11dc-b0ad-001167558fc8}]
\Shell\AutoRun\command - 2ifetri.cmd
\Shell\explore\Command - 2ifetri.cmd
\Shell\open\Command - 2ifetri.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8c2a2aa-cc00-11dc-b047-001167558fc8}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-01 14:54:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-15 03:30:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\svchost
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-15 19:22:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\crypserv.exe
C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\ansyslmd.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2008-03-15 19:23:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-15 13:53:49
ComboFix2.txt 2008-03-15 03:53:36
ComboFix3.txt 2008-03-14 19:14:38
ComboFix4.txt 2008-03-14 12:06:43
.
2008-02-13 18:30:05 --- E O F ---

------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:25:25 PM, on 3/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\crypserv.exe
C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\ansyslmd.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb02.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/f...trol_en_US.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://asia-ml04.asia.csc.com/iNotes6W.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://img2.orkut.com/activex/10035/photouploader.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor...n/pestscan.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/l2/bin/cortvrml.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: USBest Service Zero (UTSCSI) - USBest - C:\WINDOWS\system32\UTSCSI.EXE

--
End of file - 9695 bytes
Attached Files
File Type: txt KSCAN.txt (32.6 KB, 0 views)
File Type: txt ComboFix.txt (16.1 KB, 0 views)
File Type: txt hijackthis log.txt (9.5 KB, 0 views)
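The mountpoints2, Security Center and Scheduled Tasks parts of the ComboFix log above are where a responder looks first: per-drive AutoRun handlers that launch .bat/.cmd/.com files, or a bare file name resolved from the root of whichever removable drive is plugged in; the same handler bound to the open and explore verbs, so that double-clicking the drive in Explorer runs it; Security Center monitoring switched off; and an At1.job whose target is a "svchost" with no extension. The script below is an added triage example for this thread, not ComboFix code and not something the helper asked the poster to run. It parses a constructed excerpt abridged from the posted log and flags those patterns. The regular expressions, the key-prefix strings and the SCRIPT_EXT watch-list are my own assumptions about the log layout, not a ComboFix specification.

```python
"""Triage of ComboFix 'Reg Loading Points' / 'Scheduled Tasks' output.
Added example for this thread (hypothetical helper, not ComboFix code);
SAMPLE_LOG is a constructed excerpt abridged from the log posted above."""
import re
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22d5b662-c785-11dc-b038-001167558fc8}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2faa834e-7579-11dc-956b-0019d187a3cf}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56e6491b-4cc8-11dc-9494-0019d187a3cf}]
\Shell\AutoRun\command - I:\188qsm.bat
\Shell\open\Command - I:\188qsm.bat
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8794dac-8b65-11dc-95d3-0019d187a3cf}]
\Shell\AutoRun\command - G:\ntde1ect.com
\Shell\open\Command - G:\ntde1ect.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9c4ff5b-e61e-11dc-b0ad-001167558fc8}]
\Shell\AutoRun\command - 2ifetri.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
Contents of the 'Scheduled Tasks' folder
"2008-03-01 14:54:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-15 03:30:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\svchost
"""

SHELL_CMD_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.+)$", re.I)
JOB_RE = re.compile(r'^"\S+ \S+ (.+\.job)"$')
SCRIPT_EXT = (".bat", ".cmd", ".com", ".pif", ".scr", ".vbs")   # assumed watch-list
MP_PREFIX = "hkey_current_user\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\"
SC_PREFIX = "hkey_local_machine\\software\\microsoft\\security center\\monitoring"

def registry_sections(text):
    """Split the REGEDIT-style part of the log into {key: [lines under it]}."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line)
    return sections

def autorun_handlers(sections):
    """{guid: [(verb, command), ...]} for every mountpoints2 key."""
    result = {}
    for key, lines in sections.items():
        if key.lower().startswith(MP_PREFIX):
            result[key[len(MP_PREFIX):].lower()] = [
                (m.group(1).lower(), m.group(2).strip())
                for m in map(SHELL_CMD_RE.match, lines) if m]
    return result

def command_target(command):
    """File the handler launches; the RunDLL32 ShellExec_RunDLL form runs the
    bare name that follows it, resolved from the root of the inserted drive."""
    m = re.search(r"ShellExec_RunDLL\s+(\S+)", command, re.I)
    return m.group(1) if m else command.split()[0]

def flag_mountpoints(mounts):
    """(guid, verb, target, reasons) for handlers matching the worm patterns."""
    findings = []
    for guid, handlers in mounts.items():
        for verb, command in handlers:
            target = command_target(command)
            name = target.rsplit("\\", 1)[-1].lower()
            reasons = []
            if name.endswith(SCRIPT_EXT):
                reasons.append("script/.com payload")
            if not re.match(r"^[A-Za-z]:\\", target):
                reasons.append("bare name resolved from the drive root")
            if verb in ("open", "explore"):
                reasons.append("hijacks the '%s' verb" % verb)
            if reasons:
                findings.append((guid, verb, target, "; ".join(reasons)))
    return findings

def disabled_monitoring(sections):
    """Security Center keys (last path component) with DisableMonitoring = 1."""
    return [key.rsplit("\\", 1)[-1] for key, lines in sections.items()
            if key.lower().startswith(SC_PREFIX) and any(
                re.match(r'^"DisableMonitoring"=dword:0*1$', l, re.I) for l in lines)]

def suspicious_tasks(text):
    """(job, target) pairs whose target has no program extension or is a script."""
    found, lines = [], text.splitlines()
    for i, line in enumerate(lines[:-1]):
        m = JOB_RE.match(line)
        if m and lines[i + 1].startswith("- "):
            target = lines[i + 1][2:].strip()
            name = target.rsplit("\\", 1)[-1].lower()
            if "." not in name or name.endswith(SCRIPT_EXT):
                found.append((m.group(1), target))
    return found

if __name__ == "__main__":
    for finding in flag_mountpoints(autorun_handlers(registry_sections(SAMPLE_LOG))):
        print("mountpoints2 %s %-7s -> %s (%s)" % finding)
    print(disabled_monitoring(registry_sections(SAMPLE_LOG)), suspicious_tasks(SAMPLE_LOG))
```

Two reading notes. LaunchU3.exe on I: is left alone because it is an absolute path to an .exe bound only to AutoRun, which is what a U3 USB stick legitimately registers; the script is a triage aid, not a verdict, and anything it lists still has to be checked against the actual drive. The Security Center DisableMonitoring value is also written legitimately by third-party suites under their own subkey (the Symantec-named subkeys in the log have that shape), so that finding means "reconcile against what is installed", not "malware turned the AV off".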
crunchie (Moderator, Spyware Killer)

Re: Not-A-Virus.Monitor.Win32.Ardamax.ae

#16
Mar 15th, 2008
I can see a couple of reasons there why you are infected: P2P software and Key Generators. Keygens will get you almost every time.

==

Go to Start | Run and type msconfig and press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings link on the left.

Check the box labelled 'Turn off System restore'.

Reboot. Go back in and turn System Restore back on. A new Restore Point will be created.

Note that all previous restore points will be lost.

==

Is your "E" Drive removable? If not, do the following:

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
KillAll::

Folder::
E:\Softwares setups\002
E:\Softwares setups\DivX.Pro.UI
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Attached animation: CFScript.gif]


7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
  • Combofix.txt
  • A new HijackThis log.
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

==

If it is, you need to clean the crap off it. A good format should do it.
Last edited by crunchie; Mar 15th, 2008 at 9:01 pm.
vidyaskandan (Light Poster; Join Date: Nov 2007; Posts: 44)

Re: Not-A-Virus.Monitor.Win32.Ardamax.ae

#17
Mar 16th, 2008
Hi. Here are the recent log files of ComboFix and HJT. I have now uninstalled the P2P software that was already installed on my system. Hope this is OK!!!

-----------------------------------------------------------------------------------------------------

ComboFix 08-03-13.4 - computer 2008-03-16 10:50:36.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.624 [GMT 5.5:30]
Running from: C:\Documents and Settings\computer\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\computer\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\Softwares setups\002
E:\Softwares setups\002\AVG_Anti-Virus_plus_Firewall_pro7.5.503_Build_1205__by_shanu.rar
E:\Softwares setups\DivX.Pro.UI
E:\Softwares setups\DivX.Pro.UI\DivX Pro + DivX Player 6[1].6.0.rar
E:\Softwares setups\DivX.Pro.UI\DivXInstaller.exe
E:\Softwares setups\DivX.Pro.UI\Keygen\KeyGen [ DivX Pro + DivX Player 6.6.0 ].exe
E:\Softwares setups\DivX.Pro.UI\Keygen\READ.TXT

.
((((((((((((((((((((((((( Files Created from 2008-02-16 to 2008-03-16 )))))))))))))))))))))))))))))))
.

2008-03-15 19:50 . 2008-03-15 19:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-13 20:09 . 2008-03-13 20:18 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-03-13 19:13 . 2008-03-13 19:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-13 19:06 . 2008-03-13 19:07 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-11 19:03 . 2008-03-11 19:03 <DIR> d-------- C:\fsaua.data
2008-03-11 18:42 . 2008-03-11 18:42 <DIR> d-------- C:\Program Files\McAfee
2008-03-11 18:42 . 2008-03-11 18:42 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-03-11 18:42 . 2008-03-11 18:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-11 18:42 . 2006-12-19 15:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2008-03-11 18:42 . 2007-02-22 20:50 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-03-11 18:42 . 2006-11-30 08:50 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-03-11 18:42 . 2006-11-30 08:50 64,360 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2008-03-11 18:42 . 2006-11-30 08:50 52,136 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2008-03-11 18:42 . 2006-11-30 08:50 34,152 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-03-11 18:42 . 2006-12-19 15:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2008-03-10 20:20 . 2008-03-13 21:29 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-10 20:20 . 2008-03-10 20:20 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-10 19:34 . 1998-06-19 12:23 270,848 --a------ C:\WINDOWS\UNWISE32.EXE
2008-03-06 18:47 . 2008-03-11 18:18 <DIR> d-------- C:\Program Files\Macrogaming
2008-03-06 18:03 . 2008-03-06 18:03 <DIR> d-------- C:\Documents and Settings\computer\Application Data\LQ Graphics
2008-03-06 15:11 . 2008-03-06 15:12 1,045 --a------ C:\temp.avs
2008-03-06 15:11 . 2008-03-06 15:12 55 --a------ C:\WINDOWS\param.ini
2008-03-06 15:09 . 2004-02-23 21:41 719,872 --a------ C:\WINDOWS\system32\devil.dll
2008-03-06 15:09 . 2005-10-08 01:14 308,224 --a------ C:\WINDOWS\system32\avisynth.dll
2008-03-06 15:09 . 2006-05-11 09:43 163,496 --a------ C:\WINDOWS\system32\help.chm
2008-03-06 15:09 . 2006-05-11 09:41 80 --a------ C:\WINDOWS\system32\Home Page.url
2008-03-04 00:45 . 2008-03-04 00:47 <DIR> d-------- C:\Program Files\Free Video Converter
2008-03-03 00:37 . 2008-03-14 14:32 <DIR> d-------- C:\divx
2008-03-01 03:44 . 2008-03-05 00:25 <DIR> d-------- C:\Documents and Settings\computer\Application Data\dvdcss
2008-03-01 02:45 . 2008-03-01 02:45 42,612 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-02-27 09:07 . 2008-02-27 09:07 <DIR> d-------- C:\Documents and Settings\computer\Application Data\Grisoft
2008-02-27 09:07 . 2007-05-30 17:40 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-26 06:52 . 2008-02-26 06:52 <DIR> d-------- C:\Program Files\PCZeitschaltuhr
2008-02-26 06:52 . 2008-02-27 13:44 <DIR> d-------- C:\Documents and Settings\computer\Application Data\AutoPowerOn
2008-02-23 15:33 . 2007-04-23 05:45 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2008-02-23 15:33 . 2007-04-23 05:45 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2008-02-23 15:33 . 2007-04-23 05:45 116,472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2008-02-23 15:33 . 2007-04-23 05:45 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-02-23 15:33 . 2007-04-23 05:45 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-02-16 02:01 . 2008-02-16 02:01 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\PDFcreator

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-16 04:29 --------- d-----w C:\Documents and Settings\computer\Application Data\AVG7
2008-03-14 04:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-12 17:18 --------- d-----w C:\Program Files\Yahoo!
2008-03-12 16:02 --------- d-----w C:\Documents and Settings\computer\Application Data\DMCache
2008-03-07 12:48 --------- d-----w C:\Documents and Settings\computer\Application Data\MegauploadToolbar
2008-03-06 14:00 --------- d-----w C:\Program Files\ANSYS Inc
2008-03-02 08:05 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-01 05:45 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-29 21:51 --------- d-----w C:\Program Files\Picasa2
2008-02-27 09:33 --------- d-----w C:\Program Files\Nokia
2008-02-27 03:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-23 10:15 --------- d-----w C:\Documents and Settings\computer\Application Data\DivX
2008-02-23 10:03 --------- d-----w C:\Program Files\DivX
2008-02-20 21:49 --------- d-----w C:\Documents and Settings\computer\Application Data\uTorrent
2008-02-10 09:56 --------- d-----w C:\Documents and Settings\computer\Application Data\IDM
2008-02-02 19:35 --------- d-----w C:\Documents and Settings\computer\Application Data\U3
2008-01-16 16:52 --------- d-----w C:\Documents and Settings\computer\Application Data\PC Suite
2008-01-16 16:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-01-16 16:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bluetooth
2008-01-16 16:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-16 16:43 --------- d-----w C:\Program Files\IVT Corporation
2007-12-23 16:47 32,232 ----a-w C:\license.dat
2007-12-16 17:58 218,624 ----a-w C:\WINDOWS\system32\uxtheme.dll
2007-09-23 12:59 52,768 ----a-w C:\Documents and Settings\computer\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-03-14_17.36.30.79 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-05-24 06:57:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 10:17:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 10:19:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:30 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 21:54 1694208]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-11 18:16 4670968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-05-25 12:21 131072]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-05-25 12:21 155648]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-05-25 12:21 131072]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-25 12:21 16132608 C:\WINDOWS\RTHDCPL.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-05 13:20 180269]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb02.exe" [2001-03-22 20:48 192512]
"UDC Integration"="" []
"OrderReminder"="C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe" [2006-07-21 15:30 98304]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-25 08:44 579072]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 14:55 6731312]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-02-22 20:50 112216]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 11:27 136768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-25 14:26 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^computer^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\computer\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitDownload]
C:\Program Files\BitDownload\BitDownload.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
--a------ 2004-08-22 17:05 81920 C:\Program Files\D-Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-02 02:52 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
--a------ 2007-08-29 19:49 2532784 C:\Program Files\Internet Download Manager\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 21:54 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\svchost Agent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-08-10 21:03 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2003-12-13 06:20 33792 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-06-11 18:16 4670968 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"84:TCP"= 84:TCP:VRS Recording System Web Control Panel
"81:TCP"= 81:TCP:Axon Web Server

R2 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe [2006-03-24 22:04]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys []
S3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{22d5b662-c785-11dc-b038-001167558fc8}]
\Shell\AutoRun\command - I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2faa834e-7579-11dc-956b-0019d187a3cf}]
\Shell\Auto\command - G:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56e6491b-4cc8-11dc-9494-0019d187a3cf}]
\Shell\AutoRun\command - I:\188qsm.bat
\Shell\explore\Command - I:\188qsm.bat
\Shell\open\Command - I:\188qsm.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{683226a4-62f0-11dc-950f-0019d187a3cf}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aea70086-5c39-11dc-94e5-0019d187a3cf}]
\Shell\AutoRun\command - G:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8794dac-8b65-11dc-95d3-0019d187a3cf}]
\Shell\AutoRun\command - G:\ntde1ect.com
\Shell\explore\Command - G:\ntde1ect.com
\Shell\open\Command - G:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b9c4ff5b-e61e-11dc-b0ad-001167558fc8}]
\Shell\AutoRun\command - 2ifetri.cmd
\Shell\explore\Command - 2ifetri.cmd
\Shell\open\Command - 2ifetri.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8c2a2aa-cc00-11dc-b047-001167558fc8}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-15 14:54:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-15 03:30:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\svchost
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-16 10:55:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\ansyslmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-03-16 10:57:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-16 05:27:46
ComboFix2.txt 2008-03-15 03:53:36
ComboFix3.txt 2008-03-14 19:14:38
ComboFix4.txt 2008-03-14 12:06:43
.
2008-02-13 18:30:05 --- E O F ---

--------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00:07 AM, on 3/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe
C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\ansyslmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb02.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/f...trol_en_US.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://asia-ml04.asia.csc.com/iNotes6W.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://img2.orkut.com/activex/10035/photouploader.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor...n/pestscan.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/l2/bin/cortvrml.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - C:\PROGRA~1\ANSYSI~2\SHARED~1\LICENS~1\Intel\lmgrd.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: USBest Service Zero (UTSCSI) - USBest - C:\WINDOWS\system32\UTSCSI.EXE

--
End of file - 10278 bytes

-------------------------------------------------------------------------------------------------------

Thanks !!!
Last edited by vidyaskandan; Mar 16th, 2008 at 2:45 am. Reason: Incomplete
vidyaskandan (Light Poster)

Re: Not-A-Virus.Monitor.Win32.Ardamax.ae
#18
Mar 16th, 2008
Hi. Now I understand that I am getting this problem only because of the USB pen drive. Once I run ComboFix with the given scripts the server gets connected. But unknowingly I used the pen drive again and hence I got the problem again. After the last scan by ComboFix, I am able to update my AVG and even my ActiveX is getting installed (that is why I was able to run the Kaspersky online scan). Please review my recent log files for any possible fixes to be done for the virus.

Since this problem is connected to pen drive usage, can I get any suggestion to write-protect it? I have a Transcend 2GB pen drive and I didn't get any software for that.

I also understand that this is another topic which is to be posted separately. Since the spyware/malware/virus in this topic is in connection with USB drive I am posting here.

Thanks !!!
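The MountPoints2 entries and the At1.job line in the ComboFix log posted above are the mechanism behind the pen-drive reinfection described in this post: Windows caches the shell verbs from a removable drive's autorun.inf under HKCU\...\MountPoints2\{volume GUID}, so double-click, Explore and AutoPlay on that drive all start the file named there. The script below is an added example, not code from this thread, from ComboFix or from HijackThis. It parses those two log sections and flags the handlers a responder would want to look at. The sample text is excerpted from the log above; the function names and the heuristics (relative target, launch through RunDLL32 ShellExec_RunDLL, script or COM-style extension, one-character substitution of a known system file name, both open and explore verbs overridden, extensionless scheduled-task target, At*.job created with the at command) are my own choices and not anything the tools do.

```python
import re

# Constructed sample: lines excerpted from the ComboFix log posted above in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aea70086-5c39-11dc-94e5-0019d187a3cf}]
\Shell\AutoRun\command - G:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8794dac-8b65-11dc-95d3-0019d187a3cf}]
\Shell\AutoRun\command - G:\ntde1ect.com
\Shell\explore\Command - G:\ntde1ect.com
\Shell\open\Command - G:\ntde1ect.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8c2a2aa-cc00-11dc-b047-001167558fc8}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe
"2008-03-15 14:54:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-15 03:30:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\svchost
"""

MP2_HEADER = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
MP2_HANDLER = re.compile(r"^\\Shell\\(\w+)\\command - (.+)$", re.I)
TASK_LINE = re.compile(r'^"\S+ \S+ (.+\.job)"$')
# Names an autorun stub likes to imitate (my list); ntde1ect.com in the log is one
# substituted character away from the XP boot file ntdetect.com.
SYSTEM_NAMES = ("ntdetect.com", "ntldr", "svchost.exe", "explorer.exe", "rundll32.exe")
SCRIPT_EXTS = (".com", ".bat", ".cmd", ".pif", ".scr", ".vbs")


def lookalike(name):
    """System file name that differs from 'name' by exactly one substituted character."""
    name = name.lower()
    for real in SYSTEM_NAMES:
        if len(real) == len(name) and sum(x != y for x, y in zip(real, name)) == 1:
            return real
    return None


def parse_mountpoints2(text):
    """Map each volume GUID to its {verb: command line} shell handlers."""
    volumes, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = MP2_HEADER.match(line)
        if m:
            current = volumes.setdefault(m.group(1).lower(), {})
            continue
        m = MP2_HANDLER.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).strip()
    return volumes


def parse_tasks(text):
    """Pair each .job line with the '- target' line that follows it."""
    tasks, job = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = TASK_LINE.match(line)
        if m:
            job = m.group(1)
        elif job and line.startswith("- "):
            tasks.append((job, line[2:].strip()))
            job = None
    return tasks


def launched_file(cmdline):
    """File a handler really starts: last argument for the RunDLL32 ShellExec trick, else first token."""
    tokens = cmdline.split()
    return tokens[-1] if "shellexec_rundll" in cmdline.lower() else tokens[0]


def assess_volume(handlers):
    """Heuristic findings for one volume; an empty list means nothing looked odd."""
    findings = []
    for verb, cmd in handlers.items():
        exe = launched_file(cmd)
        base = exe.rsplit("\\", 1)[-1]
        if not re.match(r"^[A-Za-z]:\\", exe):
            findings.append(f"{verb}: relative target '{exe}' resolves against the volume root")
        if "shellexec_rundll" in cmd.lower():
            findings.append(f"{verb}: started through RunDLL32 ShellExec_RunDLL")
        if base.lower().endswith(SCRIPT_EXTS):
            findings.append(f"{verb}: script or COM-style payload '{base}'")
        if real := lookalike(base):
            findings.append(f"{verb}: '{base}' imitates system file '{real}'")
    if {"open", "explore"} <= set(handlers):
        findings.append("open and explore verbs overridden: double-click and Explore both run the payload")
    return findings


def assess_task(job, target):
    """Flag extensionless targets and jobs created with the 'at' command."""
    findings, base = [], target.rsplit("\\", 1)[-1]
    if "." not in base:
        note = f" (shadows system name {base}.exe)" if f"{base.lower()}.exe" in SYSTEM_NAMES else ""
        findings.append(f"{job}: extensionless target '{base}'{note}")
    if re.match(r"^At\d+\.job$", job.rsplit("\\", 1)[-1]):
        findings.append(f"{job}: created with the 'at' command; confirm who scheduled it")
    return findings


def audit(text):
    report = {guid: assess_volume(h) for guid, h in parse_mountpoints2(text).items()}
    report.update({job: assess_task(job, target) for job, target in parse_tasks(text)})
    return report
```

Run `audit(SAMPLE_LOG)` and the PortableApps volume and the Apple update job come back with no findings, while the ntde1ect.com volume is flagged on every verb and the At1.job entry is flagged twice. One caveat worth knowing when cleaning up after a drive infection of this kind: formatting the pen drive removes autorun.inf and the payload from the drive, but the cached handlers stay in HKCU\...\MountPoints2 until that key is cleared, which is why ComboFix lists them.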
crunchie (Moderator, Spyware Killer)

Re: Not-A-Virus.Monitor.Win32.Ardamax.ae
#19
Mar 16th, 2008
If you right click on the drive in question you should get an option to format it. I would choose that one.
Your latest logs look ok. Maybe you should think about purchasing those software programs rather than risk getting infected?
vidyaskandan (Light Poster)

Re: Not-A-Virus.Monitor.Win32.Ardamax.ae
#20
Mar 16th, 2008
Originally Posted by crunchie
If you right click on the drive in question you should get an option to format it. I would choose that one.
Your latest logs look ok. Maybe you should think about purchasing those software programs rather than risk getting infected?
Hi. Yeah, I formatted the USB drive. But I am afraid about the infecting virus, because I heard that it saves all the keystrokes, saves them as a log file and sends it to someone. (I could not use credit card numbers, etc.) If that is the case, is it safe to continue or do I have to make some changes in settings? Do you think formatting the hard disk can solve the problem? But I am not at all interested in formatting. Else I would have done that before posting here.
This thread has been marked solved.

©2003 - 2009 DaniWeb® LLC