 |  |  |  |  |  |  |  |
Need help cleaning PC
 |
I have a problem and I cant seem to find it. Please help me.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:49:01 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\msconfig.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - {11241072-58BB-40CE-9171-0B2BDFB22E97} - C:\WINDOWS\system32\fccdebx.dll (file missing)
O2 - BHO: (no name) - {7A4E840D-7FF4-410F-B394-5FD80D68A86D} - C:\WINDOWS\system32\ddaba.dll (file missing)
O2 - BHO: TrendProtect - {E3578B37-6346-4EC1-A82B-38273A100DCF} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: TrendProtect - {F83BE649-1CC3-48EE-B2E2-0826CEF3822A} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [DRam prosessor] msconfig.exe
O4 - HKLM\..\Run: [m7] "C:\progra~1\common~1\m7\in.vbs"
O4 - HKLM\..\Run: [WinReanimator] "C:\Program Files\WinReanimator\WinReanimator.exe" /hide
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\RunServices: [DRam prosessor] msconfig.exe
O4 - HKCU\..\Run: [BackupNotify] C:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKCU\..\Run: [540patrick] C:\Program Files\BPK\540patrick.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\PopSubtract\PopSub.exe
O4 - Global Startup: Shortcut to MTS.lnk = ?
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with &ZipScan - C:\DOCUME~1\Owner\Desktop\NEWFOL~2\ZIPSCA~2\zs_ie.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B6EF099-4716-446F-A3C9-1E8CB0905BF9}: NameServer = 85.255.116.157 85.255.112.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O18 - Protocol: trendprotect - {BC3A5F6F-12A0-4B14-A184-32939F413823} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: fccdebx - fccdebx.dll (file missing)
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
--
End of file - 7983 bytes
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:49:01 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\msconfig.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - {11241072-58BB-40CE-9171-0B2BDFB22E97} - C:\WINDOWS\system32\fccdebx.dll (file missing)
O2 - BHO: (no name) - {7A4E840D-7FF4-410F-B394-5FD80D68A86D} - C:\WINDOWS\system32\ddaba.dll (file missing)
O2 - BHO: TrendProtect - {E3578B37-6346-4EC1-A82B-38273A100DCF} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: TrendProtect - {F83BE649-1CC3-48EE-B2E2-0826CEF3822A} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [DRam prosessor] msconfig.exe
O4 - HKLM\..\Run: [m7] "C:\progra~1\common~1\m7\in.vbs"
O4 - HKLM\..\Run: [WinReanimator] "C:\Program Files\WinReanimator\WinReanimator.exe" /hide
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\RunServices: [DRam prosessor] msconfig.exe
O4 - HKCU\..\Run: [BackupNotify] C:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKCU\..\Run: [540patrick] C:\Program Files\BPK\540patrick.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\PopSubtract\PopSub.exe
O4 - Global Startup: Shortcut to MTS.lnk = ?
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with &ZipScan - C:\DOCUME~1\Owner\Desktop\NEWFOL~2\ZIPSCA~2\zs_ie.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B6EF099-4716-446F-A3C9-1E8CB0905BF9}: NameServer = 85.255.116.157 85.255.112.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O18 - Protocol: trendprotect - {BC3A5F6F-12A0-4B14-A184-32939F413823} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: fccdebx - fccdebx.dll (file missing)
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
--
End of file - 7983 bytes
Hi and welcome to the Daniweb forums 
.
==========
Download
SDFix
and save it to your desktop.
Please then reboot your computer in Safe Mode by doing the
following :
.==========
Download
SDFix
and save it to your desktop.
Please then reboot your computer in Safe Mode by doing the
following :
- Restart your computer
- After hearing your computer beep once during startup, but before the
Windows icon appears, tap the F8 key continually; - Instead of Windows loading as normal, a menu with options should appear;
- Select the first option, to run Windows in Safe Mode, then press "Enter".
- Choose your usual account.
- In Safe Mode, right click the SDFix.zip folder and choose Extract
All, - Open the extracted folder and double click RunThis.bat to
start the script. - Type Y to begin the script.
- It will remove the Trojan Services then make some repairs to the
registry and prompt you to press any key to Reboot. - Press any Key and it will restart the PC.
- Your system will take longer that normal to restart as the fixtool
will be running and removing files. - When the desktop loads the Fixtool will complete the removal and
display Finished, then press any key to end the script and load
your desktop icons. - Finally open the SDFix folder on your desktop and copy and paste the
contents of the results file Report.txt back onto the forum with
a new HijackThis log
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Thank you for your help.
SDFix: Version 1.167
Run by Owner on Tue 04/08/2008 at 07:54 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\Owner\Desktop\SDFix\SDFix
Checking Services :
Name:
hhlmken
Path:
\??\C:\WINDOWS\system32\ras\hhlmken.scp
hhlmken - Deleted
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\system32\ras\hhlmken.scp - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-08 20:05:06
Windows 5.1.2600 Service Pack 2 NTFS
detected NTDLL code modification:
ZwClose
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS]
"StateIndex"=dword:00000000
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"="C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe:*:Enabled:BackWeb-137903"
"C:\\Program Files\\InterMute\\SpamSubtract\\SpamSub.exe"="C:\\Program Files\\InterMute\\SpamSubtract\\SpamSub.exe:*:Enabled:SpamSubtract Main Module"
"C:\\Program Files\\World of Warcraft\\WoW-1.8.0-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.8.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.8.3.4807-to-1.8.4.4878-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.8.3.4807-to-1.8.4.4878-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\World of Warcraft\\WoW-1.8.4.4878-to-1.9.0.4937-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.8.4.4878-to-1.9.0.4937-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.9.2.4996-to-1.9.3.5059-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.9.2.4996-to-1.9.3.5059-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.9.0-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.9.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.9.4.5086-to-1.10.0.5195-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.9.4.5086-to-1.10.0.5195-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"="C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.10.2.5302-to-1.11.0.5428-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.10.2.5302-to-1.11.0.5428-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Ubisoft\\Crytek\\Far Cry\\Bin32\\FarCry.exe"="C:\\Program Files\\Ubisoft\\Crytek\\Far Cry\\Bin32\\FarCry.exe:*:Enabled:Far Cry"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Video Capturix 2007\\vcap2k7.exe"="C:\\Program Files\\Video Capturix 2007\\vcap2k7.exe:*:Disabled:Video Capture Application"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"="C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe:*:Enabled:Adobe Version Cue CS3 Server"
"C:\\Program Files\\Atari\\Test Drive Unlimited\\TestDriveUnlimited.exe"="C:\\Program Files\\Atari\\Test Drive Unlimited\\TestDriveUnlimited.exe:*:Disabled:Test Drive Unlimited"
"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe"="C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe:*:Enabled:Google Desktop"
"C:\\Program Files\\SoundSpectrum\\G-Force\\G-Force Standalone.exe"="C:\\Program Files\\SoundSpectrum\\G-Force\\G-Force Standalone.exe:*:Enabled:G-Force Standalone"
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Enabled:Windows Media Player"
"C:\\Program Files\\Internet Explorer\\PLUGINS\\cxsrrs.exe"="C:\\Program Files\\Internet Explorer\\PLUGINS\\cxsrrs.exe:*:Disabled:cxsrrs"
"c:\\msiupdat.exe"="c:\\msiupdat.exe:*:Enabled:utorrent7"
"C:\\Program Files\\GameHouse Games Collection\\Wheel of Fortune\\Wheel of Fortune.exe"="C:\\Program Files\\GameHouse Games Collection\\Wheel of Fortune\\Wheel of Fortune.exe:*:Disabled:Wheel of Fortune"
"C:\\Program Files\\Windows Media Player\\WMP.exe"="C:\\Program Files\\Windows Media Player\\WMP.exe:*:Enabled:Windows Media Player"
"C:\\Program Files\\LimeWire\\LWP.exe"="C:\\Program Files\\LimeWire\\LWP.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\system32\\msconfig.exe"="C:\\WINDOWS\\system32\\msconfig.exe:*:Disabled:msconfig"
"C:\\Program Files\\Modem\\modemspy.exe"="C:\\Program Files\\Modem\\modemspy.exe:*:Enabled:modemspy"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
Remaining Files :
File Backups: - C:\DOCUME~1\Owner\Desktop\SDFix\SDFix\backups\backups.zip
Files with Hidden Attributes :
Tue 29 Nov 2005 196 A.SHR --- "C:\BOOT.BAK"
Mon 28 Nov 2005 0 A.SH. --- "C:\WINDOWS\SMINST\HPCD.sys"
Wed 19 Mar 2008 80 ..SHR --- "C:\WINDOWS\system32\7A5DBBE5E4.dll"
Tue 11 Mar 2008 56 ..SHR --- "C:\WINDOWS\system32\7A5DBBE5E4.sys"
Tue 11 Mar 2008 1,682 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Wed 13 Jun 2007 1,287,695 A.SHR --- "C:\WINDOWS\system32\msconfig.exe"
Tue 11 Mar 2008 8 ..SHR --- "C:\Documents and Settings\All Users\Application Data\E4E5BB5D7A.sys"
Tue 11 Mar 2008 2,516 A.SH. --- "C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys"
Fri 9 Dec 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 29 Mar 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.key.bak"
Wed 22 Aug 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 8 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\02cded8b341a95a07525625c2bc327cd\BIT6.tmp"
Tue 8 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\30afadc4c35db2f5d8b4c076a49edc7b\BIT4.tmp"
Tue 8 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ca6c24ab62fe8433c5d63bb11a2e5a2c\BIT5.tmp"
Sun 9 Mar 2008 888 ...HR --- "C:\Documents and Settings\Owner\Application Data\SecuROM\UserData\securom_v7_01.bak"
Tue 29 Mar 2005 4,348 ...H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1key.bak"
Sun 15 May 2005 20 A..H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1lic.bak"
Sun 3 Apr 2005 488 A.SH. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv2key.bak"
Finished!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:23:51 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\PopSubtract\PopSub.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - {11241072-58BB-40CE-9171-0B2BDFB22E97} - C:\WINDOWS\system32\fccdebx.dll (file missing)
O2 - BHO: (no name) - {7A4E840D-7FF4-410F-B394-5FD80D68A86D} - C:\WINDOWS\system32\ddaba.dll (file missing)
O2 - BHO: TrendProtect - {E3578B37-6346-4EC1-A82B-38273A100DCF} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: TrendProtect - {F83BE649-1CC3-48EE-B2E2-0826CEF3822A} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [m7] "C:\progra~1\common~1\m7\in.vbs"
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [BackupNotify] C:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [540patrick] C:\Program Files\BPK\540patrick.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\PopSubtract\PopSub.exe
O4 - Global Startup: Shortcut to MTS.lnk = ?
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with &ZipScan - C:\DOCUME~1\Owner\Desktop\NEWFOL~2\ZIPSCA~2\zs_ie.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B6EF099-4716-446F-A3C9-1E8CB0905BF9}: NameServer = 85.255.116.157 85.255.112.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O18 - Protocol: trendprotect - {BC3A5F6F-12A0-4B14-A184-32939F413823} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: fccdebx - fccdebx.dll (file missing)
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
--
End of file - 7914 bytes
SDFix: Version 1.167
Run by Owner on Tue 04/08/2008 at 07:54 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\Owner\Desktop\SDFix\SDFix
Checking Services :
Name:
hhlmken
Path:
\??\C:\WINDOWS\system32\ras\hhlmken.scp
hhlmken - Deleted
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\system32\ras\hhlmken.scp - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-08 20:05:06
Windows 5.1.2600 Service Pack 2 NTFS
detected NTDLL code modification:
ZwClose
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC]
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS]
"StateIndex"=dword:00000000
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"="C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe:*:Enabled:BackWeb-137903"
"C:\\Program Files\\InterMute\\SpamSubtract\\SpamSub.exe"="C:\\Program Files\\InterMute\\SpamSubtract\\SpamSub.exe:*:Enabled:SpamSubtract Main Module"
"C:\\Program Files\\World of Warcraft\\WoW-1.8.0-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.8.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.8.3.4807-to-1.8.4.4878-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.8.3.4807-to-1.8.4.4878-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\World of Warcraft\\WoW-1.8.4.4878-to-1.9.0.4937-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.8.4.4878-to-1.9.0.4937-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.9.2.4996-to-1.9.3.5059-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.9.2.4996-to-1.9.3.5059-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.9.0-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.9.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.9.4.5086-to-1.10.0.5195-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.9.4.5086-to-1.10.0.5195-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"="C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.10.2.5302-to-1.11.0.5428-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.10.2.5302-to-1.11.0.5428-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Ubisoft\\Crytek\\Far Cry\\Bin32\\FarCry.exe"="C:\\Program Files\\Ubisoft\\Crytek\\Far Cry\\Bin32\\FarCry.exe:*:Enabled:Far Cry"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Video Capturix 2007\\vcap2k7.exe"="C:\\Program Files\\Video Capturix 2007\\vcap2k7.exe:*:Disabled:Video Capture Application"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"="C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe:*:Enabled:Adobe Version Cue CS3 Server"
"C:\\Program Files\\Atari\\Test Drive Unlimited\\TestDriveUnlimited.exe"="C:\\Program Files\\Atari\\Test Drive Unlimited\\TestDriveUnlimited.exe:*:Disabled:Test Drive Unlimited"
"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe"="C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe:*:Enabled:Google Desktop"
"C:\\Program Files\\SoundSpectrum\\G-Force\\G-Force Standalone.exe"="C:\\Program Files\\SoundSpectrum\\G-Force\\G-Force Standalone.exe:*:Enabled:G-Force Standalone"
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Enabled:Windows Media Player"
"C:\\Program Files\\Internet Explorer\\PLUGINS\\cxsrrs.exe"="C:\\Program Files\\Internet Explorer\\PLUGINS\\cxsrrs.exe:*:Disabled:cxsrrs"
"c:\\msiupdat.exe"="c:\\msiupdat.exe:*:Enabled:utorrent7"
"C:\\Program Files\\GameHouse Games Collection\\Wheel of Fortune\\Wheel of Fortune.exe"="C:\\Program Files\\GameHouse Games Collection\\Wheel of Fortune\\Wheel of Fortune.exe:*:Disabled:Wheel of Fortune"
"C:\\Program Files\\Windows Media Player\\WMP.exe"="C:\\Program Files\\Windows Media Player\\WMP.exe:*:Enabled:Windows Media Player"
"C:\\Program Files\\LimeWire\\LWP.exe"="C:\\Program Files\\LimeWire\\LWP.exe:*:Enabled:LimeWire"
"C:\\WINDOWS\\system32\\msconfig.exe"="C:\\WINDOWS\\system32\\msconfig.exe:*:Disabled:msconfig"
"C:\\Program Files\\Modem\\modemspy.exe"="C:\\Program Files\\Modem\\modemspy.exe:*:Enabled:modemspy"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
Remaining Files :
File Backups: - C:\DOCUME~1\Owner\Desktop\SDFix\SDFix\backups\backups.zip
Files with Hidden Attributes :
Tue 29 Nov 2005 196 A.SHR --- "C:\BOOT.BAK"
Mon 28 Nov 2005 0 A.SH. --- "C:\WINDOWS\SMINST\HPCD.sys"
Wed 19 Mar 2008 80 ..SHR --- "C:\WINDOWS\system32\7A5DBBE5E4.dll"
Tue 11 Mar 2008 56 ..SHR --- "C:\WINDOWS\system32\7A5DBBE5E4.sys"
Tue 11 Mar 2008 1,682 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Wed 13 Jun 2007 1,287,695 A.SHR --- "C:\WINDOWS\system32\msconfig.exe"
Tue 11 Mar 2008 8 ..SHR --- "C:\Documents and Settings\All Users\Application Data\E4E5BB5D7A.sys"
Tue 11 Mar 2008 2,516 A.SH. --- "C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys"
Fri 9 Dec 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 29 Mar 2005 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.key.bak"
Wed 22 Aug 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 8 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\02cded8b341a95a07525625c2bc327cd\BIT6.tmp"
Tue 8 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\30afadc4c35db2f5d8b4c076a49edc7b\BIT4.tmp"
Tue 8 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ca6c24ab62fe8433c5d63bb11a2e5a2c\BIT5.tmp"
Sun 9 Mar 2008 888 ...HR --- "C:\Documents and Settings\Owner\Application Data\SecuROM\UserData\securom_v7_01.bak"
Tue 29 Mar 2005 4,348 ...H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1key.bak"
Sun 15 May 2005 20 A..H. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv1lic.bak"
Sun 3 Apr 2005 488 A.SH. --- "C:\Documents and Settings\Owner\My Documents\My Music\License Backup\drmv2key.bak"
Finished!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:23:51 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\PopSubtract\PopSub.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: (no name) - {11241072-58BB-40CE-9171-0B2BDFB22E97} - C:\WINDOWS\system32\fccdebx.dll (file missing)
O2 - BHO: (no name) - {7A4E840D-7FF4-410F-B394-5FD80D68A86D} - C:\WINDOWS\system32\ddaba.dll (file missing)
O2 - BHO: TrendProtect - {E3578B37-6346-4EC1-A82B-38273A100DCF} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: TrendProtect - {F83BE649-1CC3-48EE-B2E2-0826CEF3822A} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [m7] "C:\progra~1\common~1\m7\in.vbs"
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [BackupNotify] C:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [540patrick] C:\Program Files\BPK\540patrick.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\PopSubtract\PopSub.exe
O4 - Global Startup: Shortcut to MTS.lnk = ?
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with &ZipScan - C:\DOCUME~1\Owner\Desktop\NEWFOL~2\ZIPSCA~2\zs_ie.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B6EF099-4716-446F-A3C9-1E8CB0905BF9}: NameServer = 85.255.116.157 85.255.112.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O18 - Protocol: trendprotect - {BC3A5F6F-12A0-4B14-A184-32939F413823} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: fccdebx - fccdebx.dll (file missing)
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
--
End of file - 7914 bytes
Please use the Internet Explorer browser (or FireFox with IETab), and do an online scan with Kaspersky Online Scanner
Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component
Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.
==============
Scan with HijackThis and then place a check next to all the following, if present:
O2 - BHO: (no name) - {11241072-58BB-40CE-9171-0B2BDFB22E97} - C:\WINDOWS\system32\fccdebx.dll (file missing)
O2 - BHO: (no name) - {7A4E840D-7FF4-410F-B394-5FD80D68A86D} - C:\WINDOWS\system32\ddaba.dll (file missing)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - Global Startup: Shortcut to MTS.lnk = ?
O20 - Winlogon Notify: fccdebx - fccdebx.dll (file missing)
Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".
===============
Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:
Search for...
ALCXMNTR.EXE
...using "Start | Search...".
-
Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:
-
Reboot.
===============
After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.
Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component
Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
- Once the files are downloaded click on Next
- Click on Scan Settings and configure as follows:
- Scan using the following Anti-Virus database:
- Extended
- Scan Options:
- Scan Archives
- Scan Mail Bases
- Scan using the following Anti-Virus database:
- Click OK and, under select a target to scan, select My Computer
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.
==============
Scan with HijackThis and then place a check next to all the following, if present:
O2 - BHO: (no name) - {11241072-58BB-40CE-9171-0B2BDFB22E97} - C:\WINDOWS\system32\fccdebx.dll (file missing)
O2 - BHO: (no name) - {7A4E840D-7FF4-410F-B394-5FD80D68A86D} - C:\WINDOWS\system32\ddaba.dll (file missing)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - Global Startup: Shortcut to MTS.lnk = ?
O20 - Winlogon Notify: fccdebx - fccdebx.dll (file missing)
Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".
===============
Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:
Search for...
ALCXMNTR.EXE
...using "Start | Search...".
-
Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear.
-
Reboot.
===============
After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Opera AVAST anti-virus Comodo Firewall Spywareblaster
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 09, 2008 5:35:34 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/04/2008
Kaspersky Anti-Virus database records: 692312
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
Scan Statistics:
Total number of scanned objects: 224836
Number of viruses found: 18
Number of infected objects: 49
Number of suspicious objects: 0
Duration of the scan process: 04:08:37
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\comodo\Firewall Pro\cfplogdb.sdb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\639c3166518e983c17e84dc5dcb0031e_6f3324c0-e6c0-43af-a294-494862771fd2 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\665c45d6dce5914eed25b3b26379502f_6f3324c0-e6c0-43af-a294-494862771fd2 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\719a6dca64a96c4f20cb1d0158c7e740_6f3324c0-e6c0-43af-a294-494862771fd2 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\75ba7c32e6deb56f07813bb009dbabd8_6f3324c0-e6c0-43af-a294-494862771fd2 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b3f71b335bcea0427fe9de13433698c6_6f3324c0-e6c0-43af-a294-494862771fd2 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ea5f041d6ace5d5e8f576312e0cd5bfb_6f3324c0-e6c0-43af-a294-494862771fd2 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\braviax.exe.bac_a01732 Infected: Trojan-Downloader.Win32.FraudLoad.x skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\braviax.exe.bac_a02192 Infected: Trojan-Downloader.Win32.FraudLoad.x skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\Dc1.exe.bac_a02424 Infected: Trojan-Downloader.Win32.FraudLoad.x skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\ddaba.dll.bac_a01732 Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\setup_akl.exe.bac_a01732/stream/data0005 Infected: not-a-virus:Monitor.Win32.Ardamax.ae skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\setup_akl.exe.bac_a01732/stream/data0007 Infected: not-a-virus:Monitor.Win32.Ardamax.o skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\setup_akl.exe.bac_a01732/stream/data0009 Infected: Trojan-Spy.Win32.Ardamax.n skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\setup_akl.exe.bac_a01732/stream/data0010 Infected: not-a-virus:Monitor.Win32.Ardamax.af skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\setup_akl.exe.bac_a01732/stream Infected: not-a-virus:Monitor.Win32.Ardamax.af skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\setup_akl.exe.bac_a01732 NSIS: infected - 5 skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\setup_akl.exe.bac_a01732 CryptFF.b: infected - 5 skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\tejgsbxj.dll.bac_a01732 Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\uwscixeo.dll.bac_a01732 Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\uxcmmsie.dll.bac_a01732 Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\whqtintp.dll.bac_a01732 Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\winivstr.exe.bac_a01732 Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\wyslkjks.dll.bac_a01732 Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\wyslkjks.dll.bac_a02192 Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-3d89459f.zip/vmain.class Infected: Exploit.Java.Gimsh.a skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-3d89459f.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_b78.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_d6c.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_d9c.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF28AB.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF28E6.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Shared\me so horney.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\chandir.dat Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\chandir.idx Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\chn.dat Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\chn.idx Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\D0000000.FCS Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\inuse.txt Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\L0000011.FCS Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\main.log Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\prs.dat Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\prs.idx Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\prs_die.dat Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\prs_die.idx Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\storydb.dat Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\storydb.idx Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP644\A0091919.exe Infected: not-a-virus
erver-Proxy.Win32.3proxy.l skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP645\A0092139.exe Infected: not-a-virus:Monitor.Win32.Ardamax.af skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP645\A0092154.exe Infected: not-a-virus:Monitor.Win32.Ardamax.af skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP645\A0092170.exe Infected: not-a-virus:Monitor.Win32.Ardamax.af skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP645\A0092185.exe Infected: not-a-virus:Monitor.Win32.Ardamax.af skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP645\A0092239.exe Infected: not-a-virus:Monitor.Win32.Ardamax.af skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP645\A0093258.exe Infected: not-a-virus:Monitor.Win32.Ardamax.af skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP656\A0096436.exe Infected: Trojan-Clicker.Win32.Costrat.fe skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP656\A0096438.exe Infected: Trojan-Downloader.Win32.Adload.xh skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP656\A0096439.exe Infected: Trojan.Win32.Agent.giy skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP656\A0096440.exe Infected: Trojan-Downloader.Win32.Agent.lxt skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP656\A0096556.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP656\A0096562.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.b skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP657\A0096627.exe Infected: not-a-virus:Monitor.Win32.Perflogger.bs skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP659\A0096783.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP659\A0096783.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP659\A0096783.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP659\A0096790.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP660\A0097012.exe/stream/data0005 Infected: not-a-virus:Monitor.Win32.Ardamax.ae skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP660\A0097012.exe/stream/data0007 Infected: not-a-virus:Monitor.Win32.Ardamax.o skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP660\A0097012.exe/stream/data0009 Infected: Trojan-Spy.Win32.Ardamax.n skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP660\A0097012.exe/stream/data0010 Infected: not-a-virus:Monitor.Win32.Ardamax.af skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP660\A0097012.exe/stream Infected: not-a-virus:Monitor.Win32.Ardamax.af skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP660\A0097012.exe NSIS: infected - 5 skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP660\A0097013.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP661\A0098078.exe Infected: Trojan-Downloader.Win32.FraudLoad.x skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP672\A0103929.exe Infected: not-a-viruserver-Proxy.Win32.3proxy.l skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP672\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB833987$\sxs.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\msconfig.exe Infected: Backdoor.Win32.Rbot.jjm skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_6f4.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP672\change.log Object is locked skipped
Scan process completed.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:19 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\PopSubtract\PopSub.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\XActive\WebCam.exe
C:\Program Files\XActive\CompParams.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: TrendProtect - {F83BE649-1CC3-48EE-B2E2-0826CEF3822A} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [m7] "C:\progra~1\common~1\m7\in.vbs"
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [BackupNotify] C:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\PopSubtract\PopSub.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with &ZipScan - C:\DOCUME~1\Owner\Desktop\NEWFOL~2\ZIPSCA~2\zs_ie.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O15 - Trusted Zone: http://www.kaspersky.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O18 - Protocol: trendprotect - {BC3A5F6F-12A0-4B14-A184-32939F413823} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
--
End of file - 7634 bytes
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 09, 2008 5:35:34 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/04/2008
Kaspersky Anti-Virus database records: 692312
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
Scan Statistics:
Total number of scanned objects: 224836
Number of viruses found: 18
Number of infected objects: 49
Number of suspicious objects: 0
Duration of the scan process: 04:08:37
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\comodo\Firewall Pro\cfplogdb.sdb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\639c3166518e983c17e84dc5dcb0031e_6f3324c0-e6c0-43af-a294-494862771fd2 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\665c45d6dce5914eed25b3b26379502f_6f3324c0-e6c0-43af-a294-494862771fd2 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\719a6dca64a96c4f20cb1d0158c7e740_6f3324c0-e6c0-43af-a294-494862771fd2 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\75ba7c32e6deb56f07813bb009dbabd8_6f3324c0-e6c0-43af-a294-494862771fd2 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b3f71b335bcea0427fe9de13433698c6_6f3324c0-e6c0-43af-a294-494862771fd2 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ea5f041d6ace5d5e8f576312e0cd5bfb_6f3324c0-e6c0-43af-a294-494862771fd2 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\braviax.exe.bac_a01732 Infected: Trojan-Downloader.Win32.FraudLoad.x skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\braviax.exe.bac_a02192 Infected: Trojan-Downloader.Win32.FraudLoad.x skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\Dc1.exe.bac_a02424 Infected: Trojan-Downloader.Win32.FraudLoad.x skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\ddaba.dll.bac_a01732 Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\setup_akl.exe.bac_a01732/stream/data0005 Infected: not-a-virus:Monitor.Win32.Ardamax.ae skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\setup_akl.exe.bac_a01732/stream/data0007 Infected: not-a-virus:Monitor.Win32.Ardamax.o skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\setup_akl.exe.bac_a01732/stream/data0009 Infected: Trojan-Spy.Win32.Ardamax.n skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\setup_akl.exe.bac_a01732/stream/data0010 Infected: not-a-virus:Monitor.Win32.Ardamax.af skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\setup_akl.exe.bac_a01732/stream Infected: not-a-virus:Monitor.Win32.Ardamax.af skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\setup_akl.exe.bac_a01732 NSIS: infected - 5 skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\setup_akl.exe.bac_a01732 CryptFF.b: infected - 5 skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\tejgsbxj.dll.bac_a01732 Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\uwscixeo.dll.bac_a01732 Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\uxcmmsie.dll.bac_a01732 Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\whqtintp.dll.bac_a01732 Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\winivstr.exe.bac_a01732 Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\wyslkjks.dll.bac_a01732 Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Owner\.housecall6.6\Quarantine\wyslkjks.dll.bac_a02192 Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-3d89459f.zip/vmain.class Infected: Exploit.Java.Gimsh.a skipped
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-3d89459f.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_b78.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_d6c.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_d9c.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF28AB.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF28E6.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Shared\me so horney.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\chandir.dat Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\chandir.idx Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\chn.dat Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\chn.idx Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\D0000000.FCS Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\inuse.txt Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\L0000011.FCS Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\main.log Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\prs.dat Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\prs.idx Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\prs_die.dat Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\prs_die.idx Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\storydb.dat Object is locked skipped
C:\Program Files\Updates from HP\137903\Users\Default\Data\storydb.idx Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP644\A0091919.exe Infected: not-a-virus
erver-Proxy.Win32.3proxy.l skippedC:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP645\A0092139.exe Infected: not-a-virus:Monitor.Win32.Ardamax.af skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP645\A0092154.exe Infected: not-a-virus:Monitor.Win32.Ardamax.af skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP645\A0092170.exe Infected: not-a-virus:Monitor.Win32.Ardamax.af skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP645\A0092185.exe Infected: not-a-virus:Monitor.Win32.Ardamax.af skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP645\A0092239.exe Infected: not-a-virus:Monitor.Win32.Ardamax.af skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP645\A0093258.exe Infected: not-a-virus:Monitor.Win32.Ardamax.af skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP656\A0096436.exe Infected: Trojan-Clicker.Win32.Costrat.fe skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP656\A0096438.exe Infected: Trojan-Downloader.Win32.Adload.xh skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP656\A0096439.exe Infected: Trojan.Win32.Agent.giy skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP656\A0096440.exe Infected: Trojan-Downloader.Win32.Agent.lxt skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP656\A0096556.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP656\A0096562.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.b skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP657\A0096627.exe Infected: not-a-virus:Monitor.Win32.Perflogger.bs skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP659\A0096783.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP659\A0096783.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP659\A0096783.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP659\A0096790.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP660\A0097012.exe/stream/data0005 Infected: not-a-virus:Monitor.Win32.Ardamax.ae skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP660\A0097012.exe/stream/data0007 Infected: not-a-virus:Monitor.Win32.Ardamax.o skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP660\A0097012.exe/stream/data0009 Infected: Trojan-Spy.Win32.Ardamax.n skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP660\A0097012.exe/stream/data0010 Infected: not-a-virus:Monitor.Win32.Ardamax.af skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP660\A0097012.exe/stream Infected: not-a-virus:Monitor.Win32.Ardamax.af skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP660\A0097012.exe NSIS: infected - 5 skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP660\A0097013.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP661\A0098078.exe Infected: Trojan-Downloader.Win32.FraudLoad.x skipped
C:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP672\A0103929.exe Infected: not-a-virus
erver-Proxy.Win32.3proxy.l skippedC:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP672\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB833987$\sxs.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\msconfig.exe Infected: Backdoor.Win32.Rbot.jjm skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_6f4.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{DD9CB1FB-3F7A-40CF-B44C-DD1502404737}\RP672\change.log Object is locked skipped
Scan process completed.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:19 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\PopSubtract\PopSub.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\XActive\WebCam.exe
C:\Program Files\XActive\CompParams.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\program files\hp\digital imaging\bin\hpdtlk02.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: TrendProtect - {F83BE649-1CC3-48EE-B2E2-0826CEF3822A} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [m7] "C:\progra~1\common~1\m7\in.vbs"
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [BackupNotify] C:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\PopSubtract\PopSub.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with &ZipScan - C:\DOCUME~1\Owner\Desktop\NEWFOL~2\ZIPSCA~2\zs_ie.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O15 - Trusted Zone: http://www.kaspersky.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O18 - Protocol: trendprotect - {BC3A5F6F-12A0-4B14-A184-32939F413823} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
--
End of file - 7634 bytes
You need to clear this Quarantine folder;
C:\Documents and Settings\Owner\.housecall6.6\Quarantine
==
Delete this file;
C:\Documents and Settings\Owner\Shared\me so horney.mp3
==
Go to Start | Run and type msconfig and press enter.
When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings link on the left.
Check the box labelled 'Turn off System restore'.
Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.
Note that all previous restore points will be lost.
==
Do you know what this is?
O4 - HKLM\..\Run: [m7] "C:\progra~1\common~1\m7\in.vbs"
C:\Documents and Settings\Owner\.housecall6.6\Quarantine
==
Delete this file;
C:\Documents and Settings\Owner\Shared\me so horney.mp3
==
Go to Start | Run and type msconfig and press enter.
When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings link on the left.
Check the box labelled 'Turn off System restore'.
Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.
Note that all previous restore points will be lost.
==
Do you know what this is?
O4 - HKLM\..\Run: [m7] "C:\progra~1\common~1\m7\in.vbs"
Proud member of ASAP (Alliance of Security analysis Professionals).
Opera AVAST anti-virus Comodo Firewall Spywareblaster
Opera AVAST anti-virus Comodo Firewall Spywareblaster
|
Similar Threads
- blank desktop after cleaning trojan (Viruses, Spyware and other Nasties)
- Cleaning a friend's computer (Viruses, Spyware and other Nasties)
- Spyware troubles even after cleaning / HT Log (Viruses, Spyware and other Nasties)
- Cleaning out Popup Problems on XP (Viruses, Spyware and other Nasties)
- Canned air to cleaning boards (Cases, Fans and Power Supplies)
- XP & Cleaning Temp files (Windows 95 / 98 / Me)
- keyboard not working after opening for cleaning (USB Devices and other Peripherals)
- Cleaning up duaghter's pc - slow and buggy (Viruses, Spyware and other Nasties)
- Recurring problem cleaning pc with hijackthis (Viruses, Spyware and other Nasties)
Other Threads in the Viruses, Spyware and other Nasties Forum
- Previous Thread: zapchast.reg
- Next Thread: explorer keeps shutting down
| Thread Tools | Search this Thread |
You need to join our community in order to build your list of favorite forums. You can visit the forum index for a listing of all forums.
Related Forum Features
Latest Viruses, Spyware and other Nasties Posts
adware anti-malware anti-virussitesaccessissue antivirus apple audio avg backtoschoolspeech bar blackhat botnet botnets censorship china commercial commercials conficker connect control crosssitescripting cyber cybercrime cyberwarfare domains e-mafia education email europe exam facebook fake fancheckvirus gaming gtaiv halloween hijack hosting internet iphone kaspersky legal logfiles mail malware mcafee messagelabs microsoft mobile msn nazi news obama onlinethreats paedophile panel parents patch phishing police policeprovirusmba-mblockedinternetaccess president privacy pro problem reliability report research risk rogueantivirus samhain sans scareware school search security seopoisoning sites software spam spyware spywareexternalwindows7adminstratortrojans sqlinjection symantec system teen translate trojan unabletoaccessanti-virussites unwanted update usa virus viruses war warning windows worm yahoo zeroday