hijackthis.exe is not a valid win32 application

tsahima
Newbie Poster
21 posts since Mar 2008

Hi,

I wanted to do the steps before posting, but I can't run AVG and the others, as you see.

It all worked OK until I downloaded a 900K file called f-15 eagle..... and after that, no CCleaner, no AVG, no HijackThis.

I really don't get it. I guess it's a virus, maybe a very old one (the file seems like an old file).

I appreciate any suggestions.
Good day

Tsahi.

EDIT: I have Windows XP.

gerbil
Industrious Poster
4,624 posts since May 2005

Tricky. Was the eagle file meant to be of the actual warplane? Anyway, try running those scans in Safe Mode.... and if they work there you might try running HijackThis again in normal mode - if it does, then post that log [HijackThis run in Safe Mode leaves us a little blind because some processes are not started there].

bobbyraw
Nearly a Posting Virtuoso
1,336 posts since Oct 2006

Download VundoFix and run it in Safe Mode. Also download ComboFix and run it in Safe Mode (follow the instructions for ComboFix carefully).

tsahima
Newbie Poster
21 posts since Mar 2008

I will try that.

Is it possible that the message "not a valid win32 application" happened just because I tried to run a Win98 application on XP?
(It seems like I downloaded a very old file.)

Maybe I just changed some settings?

tsahima
Newbie Poster
21 posts since Mar 2008

I was frustrated since even Safe Mode could not run.
At last I succeeded in getting some info:

Deckard's System Scanner v20071014.68
Run by Osnat on 2008-03-26 00:58:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
65: 2008-03-25 22:59:15 UTC - RP420 - Deckard's System Scanner Restore Point
64: 2008-03-25 19:49:04 UTC - RP419 - System Checkpoint
63: 2008-03-24 19:40:08 UTC - RP418 - System Checkpoint
62: 2008-03-23 18:59:35 UTC - RP417 - System Checkpoint
61: 2008-03-22 18:58:57 UTC - RP416 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-01-18 15:21:43 UTC - RP356 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-03-26 01:05:15
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wintems.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Osnat\Local Settings\Temporary Internet Files\Content.IE5\G5O3SIR7\dss[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uzit.co.il/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Babylon - {965B54B0-71E0-4611-8DE7-F73FA0B20E26} - C:\Program Files\Babylon\Babylon Toolbar\BabylonIEToolBar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: https://fighterace.ketsujin.com (HKCU)
O15 - Trusted Zone: https://primary.ketsujin.com (HKCU)
O15 - Trusted Zone: https://update.ketsujin.com (HKCU)
O15 - Trusted Zone: https://www.ketsujin.com (HKCU)
O15 - Trusted Zone: https://www.stormofaces.com (HKCU)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{59C67374-3365-46A0-A05C-2EDF058CCD43}: NameServer = 62.219.186.7 192.117.235.235
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\system32\PCANotify.dll (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe


--
End of file - 8583 bytes

-- File Associations -----------------------------------------------------------

.scr - AutoCADScriptFile - shell\open\command - "C:\WINDOWS\notepad.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 PQV2i - c:\windows\system32\drivers\pqv2i.sys <Not Verified; StorageCraft; V2i Protector>
R1 PQIMount - c:\windows\system32\drivers\pqimount.sys <Not Verified; PowerQuest Corporation; V2i Protector>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 GEARSecurity - c:\windows\system32\gearsec.exe <Not Verified; GEAR Software; gearsec>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-02-26 and 2008-03-26 -----------------------------

2008-03-25 23:50:41 0 d-------- C:\Program Files\Panda Security
2008-03-25 23:45:16 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-03-25 23:45:15 0 d-------- C:\WINDOWS\LastGood
2008-03-22 17:54:53 0 d-------- C:\Program Files\Trend Micro
2008-03-22 17:46:36 0 d-------- C:\Documents and Settings\Osnat\Application Data\Uniblue
2008-03-22 17:37:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-22 17:14:17 58372 --a------ C:\WINDOWS\system32\1.exe
2008-03-21 16:48:31 0 d-------- C:\Program Files\Yahoo!
2008-03-21 13:52:20 72196 --a------ C:\WINDOWS\system32\mdelk.exe
2008-03-21 13:51:38 89954 --a------ C:\WINDOWS\system32\drivers\srosa.sys
2008-03-21 10:43:48 0 dr-h----- C:\Documents and Settings\Osnat\Recent


-- Find3M Report ---------------------------------------------------------------

2008-03-26 00:59:18 0 d-------- C:\Program Files\DAEMON Tools
2008-03-25 23:28:13 0 d-------- C:\Program Files\Winamp
2008-03-21 15:42:20 0 d-------- C:\Documents and Settings\Osnat\Application Data\SecondLife
2008-03-21 15:28:12 0 d-------- C:\Program Files\eMule
2008-03-21 14:29:43 0 d-------- C:\Documents and Settings\Osnat\Application Data\AVG7
2008-03-16 14:54:52 0 d-------- C:\Documents and Settings\Osnat\Application Data\Adobe
2008-02-03 20:40:29 0 d-------- C:\Documents and Settings\Osnat\Application Data\TeamViewer


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{965B54B0-71E0-4611-8DE7-F73FA0B20E26}"= C:\Program Files\Babylon\Babylon Toolbar\BabylonIEToolBar.dll [11/01/2007 03:09 PM 265952]

[-HKEY_CLASSES_ROOT\CLSID\{965B54B0-71E0-4611-8DE7-F73FA0B20E26}]
[HKEY_CLASSES_ROOT\BabylonTBLib.BabylonTB.1]
[HKEY_CLASSES_ROOT\TypeLib\{162484B8-B114-453f-A344-C0B24B0F1D99}]
[HKEY_CLASSES_ROOT\BabylonTBLib.BabylonTB]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [08/11/2006 09:43 PM]
"nwiz"="nwiz.exe" [08/11/2006 09:43 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [08/11/2006 09:43 PM]
"Norton Ghost 9.0"="C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe" [05/17/2006 04:02 AM]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [11/09/2005 12:00 AM]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [12/13/2003 02:50 AM]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe" [03/08/2005 06:42 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/11/2005 11:12 PM]
"Babylon Client"="C:\Program Files\Babylon\Babylon-Pro\Babylon.exe" [11/01/2007 03:09 PM]
"RTHDCPL"="RTHDCPL.EXE" [09/22/2005 01:36 PM C:\WINDOWS\RTHDCPL.EXE]
"Alcmtr"="ALCMTR.EXE" [05/03/2005 06:43 PM C:\WINDOWS\ALCMTR.EXE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 01:56 AM]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [07/11/2006 19:38:10]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [14/12/2004 04:44:06]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [05/03/2006 04:43:54]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [11/05/2005 23:23:26]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [12/05/2005 00:49:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{261d9058-9a66-11db-9c7b-0014858a3979}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b995f78-6e3d-11db-9c36-0014858a3979}]
AutoRun\command- .\Recycler\S-1-5-21-0173166775-727612127-5344617085-500\~WRL6058.tmp
explore\command- .\Recycler\S-1-5-21-0173166775-727612127-5344617085-500\~WRL6058.tmp
Open\command- .\Recycler\S-1-5-21-0173166775-727612127-5344617085-500\~WRL6058.tmp

*Newly Created Service* - RKPAVPROC

-- End of Deckard's System Scanner: finished at 2008-03-26 01:06:40 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) D CPU 2.80GHz
CPU 1: Intel(R) Pentium(R) D CPU 2.80GHz
Percentage of Memory in Use: 44%
Physical Memory (total/avail): 1023.48 MiB / 567.58 MiB
Pagefile Memory (total/avail): 2460.14 MiB / 2163.67 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1907.7 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 58.59 GiB total, 22.88 GiB free.
D: is Fixed (NTFS) - 90.45 GiB total, 28.75 GiB free.
E: is CDROM (No Media)
F: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - WDC WD1600JS-00NCB1 - 149.05 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 58.59 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 90.45 GiB - D:

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"="C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe:*:Enabled:TrueVector Service"
"D:\\3dsmax7\\3dsmax.exe"="D:\\3dsmax7\\3dsmax.exe:*:Enabled:3ds max 7"
"C:\\Program Files\\backburner 2\\monitor.exe"="C:\\Program Files\\backburner 2\\monitor.exe:*:Enabled:backburner 2.3 monitor"
"C:\\Program Files\\backburner 2\\manager.exe"="C:\\Program Files\\backburner 2\\manager.exe:*:Enabled:backburner 2.3 manager"
"C:\\Program Files\\backburner 2\\server.exe"="C:\\Program Files\\backburner 2\\server.exe:*:Enabled:backburner 2.3 server"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\FlashGet\\flashget.exe"="C:\\Program Files\\FlashGet\\flashget.exe:*:Enabled:Flashget"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Crave\\Global Operations\\globalops.exe"="C:\\Program Files\\Crave\\Global Operations\\globalops.exe:*:Enabled:Global Operations"
"C:\\Program Files\\America's Army\\System\\ArmyOps.exe"="C:\\Program Files\\America's Army\\System\\ArmyOps.exe:*:Enabled:ArmyOps"
"C:\\Program Files\\Fighter Ace\\rsync.exe"="C:\\Program Files\\Fighter Ace\\rsync.exe:*:Disabled:rsync"
"C:\\Program Files\\SecondLife\\SLVoice.exe"="C:\\Program Files\\SecondLife\\SLVoice.exe:*:Disabled:SLVoice"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme"="C:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme:*:Disabled:GunBound"
"F:\\Speed.exe"="F:\\Speed.exe:*:Disabled:Speed"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Crave\\Global Operations\\goserver.exe"="C:\\Program Files\\Crave\\Global Operations\\goserver.exe:*:Disabled:Global Operations Server"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Osnat\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=OSNAT-COMPUTER
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Osnat
LOGONSERVER=\\OSNAT-COMPUTER
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Autodesk Shared\;C:\Program Files\backburner 2\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0404
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Osnat\LOCALS~1\Temp
TMP=C:\DOCUME~1\Osnat\LOCALS~1\Temp
USERDOMAIN=OSNAT-COMPUTER
USERNAME=Osnat
USERPROFILE=C:\Documents and Settings\Osnat
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Osnat (admin)
Administrator (new local, admin)
Garage (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3ds max 7 --> MsiExec.exe /I{F92AB933-9FE7-4335-92BD-D1C3BA27613C}
3ds max 7 Additional Maps and Materials --> MsiExec.exe /I{5EB4C5CA-962C-486B-81FF-A41B7B8FFBEC}
3ds max 7 Architectural Materials --> MsiExec.exe /I{54199443-342B-4162-B10D-CAA1C211E7A6}
3ds max 7 Reference Files --> MsiExec.exe /I{E5F6E1A6-44AA-4CF7-883E-4F7FA7C4BCA5}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop CS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}\setup.exe" -l0x40d
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
ARC+ v14 English --> C:\WINDOWS\IsUninst.exe -fC:\ARCPLUS\Uninst.isu
AutoCAD 2005 - English --> MsiExec.exe /I{5783F2D7-0301-0409-0002-0060B0CE6BBA}
AutoCAD 2007 - English --> MsiExec.exe /I{5783F2D7-5001-0409-0002-0060B0CE6BBA}
Autodesk DWF Viewer --> C:\PROGRA~1\Autodesk\AUTODE~1\Setup.exe /remove /q0
Babylon --> C:\Program Files\Babylon\Babylon-Pro\Utils\uninstbb.exe
Babylon Toolbar --> MsiExec.exe /I{67A339E5-D8AA-4E88-9278-A571B397F798}
Codec Pack - All In 1 6.0.3.0 --> C:\WINDOWS\iun6002.exe "C:\Program Files\Codec Pack - All In 1\irunin.ini"
DFX for Winamp --> "C:\Program Files\Winamp\uninstall_dfx.exe"
eMule --> "C:\Program Files\eMule\Uninstall.exe"
Global Operations --> C:\Program Files\InstallShield Installation Information\{ED5AACB5-F387-4DF0-961D-C2E5EA8702CF}\setup.exe -l0x9 Uninstall
Global Operations Update --> MsiExec.exe /I{4210E644-6E5F-4F13-919C-92406BE0FE2C}
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP Document Viewer 5.3 --> C:\Program Files\HP\Digital Imaging\DocumentViewer\hpzscr01.exe -datfile hpqbud04.dat
HP Image Zone 5.3 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP Imaging Device Functions 5.3 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP PSC & OfficeJet 5.3.B --> "C:\Program Files\HP\Digital Imaging\{5B79CFD1-6845-4158-9D7D-6BE89DF2C135}\setup\hpzscr01.exe" -datfile hposcr07.dat
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
HP Solution Center & Imaging Support Tools 5.3 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Kyodai Mahjongg --> "C:\Program Files\Kyodai Mahjongg\unins000.exe"
LiveUpdate 2.0 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Mahjong Escape --> "C:\Program Files\Mahjong Escape\ReflexiveArcade\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{9011040D-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (2.0.0.3) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Nero 6 Ultra Edition --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Nero Digital --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
Norton Ghost 9.0 --> MsiExec.exe /X{3C759736-8347-4031-BB9C-D75ADFE6B101}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
Panda NanoScan --> C:\Program Files\Panda Security\NanoScan\nanounst.exe
Pdf995 --> C:\Program Files\pdf995\setup.exe uninstall
Poser 6 --> C:\WINDOWS\unvise32.exe C:\Program Files\Curious Labs\Poser 6\uninstal.log
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
Realtek High Definition Audio Driver --> RtlUpd.exe -r
Roger Wilco --> C:\PROGRA~1\ROGERW~1\rwbs\UNWISE.EXE C:\PROGRA~1\ROGERW~1\rwbs\INSTALL.LOG
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Tumble Bugs --> "C:\Program Files\Tumble Bugs\unins000.exe"
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type3982 / Warning
Event Submitted/Written: 03/24/2008 10:47:30 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{9011040D-6000-11D3-8CFE-0150048383C9}', feature 'EXCELFiles' failed during request for component '{A2B280D4-20FB-4720-99F7-40C09FBCE10A}'

Event Record #/Type3981 / Warning
Event Submitted/Written: 03/24/2008 10:47:30 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{9011040D-6000-11D3-8CFE-0150048383C9}', feature 'EXCELFiles', component '{43A46B81-37A6-11D2-AA89-00A0C90F57B0}' failed. The resource 'C:\Program Files\Microsoft Office\OFFICE11\XLSTART\' does not exist.

Event Record #/Type3977 / Error
Event Submitted/Written: 03/23/2008 08:18:06 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16608, faulting module flash9c.ocx, version 9.0.45.0, fault address 0x00099baf.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type3973 / Error
Event Submitted/Written: 03/22/2008 09:04:27 PM
Event ID/Source: 1024 / MsiInstaller
Event Description:
Product: Microsoft Office Professional Edition 2003 - Update 'Office 2003 Service Pack 3 (SP3): MAINSP3' could not be installed. Error code 1603. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127

Event Record #/Type3972 / Error
Event Submitted/Written: 03/22/2008 09:04:09 PM
Event ID/Source: 11706 / MsiInstaller
Event Description:
Product: Microsoft Office Professional Edition 2003 -- Error 1706. Setup cannot find the required files. Check your connection to the network, or CD-ROM drive. For other potential solutions to this problem, see C:\Program Files\Microsoft Office\OFFICE11\1033\SETUP.CHM.

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type24267 / Error
Event Submitted/Written: 03/25/2008 11:36:04 PM
Event ID/Source: 7006 / Service Control Manager
Event Description:
The ScRegSetValueExW call failed for Type with the following error:
%%5

Event Record #/Type24260 / Error
Event Submitted/Written: 03/25/2008 11:36:04 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The AVG Anti-Spyware Guard service failed to start due to the following error:
%%193

Event Record #/Type24259 / Error
Event Submitted/Written: 03/25/2008 11:35:20 PM
Event ID/Source: 12 / PlugPlayManager
Event Description:
The device 'Microsoft System Management BIOS Driver' (Root\SYSTEM\0002) disappeared from the system without first being prepared for removal.

Event Record #/Type24258 / Error
Event Submitted/Written: 03/25/2008 11:35:20 PM
Event ID/Source: 12 / PlugPlayManager
Event Description:
The device 'Microcode Update Device' (Root\SYSTEM\0001) disappeared from the system without first being prepared for removal.

Event Record #/Type24257 / Error
Event Submitted/Written: 03/25/2008 11:35:20 PM
Event ID/Source: 12 / PlugPlayManager
Event Description:
The device 'Plug and Play Software Device Enumerator' (Root\SYSTEM\0000) disappeared from the system without first being prepared for removal.

-- End of Deckard's System Scanner: finished at 2008-03-26 01:06:40 ------------

gerbil

Okay, I can see why some of your security software and scanners were disabled - you picked up the Bagle worm; it does that. You are quite badly infected otherwise. And at the moment you cannot enter Safe Mode because some registry entries have been altered - we will fix that later.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it double-click combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
==Get CCleaner from http://www.ccleaner.com/ - and install it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin right-click menu using its default settings [if you set up CCleaner as I suggested, right-clicking the bin icon should give you the Open CCleaner option...].
If you have Firefox open the Applications tab and ensure at least that Cookies and Cache are checked.
Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
==Please use IE to do an online scan at Panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.

gerbil

When you have finished that procedure above I would like you to run this reg file I have zipped and attached. It will repair your SP2 safe boot key plus remove a couple of mapped drive entries in mountpoints2 that I do not like the look of.... one is recalling deleted files?
Just unzip the file and double-click it to run; agree to merge with your registry.
Come back with those logs.

Attachments SafeBootXP_SP2plus.zip (1.72KB)

tsahima

First, thank you for your answer.

I failed running ComboFix and CCleaner: both have the same problem:

"not a valid win32 application"
:(

gerbil

tsahima, then please apply what I set out in post #7 first - it will restore your safe mode; you may then be able to run combofix in safe mode, then try the others in normal mode... [you may need to delete combofix and download a fresh copy].

tsahima

Sorry, ComboFix is not working even in safe mode (thanks for the file that gave me at least that :) )

But I succeeded in running CCleaner in safe mode, and then cleaned all registry errors.

I have also loaded HijackThis in safe mode, and here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:32:22, on 27/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
D:\programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uzit.co.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Babylon - {965B54B0-71E0-4611-8DE7-F73FA0B20E26} - C:\Program Files\Babylon\Babylon Toolbar\BabylonIEToolBar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Babylon Client] C:\Program Files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
O4 - HKCU\..\Run: [ccleaner] "D:\programs\CCleaner\CCleaner.exe" /AUTO
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)

--
End of file - 5288 bytes


In normal mode, CCleaner and HJT aren't working even now.

I can delete any entry I want in safe mode, if you think I should.

I also deleted a file called mdelk.exe from system32.

Here is a partial Panda log (it was stuck in the middle for an hour):


Incident Status Location

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Osnat\Cookies\osnat@doubleclick[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Osnat\Cookies\osnat@statcounter[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Osnat\Cookies\osnat@tribalfusion[2].txt
Virus:Trj/Bancos.RQ Not disinfected C:\Documents and Settings\Osnat\Desktop\ComboFix.exe[327882R2FWJFW\pv.cfexe]
Possible Virus. Not disinfected C:\Documents and Settings\Osnat\Desktop\danis_web_cleanup\my downloads\my virus vault-danger\1.exe
Hacktool:HackTool/EvID Not disinfected C:\Documents and Settings\Osnat\Desktop\emule config files\EvID4226Patch.exe
Hacktool:HackTool/EvID Not disinfected C:\Documents and Settings\Osnat\Desktop\emule_patch\EvID4226Patch.exe
Hacktool:HackTool/EvID Not disinfected C:\Documents and Settings\Osnat\Desktop\emule_patch\EvID4226Patch223d-en.zip[EvID4226Patch.exe]
Virus:W32/Bagle.RP.worm

gerbil

Nice effort. We have some leads from that.

==Please copy the text between the lines to Notepad [format/wordwrap unchecked] and save as fixkey.reg, as type "all files", to your desktop; double-click it to run... agree; if it opens in Notepad instead right-click the icon [file], choose Open with, Registry editor....
__________________________________________________________
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"drvsyskit"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"german.exe"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"hldrrr" = -
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"hldrrr" = -
[HKEY_CURRENT_USER\Software\FirstRRun]
"FirstRRRun" = -
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ssgrate.exe" = -
__________________________________________________________

In safe mode, delete [if they exist]:

C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\1.exe
C:\WINDOWS\system32\forõ.exe
C:\WINDOWS\system32\noat.exe

Try now to restart your AV [switch to normal mode].
Then download a fresh copy of Combofix and try to run it, safe or normal mode, but the latter would be more convenient. Run Panda again, also.

I have no idea what this is [from the Panda report...]:
emule config files\EvID4226Patch.exe
or this: emule_patch\EvID4226Patch.exe
or this:emule_patch\EvID4226Patch223d-en.zip[EvID4226Patch.exe].
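
As an added example (not code from this thread, from HijackThis or from any tool named in it), the script below applies the checks gerbil made by eye to the HijackThis log above and drafts a fixkey.reg-style file that removes the flagged Run values; the sample log lines are constructed in the shape of the posted log, and the heuristics are this example's own.

```python
"""Triage a HijackThis 2.0 log with the checks this thread applies by eye,
then draft a fixkey.reg-style file that deletes the flagged Run values.
Added example; not code from the thread, HijackThis or any tool named here.
"""
import ntpath
import re

# Constructed sample: lines in the shape of the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\system32\drivers\hldrrr.exe
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
"""

HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE",
         "HKUS": "HKEY_USERS"}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# "O4 - HKCU\..\Run: [name] command"  or  "O4 - HKUS\S-1-5-19\..\Run: ..."
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)(?:\\(?P<user>[^\\]+))?"
                   r"\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# O3 toolbars / R3 URLSearchHooks whose CLSID no longer points at a file
ORPHAN_RE = re.compile(r"^(?:O3 - Toolbar|R3 - URLSearchHook): (?P<name>.+?)"
                       r" - \{[0-9A-Fa-f-]+\} - \(no file\)$")


def executable_of(cmd):
    """Program a Run command line starts: the quoted path, or the first token.
    (For 'RUNDLL32.EXE x.dll,Entry' lines this is rundll32 itself.)"""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    """Return a list of findings, each {'kind','name','exe','reasons',...}."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m["cmd"])
            base = ntpath.basename(exe).lower()
            reasons = []
            # system32\drivers is for .sys drivers; an .exe there (hldrrr.exe
            # in the thread) is a strong sign of a dropped payload.
            if "\\system32\\drivers\\" in exe.lower() and base.endswith(".exe"):
                reasons.append("program started from system32\\drivers")
            # A value called german.exe that really starts wintems.exe
            if m["name"].lower().endswith(".exe") and m["name"].lower() != base:
                reasons.append("value name %s does not match program %s"
                               % (m["name"], base))
            if reasons:
                findings.append({"kind": "O4", "hive": m["hive"], "user": m["user"],
                                 "name": m["name"], "exe": exe, "reasons": reasons})
            continue
        m = O23_RE.match(line)
        if m and m["path"].endswith("(file missing)"):
            # A registered service whose binary is gone: for a security
            # product this is what the infection above did to the AVG guard.
            findings.append({"kind": "O23", "name": m["name"], "exe": m["path"],
                             "reasons": ["service binary missing"]})
            continue
        m = ORPHAN_RE.match(line)
        if m:
            findings.append({"kind": line[:2], "name": m["name"], "exe": None,
                             "reasons": ["orphaned entry (no file)"]})
    return findings


def build_reg_fix(findings):
    """Registry Editor 5.00 text deleting each flagged Run value ("name"=-),
    in the same layout as the fixkey.reg posted above."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for f in findings:
        if f["kind"] != "O4":
            continue
        root = HIVES[f["hive"]] + ("\\" + f["user"] if f["user"] else "")
        lines.append("[%s\\%s]" % (root, RUN_KEY))
        lines.append('"%s"=-' % f["name"])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print("%-3s %-25s %s" % (f["kind"], f["name"], "; ".join(f["reasons"])))
    print(build_reg_fix(found))
```

The O23 and orphan findings are reported only; the .reg draft covers Run values alone, since a missing service binary is a reinstall, not a registry deletion.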

gerbil

Okay, I see they should be benign... the patch removes SP2's TCP/IP stack limit.

gerbil

On second thoughts, get rid of these files - just delete them:
C:\Documents and Settings\Osnat\Desktop\emule config files\EvID4226Patch.exe
C:\Documents and Settings\Osnat\Desktop\emule_patch\EvID4226Patch.exe
C:\Documents and Settings\Osnat\Desktop\emule_patch\EvID4226Patch223d-en.zip[EvID4226Patch.exe]
Panda is saying they contain a virus:W32/Bagle.RP.worm... and since you copped the effects of the Bagle worm I would say that they could be the source - a worm is some bit of malware you must download and install by your own actions.
The advantage of more ports is not worth the trouble.

tsahima

OK
I deleted the files and activated the registry cleaning file.

ComboFix still doesn't work in Safe Mode or in Normal Mode.
Panda ActiveScan keeps getting stuck (after 3-4 hours running); I will try to stop it after 2 hours and generate a log.

In the meantime I checked NanoScan and it showed the Bagle worm again.

gerbil

Hmmm, tsahi, Panda is usually supreme in removing Bagle. Let's try a different attack. Because Combofix will not run, even in Safe Mode, please go Start, Run and paste in ..
combofix /u
Okay, in Safe Mode with Networking:
Search for and delete this folder if it exists: C:\Windows\system32\drivers\down
-now go back to this site: http://download.bleepingcomputer.com/sUBs/ComboFix.exe -and instead of downloading click the Open box and see if it runs.
Try Panda once more; if it stalls then try this scan:
==Kaspersky Online Scan, from http://www.kaspersky.com/virusscanner -press the Kaspersky Online Scanner button, follow through....
or, if no success, this one:
==Bitdefender Online Scan using IE only from http://www.bitdefender.com/

tsahima

Sorry, I am not sure I understand the steps.

I have tried writing combofix /u in the cmd->run but it's not working.

I also tried safe mode with networking, but I don't know how to connect (the internet icon fails to react).
sorry...

Anyway, I succeeded in deleting the folder full of exe files you asked me to (drivers/down)
and deleted mdelk.exe and hldrrr.exe (again.... 5th time...)

EDIT:

I succeeded in running ComboFix without downloading (as you suggested, "http:download...") but in normal mode.

Here's the log (it looked like it couldn't find some files in the Find3M process):

ComboFix 08-03-30.2 - Osnat 03/30/2008 19:50:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1255.1.1033.18.640 [GMT 3:00]
Running from: C:\Documents and Settings\Osnat\Local Settings\Temporary Internet Files\Content.IE5\U5BM4PDD\ComboFix[1].exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\WINDOWS\system32\ban_list.txt
C:\WINDOWS\system32\drivers\down
C:\WINDOWS\system32\drivers\down\664140.exe
C:\WINDOWS\system32\drivers\down\667187.exe
C:\WINDOWS\system32\drivers\down\676515.exe
C:\WINDOWS\system32\drivers\down\695718.exe
C:\WINDOWS\system32\drivers\down\704687.exe
C:\WINDOWS\system32\drivers\down\712515.exe
C:\WINDOWS\system32\drivers\down\805500.exe
C:\WINDOWS\system32\drivers\down\813640.exe
C:\WINDOWS\system32\drivers\down\829937.exe
C:\WINDOWS\system32\drivers\down\852140.exe
C:\WINDOWS\system32\drivers\down\860671.exe
C:\WINDOWS\system32\drivers\down\870468.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\wintems.exe

----- BITS: Possible infected sites -----

hxxp://au.download.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GB
-------\Legacy_SROSA
-------\Service_gb


((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-30 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-29 16:16 --------- d-----w C:\Program Files\DAEMON Tools
2008-03-29 15:51 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-03-29 14:44 --------- d-----w C:\Program Files\Panda Security
2008-03-29 13:08 --------- d-----w C:\Program Files\eMule
2008-03-29 10:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-03-29 00:16 --------- d-----w C:\Program Files\CCleaner
2008-03-28 15:07 --------- d-----w C:\Program Files\Winamp
2008-03-27 19:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-27 19:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-25 23:41 --------- d-----w C:\Program Files\Spyware Doctor
2008-03-25 23:40 --------- d-----w C:\Documents and Settings\Osnat\Application Data\PC Tools
2008-03-22 15:54 --------- d-----w C:\Program Files\Trend Micro
2008-03-22 15:46 --------- d-----w C:\Documents and Settings\Osnat\Application Data\Uniblue
2008-03-21 14:48 --------- d-----w C:\Program Files\Yahoo!
2008-03-21 13:42 --------- d-----w C:\Documents and Settings\Osnat\Application Data\SecondLife
2008-03-21 12:29 --------- d-----w C:\Documents and Settings\Osnat\Application Data\AVG7
2008-02-03 18:40 --------- d-----w C:\Documents and Settings\Osnat\Application Data\TeamViewer
2008-02-01 10:55 42,376 ----a-w C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-05-21 19:50 25,990,392 ----a-w C:\Program Files\FLV PlayerRCSetup.exe
2007-05-21 19:50 2,874,926 ----a-w C:\Program Files\FLV PlayerRCATSetup.exe
2007-03-31 15:03 915,744 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-03-31 15:03 11,040 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{965B54B0-71E0-4611-8DE7-F73FA0B20E26}"= "C:\Program Files\Babylon\Babylon Toolbar\BabylonIEToolBar.dll" [11/01/2007 04:09 PM 265952]

[HKEY_CLASSES_ROOT\clsid\{965b54b0-71e0-4611-8de7-f73fa0b20e26}]
[HKEY_CLASSES_ROOT\BabylonTBLib.BabylonTB.1]
[HKEY_CLASSES_ROOT\TypeLib\{162484B8-B114-453f-A344-C0B24B0F1D99}]
[HKEY_CLASSES_ROOT\BabylonTBLib.BabylonTB]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{965B54B0-71E0-4611-8DE7-F73FA0B20E26}"= C:\Program Files\Babylon\Babylon Toolbar\BabylonIEToolBar.dll [11/01/2007 04:09 PM 265952]

[HKEY_CLASSES_ROOT\clsid\{965b54b0-71e0-4611-8de7-f73fa0b20e26}]
[HKEY_CLASSES_ROOT\BabylonTBLib.BabylonTB.1]
[HKEY_CLASSES_ROOT\TypeLib\{162484B8-B114-453f-A344-C0B24B0F1D99}]
[HKEY_CLASSES_ROOT\BabylonTBLib.BabylonTB]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM 15360]
"ccleaner"="D:\programs\CCleaner\CCleaner.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 12:50 PM 155648]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [08/11/2006 10:43 PM 7630848]
"nwiz"="nwiz.exe" [08/11/2006 10:43 PM 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [08/11/2006 10:43 PM 86016]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [11/09/2005 01:00 AM 128920]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [12/13/2003 03:50 AM 33792]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe" [03/08/2005 07:42 AM 176128]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM 132496]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/12/2005 12:12 AM 49152]
"Babylon Client"="C:\Program Files\Babylon\Babylon-Pro\Babylon.exe" [11/01/2007 04:09 PM 3032800]
"RTHDCPL"="RTHDCPL.EXE" [09/22/2005 02:36 PM 14854144 C:\WINDOWS\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [08/04/2004 02:56 AM 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-07 20:38:10 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 05:44:06 29696]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 05:43:54 11000]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 00:23:26 282624]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 01:49:24 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\3dsmax7\\3dsmax.exe"=
"C:\\Program Files\\backburner 2\\monitor.exe"=
"C:\\Program Files\\backburner 2\\manager.exe"=
"C:\\Program Files\\backburner 2\\server.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Crave\\Global Operations\\globalops.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"F:\\Speed.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Crave\\Global Operations\\goserver.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"C:\\Program Files\\NFO.co.il\\Fire eMule 7\\emule.exe"= 4662:UDP
"52926:TCP"= 52926:TCP:eMule
"60155:UDP"= 60155:UDP:eMule

R0 PQV2i;PQV2i;C:\WINDOWS\system32\drivers\PQV2i.sys [07/29/2004 04:33 AM]
R1 PQIMount;PQIMount;C:\WINDOWS\system32\drivers\PQIMount.sys [07/29/2004 05:13 AM]
S1 srosa;Megadrv3;C:\WINDOWS\system32\drivers\srosa.sys []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-30 19:58:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\system32\MsiExec.exe
.
**************************************************************************
.
Completion time: 03/30/2008 20:01:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-30 17:01:41
Pre-Run: 24,901,861,376 bytes free
Post-Run: 24,790,614,016 bytes free
.
2008-03-22 19:04:33 --- E O F ---


Do you think it deleted my ghost backup? (ghosttray.exe was deleted)

tsahima

HERE IS THE ANTI VIRUS LOG:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, March 30, 2008 11:49:04 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/03/2008
Kaspersky Anti-Virus database records: 673409
-------------------------------------------------------------------------------


Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true


Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\


Scan Statistics:
Total number of scanned objects: 96187
Number of viruses found: 4
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 02:39:43


Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat    Object is locked    skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat   Object is locked    skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG   Object is locked    skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked    skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat    Object is locked    skipped
C:\Documents and Settings\LocalService\NTUSER.DAT   Object is locked    skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG   Object is locked    skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked    skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked    skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked    skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked    skipped
C:\Documents and Settings\Osnat\Cookies\index.dat   Object is locked    skipped
C:\Documents and Settings\Osnat\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini.inuse Object is locked    skipped
C:\Documents and Settings\Osnat\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf    Object is locked    skipped
C:\Documents and Settings\Osnat\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx  Object is locked    skipped
C:\Documents and Settings\Osnat\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf  Object is locked    skipped
C:\Documents and Settings\Osnat\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx    Object is locked    skipped
C:\Documents and Settings\Osnat\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf    Object is locked    skipped
C:\Documents and Settings\Osnat\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt  Object is locked    skipped
C:\Documents and Settings\Osnat\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked    skipped
C:\Documents and Settings\Osnat\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked    skipped
C:\Documents and Settings\Osnat\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx    Object is locked    skipped
C:\Documents and Settings\Osnat\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf    Object is locked    skipped
C:\Documents and Settings\Osnat\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt    Object is locked    skipped
C:\Documents and Settings\Osnat\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx    Object is locked    skipped
C:\Documents and Settings\Osnat\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf    Object is locked    skipped
C:\Documents and Settings\Osnat\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx  Object is locked    skipped
C:\Documents and Settings\Osnat\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf  Object is locked    skipped
C:\Documents and Settings\Osnat\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf    Object is locked    skipped
C:\Documents and Settings\Osnat\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked    skipped
C:\Documents and Settings\Osnat\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked    skipped
C:\Documents and Settings\Osnat\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.cdx   Object is locked    skipped
C:\Documents and Settings\Osnat\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.dbf   Object is locked    skipped
C:\Documents and Settings\Osnat\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx    Object is locked    skipped
C:\Documents and Settings\Osnat\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf    Object is locked    skipped
C:\Documents and Settings\Osnat\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx  Object is locked    skipped
C:\Documents and Settings\Osnat\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf  Object is locked    skipped
C:\Documents and Settings\Osnat\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat  Object is locked    skipped
C:\Documents and Settings\Osnat\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG  Object is locked    skipped
C:\Documents and Settings\Osnat\Local Settings\History\History.IE5\index.dat    Object is locked    skipped
C:\Documents and Settings\Osnat\Local Settings\History\History.IE5\MSHist012008033020080331\index.dat   Object is locked    skipped
C:\Documents and Settings\Osnat\Local Settings\Temp\hpodvd09.log    Object is locked    skipped
C:\Documents and Settings\Osnat\Local Settings\Temp\~DF1430.tmp Object is locked    skipped
C:\Documents and Settings\Osnat\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat   Object is locked    skipped
C:\Documents and Settings\Osnat\Local Settings\Temporary Internet Files\Content.IE5\index.dat   Object is locked    skipped
C:\Documents and Settings\Osnat\NTUSER.DAT  Object is locked    skipped
C:\Documents and Settings\Osnat\ntuser.dat.LOG  Object is locked    skipped
C:\Program Files\DAEMON Tools\SetupDTSB.exe Infected: not-a-virus:AdTool.Win32.WhenU.a  skipped
C:\QooBox\Quarantine\C\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe.vir  Infected: Trojan-Downloader.Win32.Bagle.ma  skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\667187.exe.vir Infected: Trojan.Win32.Pakes.ciw    skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\704687.exe.vir Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\MountPointManagerRemoteDatabase    Object is locked    skipped
C:\System Volume Information\_restore{F09FB033-F71D-4FE1-971E-4DD0004ADE85}\RP1\change.log  Object is locked    skipped
C:\WINDOWS\CSC\00000001 Object is locked    skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked    skipped
C:\WINDOWS\SchedLgU.Txt Object is locked    skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{F063FAEC-1F4D-4AE7-BDAF-2A64A102876E}.bin   Object is locked    skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked    skipped
C:\WINDOWS\Sti_Trace.log    Object is locked    skipped
C:\WINDOWS\system32\CatRoot2\edb.log    Object is locked    skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb    Object is locked    skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked    skipped
C:\WINDOWS\system32\config\default  Object is locked    skipped
C:\WINDOWS\system32\config\default.LOG  Object is locked    skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked    skipped
C:\WINDOWS\system32\config\SAM  Object is locked    skipped
C:\WINDOWS\system32\config\SAM.LOG  Object is locked    skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked    skipped
C:\WINDOWS\system32\config\SECURITY Object is locked    skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked    skipped
C:\WINDOWS\system32\config\software Object is locked    skipped
C:\WINDOWS\system32\config\software.LOG Object is locked    skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked    skipped
C:\WINDOWS\system32\config\system   Object is locked    skipped
C:\WINDOWS\system32\config\system.LOG   Object is locked    skipped
C:\WINDOWS\system32\drivers\dtscsi.sys  Object is locked    skipped
C:\WINDOWS\system32\drivers\sptd.sys    Object is locked    skipped
C:\WINDOWS\system32\drivers\sptd5789.sys    Object is locked    skipped
C:\WINDOWS\system32\h323log.txt Object is locked    skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR    Object is locked    skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP    Object is locked    skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER  Object is locked    skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked    skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked    skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked    skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP  Object is locked    skipped
C:\WINDOWS\wiadebug.log Object is locked    skipped
C:\WINDOWS\wiaservc.log Object is locked    skipped
C:\WINDOWS\WindowsUpdate.log    Object is locked    skipped
D:\Photoshop Temp291967 Object is locked    skipped
D:\System Volume Information\MountPointManagerRemoteDatabase    Object is locked    skipped
D:\System Volume Information\_restore{F09FB033-F71D-4FE1-971E-4DD0004ADE85}\RP1\change.log  Object is locked    skipped


Scan process completed.
gerbil

Please go Start > Run and paste in these commands, one at a time:
sc stop srosa
sc delete srosa
sc stop Megadrv3
sc delete Megadrv3
Good. The combofix /u instruction: I guessed that you had tried to install it on your desktop [it did not run, so I could not see its location]. This cmd would have uninstalled it and its components, but you can do it manually: delete C:\Qoobox and combofix.exe; there may also be a folder beside combofix.exe containing its extracted files.
It looks like your Norton GhostTray.exe was infected; Combofix isolated it, and Kaspersky found the quarantined file to be infected also. You will have to get an uninfected app and reinstall it; your Ghost may be okay, though:
C:\QooBox\Quarantine\C\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe.vir Infected: Trojan-Downloader.Win32.Bagle.ma skipped

Even after you deleted the system32\drivers\down directory it was recreated; Combofix found it again and quarantined two files. Kaspersky detected those:
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\667187.exe.vir Infected: Trojan.Win32.Pakes.ciw skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down\704687.exe.vir Infected: Email-Worm.Win32.Bagle.of skipped

Run CCleaner.
Run Panda online scan. http://www.pandasoftware.com/products/activescan?
Download a fresh copy of Combofix and run it; I'd like to see the remaining Recent Files list, which did not show in the last scan. http://download.bleepingcomputer.com/sUBs/ComboFix.exe
And provide a fresh hijackthis scan from normal mode as well.

tsahima

OK, done it all (stopped the Panda scan in the middle after 400,000 files; it looked too strange):

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-03-31 23:59:58
PROTECTIONS: 0
MALWARE: 2
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00529681 Adware/WhenUSearch Adware No 0 Yes No C:\Program Files\DAEMON Tools\SetupDTSB.exe
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{F09FB033-F71D-4FE1-971E-4DD0004ADE85}\RP1\A0000004.EXE
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================

and combofix:


ComboFix 08-03-30.4 - Osnat 04/01/2008 0:04:30.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1255.1.1033.18.575 [GMT 3:00]
Running from: C:\Documents and Settings\Osnat\Local Settings\Temporary Internet Files\Content.IE5\7K8PLQ29\ComboFix[1].exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SROSA


((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 19:40 --------- d-----w C:\Program Files\Panda Security
2008-03-30 17:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-29 16:16 --------- d-----w C:\Program Files\DAEMON Tools
2008-03-29 15:51 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-03-29 13:08 --------- d-----w C:\Program Files\eMule
2008-03-29 10:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-03-29 00:16 --------- d-----w C:\Program Files\CCleaner
2008-03-28 15:07 --------- d-----w C:\Program Files\Winamp
2008-03-27 19:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-27 19:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-25 23:41 --------- d-----w C:\Program Files\Spyware Doctor
2008-03-25 23:40 --------- d-----w C:\Documents and Settings\Osnat\Application Data\PC Tools
2008-03-22 15:54 --------- d-----w C:\Program Files\Trend Micro
2008-03-22 15:46 --------- d-----w C:\Documents and Settings\Osnat\Application Data\Uniblue
2008-03-21 14:48 --------- d-----w C:\Program Files\Yahoo!
2008-03-21 13:42 --------- d-----w C:\Documents and Settings\Osnat\Application Data\SecondLife
2008-03-21 12:29 --------- d-----w C:\Documents and Settings\Osnat\Application Data\AVG7
2008-02-03 18:40 --------- d-----w C:\Documents and Settings\Osnat\Application Data\TeamViewer
2008-02-01 10:55 42,376 ----a-w C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-05-21 19:50 25,990,392 ----a-w C:\Program Files\FLV PlayerRCSetup.exe
2007-05-21 19:50 2,874,926 ----a-w C:\Program Files\FLV PlayerRCATSetup.exe
2007-03-31 15:03 915,744 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-03-31 15:03 11,040 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{965B54B0-71E0-4611-8DE7-F73FA0B20E26}"= "C:\Program Files\Babylon\Babylon Toolbar\BabylonIEToolBar.dll" [11/01/2007 04:09 PM 265952]

[HKEY_CLASSES_ROOT\clsid\{965b54b0-71e0-4611-8de7-f73fa0b20e26}]
[HKEY_CLASSES_ROOT\BabylonTBLib.BabylonTB.1]
[HKEY_CLASSES_ROOT\TypeLib\{162484B8-B114-453f-A344-C0B24B0F1D99}]
[HKEY_CLASSES_ROOT\BabylonTBLib.BabylonTB]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{965B54B0-71E0-4611-8DE7-F73FA0B20E26}"= C:\Program Files\Babylon\Babylon Toolbar\BabylonIEToolBar.dll [11/01/2007 04:09 PM 265952]

[HKEY_CLASSES_ROOT\clsid\{965b54b0-71e0-4611-8de7-f73fa0b20e26}]
[HKEY_CLASSES_ROOT\BabylonTBLib.BabylonTB.1]
[HKEY_CLASSES_ROOT\TypeLib\{162484B8-B114-453f-A344-C0B24B0F1D99}]
[HKEY_CLASSES_ROOT\BabylonTBLib.BabylonTB]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM 15360]
"ccleaner"="D:\programs\CCleaner\CCleaner.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 12:50 PM 155648]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [08/11/2006 10:43 PM 7630848]
"nwiz"="nwiz.exe" [08/11/2006 10:43 PM 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [08/11/2006 10:43 PM 86016]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [11/09/2005 01:00 AM 128920]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [12/13/2003 03:50 AM 33792]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe" [03/08/2005 07:42 AM 176128]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM 132496]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/12/2005 12:12 AM 49152]
"Babylon Client"="C:\Program Files\Babylon\Babylon-Pro\Babylon.exe" [11/01/2007 04:09 PM 3032800]
"RTHDCPL"="RTHDCPL.EXE" [09/22/2005 02:36 PM 14854144 C:\WINDOWS\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [08/04/2004 02:56 AM 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-07 20:38:10 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 05:44:06 29696]
AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart17.exe [2006-03-05 05:43:54 11000]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 00:23:26 282624]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 01:49:24 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\3dsmax7\\3dsmax.exe"=
"C:\\Program Files\\backburner 2\\monitor.exe"=
"C:\\Program Files\\backburner 2\\manager.exe"=
"C:\\Program Files\\backburner 2\\server.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Crave\\Global Operations\\globalops.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"F:\\Speed.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Crave\\Global Operations\\goserver.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"C:\\Program Files\\NFO.co.il\\Fire eMule 7\\emule.exe"= 4662:UDP
"52926:TCP"= 52926:TCP:eMule
"60155:UDP"= 60155:UDP:eMule

R0 PQV2i;PQV2i;C:\WINDOWS\system32\drivers\PQV2i.sys [07/29/2004 04:33 AM]
R1 PQIMount;PQIMount;C:\WINDOWS\system32\drivers\PQIMount.sys [07/29/2004 05:13 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b995f78-6e3d-11db-9c36-0014858a3979}]
\Shell\AutoRun\command - H:\rthrw.com
\Shell\explore\Command - H:\rthrw.com
\Shell\open\Command - H:\rthrw.com


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{18B0E5C2-99CB-11CF-AXX5-00401C648513}]
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\keygen.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-01 00:07:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\system32\MsiExec.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe
.
**************************************************************************
.
Completion time: 04/01/2008 0:10:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-31 21:10:28
ComboFix2.txt 2008-03-30 17:01:47
Pre-Run: 28,955,410,432 bytes free
Post-Run: 28,948,410,368 bytes free
.
2008-03-22 19:04:33 --- E O F ---

gerbil

==Please copy the text between the lines to Notepad [Format > Word Wrap unchecked] and save it as showkey.bat, as type "All Files", to your desktop; double-click it to run, then post the file C:\showkey.txt
__________________________________________________________
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA" /f
reg delete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b995f78-6e3d-11db-9c36-0014858a3979}" /f
reg delete "HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{18B0E5C2-99CB-11CF-AXX5-00401C648513}" /f
reg query "HKEY_LOCAL_MACHINE\SYSTEM" >C:\showkey.txt
start C:\showkey.txt
__________________________________________________________

=Delete file:
H:\rthrw.com
=Empty your Recycle bin.
=In case you are tempted to do a system restore, we must clear all your system restore points, because some have been infected. So go Control Panel > System > System Restore tab, check "Turn off System Restore on all drives", Apply and OK. Do it all again but uncheck that box, Apply and OK.
[[a quick way in is Start > Run, paste: control sysdm.cpl,,4 and OK]]
Now make a fresh, clean restore point: Start > Programs > Accessories > System Tools > System Restore and create a restore point now!!
[[the quick way to System Restore is Start > Run, paste: %systemroot%\system32\restore\rstrui.exe and OK]]

There appears to be a backdoor trojan operating; I cannot yet pinpoint what is disrupting Panda and Combofix.
A trace of malware does show in that Panda log fragment; this scan should work on it:
==Bitdefender Online Scan using IE only from http://www.bitdefender.com/

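The registry entries ComboFix listed earlier in this thread (the MountPoints2 autorun handlers pointing at H:\rthrw.com, the Active Setup component living in RECYCLER, and the two Security Center *DisableNotify values) are the persistence and defence-evasion tricks that gerbil's showkey.bat removes by hand. As an added example that is not part of this thread, of ComboFix, or of any tool named here, the Python below parses a ComboFix "Reg Loading Points" section, flags those patterns, and prints the reg.exe commands a cleanup batch would need. The class and function names (Finding, reg_path, scan, fix_commands) are this example's own, and SAMPLE_LOG is a sample constructed from the entries quoted in the log above.

```python
"""Triage a ComboFix 'Reg Loading Points' dump for the persistence tricks seen above.

Added example; not part of the thread, ComboFix or any tool named in it.
Finding, reg_path(), scan() and fix_commands() are names chosen here, and
SAMPLE_LOG is constructed from the entries quoted in the thread's ComboFix log.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM 15360]
"ccleaner"="D:\programs\CCleaner\CCleaner.exe" [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b995f78-6e3d-11db-9c36-0014858a3979}]
\Shell\AutoRun\command - H:\rthrw.com
\Shell\explore\Command - H:\rthrw.com
\Shell\open\Command - H:\rthrw.com
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{18B0E5C2-99CB-11CF-AXX5-00401C648513}]
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\keygen.exe
"""


@dataclass
class Finding:
    severity: str  # "high" = persistence or defence evasion, "info" = worth a look
    key: str       # registry key as printed by ComboFix
    entry: str     # the value line that was flagged
    reason: str    # why it matters
    fix: str       # reg.exe command that removes or neutralises it


KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
# Places a legitimate Active Setup StubPath has no business living in.
SUSPECT_DIRS = ("\\recycler\\", "\\temp\\", "\\temporary internet files\\")
HIVES = (("HKEY_LOCAL_MACHINE", "HKLM"), ("HKEY_CURRENT_USER", "HKCU"),
         ("HKEY_USERS", "HKU"), ("HKEY_CLASSES_ROOT", "HKCR"))


def reg_path(key):
    """Shorten the hive name to the form reg.exe accepts on the command line."""
    for long, short in HIVES:
        if key.upper().startswith(long):
            return short + key[len(long):]
    return key


def scan(text):
    """Return a Finding for each suspicious entry in a Reg Loading Points section."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if not line or key is None:
            continue
        lkey, lline, vm, hit = key.lower(), line.lower(), VALUE_RE.match(line), None
        # 1. MountPoints2 caches a volume's autorun.inf handlers, so the worm's
        #    launcher keeps firing from the registry after the USB stick is gone.
        if "\\explorer\\mountpoints2\\" in lkey and "\\shell\\" in lline and "command" in lline:
            hit = ("high", f"cached removable-drive autorun handler runs {line.split(' - ', 1)[-1]}",
                   f'reg delete "{reg_path(key)}" /f')
        # 2. Active Setup runs its StubPath once per user at logon; a stub under
        #    RECYCLER or Temp is a hiding place, not an installer.
        elif "\\active setup\\installed components\\" in lkey and any(d in lline for d in SUSPECT_DIRS):
            hit = ("high", "Active Setup component executes from a throwaway directory",
                   f'reg delete "{reg_path(key)}" /f')
        # 3. *DisableNotify=1 silences the XP SP2 Security Center balloons that
        #    warn when antivirus or automatic updates are off.
        elif (lkey.endswith("\\security center") and vm and vm.group("name").lower().endswith("disablenotify")
              and vm.group("data").lower() == "dword:00000001"):
            hit = ("high", f"{vm.group('name')} suppresses Security Center warnings",
                   f'reg add "{reg_path(key)}" /v {vm.group("name")} /t REG_DWORD /d 0 /f')
        # 4. ComboFix prints "[ ]" for a Run entry whose file is missing: stale
        #    rather than malicious, but not something to leave behind.
        elif lkey.endswith("\\currentversion\\run") and vm and vm.group("data").rstrip().endswith("[ ]"):
            hit = ("info", "Run entry whose target file is missing from disk",
                   f'reg delete "{reg_path(key)}" /v "{vm.group("name")}" /f')
        if hit:
            findings.append(Finding(hit[0], key, line, hit[1], hit[2]))
    return findings


def fix_commands(findings, include_info=False):
    """Deduplicated reg.exe commands in log order; high findings only unless asked."""
    keep = ("high", "info") if include_info else ("high",)
    return list(dict.fromkeys(f.fix for f in findings if f.severity in keep))


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.key}\n    {f.entry}")
    print("\n".join(["", "Cleanup commands:"] + fix_commands(scan(SAMPLE_LOG))))
```

Run it as a script to see the findings; the three handler lines under the one MountPoints2 key collapse to a single delete command. It reads a log, not the live registry, so it can be run anywhere; on the infected machine the printed commands still have to be run through reg.exe from an Administrator account, and, as gerbil's post says, the file the handler points at (H:\rthrw.com) and the keygen.exe in RECYCLER must be deleted separately, since removing the registry entry only stops them from being launched.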