10-08-2007, 07:39 PM   #6
jimmyfishcake
Registered User
 
Join Date: Sep 2007
Posts: 5
OS: XP


Re: pc very slow, multiple trojans/malware, hijackthis log

Hi, I didn't have any problem performing these steps; my PC is a bit faster now. Here are the requested log files:

ComboFix 07-10-05.3 - Jon_W 2007-10-09 11:02:47.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.626 [GMT 13:00]
Running from: C:\Documents and Settings\Jon_W\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jon_W\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\DOCUME~1\Jon_W\LOCALS~1\Temp\jbridgep.sys
.

((((((((((((((((((((((((( Files Created from 2007-09-08 to 2007-10-08 )))))))))))))))))))))))))))))))
.

2007-10-05 21:25 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-05 19:40 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-02 22:32 <DIR> d-------- C:\Deckard
2007-09-30 22:34 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-30 22:10 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-09-30 06:38 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-09-30 00:58 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-09-28 08:04 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-09-28 08:04 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-09-28 08:04 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-09-12 09:22 <DIR> d-------- C:\Program Files\Mobiola Web Camera for S60 3Ed

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-09 07:57 --------- d-------- C:\Documents and Settings\Jon_W\Application Data\OpenOffice.org2
2007-09-30 18:04 --------- d-------- C:\Program Files\Softdiv Audio Converter
2007-09-30 18:03 --------- d-------- C:\Program Files\Shareaza
2007-09-30 18:03 --------- d-------- C:\Program Files\PowerISO
2007-09-30 18:03 --------- d-------- C:\Program Files\PKR
2007-09-30 17:55 --------- d-------- C:\Program Files\Multimedia Combo Set
2007-09-30 17:55 --------- d-------- C:\Program Files\Microsoft IntelliPoint
2007-09-30 17:55 --------- d-------- C:\Program Files\Microsoft ActiveSync
2007-09-30 06:37 --------- d-------- C:\Program Files\Common Files\Real
2007-09-30 06:36 --------- d-------- C:\Documents and Settings\Jon_W\Application Data\Real
2007-09-30 04:31 --------- d-------- C:\Program Files\WinAce
2007-09-30 04:31 --------- d-------- C:\Program Files\QuickTime
2007-09-20 22:45 --------- d-------- C:\Program Files\Activision Value
2007-09-18 01:14 --------- d-------- C:\Program Files\TexasCalculatem
2007-09-17 21:21 --------- d-------- C:\Program Files\Poker.com
2007-09-15 19:32 --------- d-------- C:\Program Files\Axis & Allies
2007-09-03 10:27 --------- d-------- C:\Program Files\jetflash
2007-09-02 20:53 --------- d-------- C:\Program Files\ShotOnline International
2007-08-30 16:56 --------- d-------- C:\Program Files\CDisplay
2007-08-26 11:45 --------- d-------- C:\Documents and Settings\Jon_W\Application Data\GrabIt
2007-08-21 23:14 --------- d-------- C:\Program Files\Steam
2007-08-21 15:42 --------- d-------- C:\Program Files\Winamp
2007-08-19 20:50 --------- d-------- C:\Program Files\American Systems
2007-08-19 20:44 2772480 --a------ C:\Program Files\psdlx.exe
2007-08-18 00:25 --------- d-------- C:\Documents and Settings\Jon_W\Application Data\Media Player Classic
2007-08-17 21:33 --------- d-------- C:\Program Files\K-Lite Codec Pack
2007-08-17 21:23 --------- d-------- C:\Program Files\Morgan
2007-08-17 21:23 --------- d-------- C:\Program Files\DivX
2007-08-17 21:22 13043226 --a------ C:\Program Files\klcodec330f.exe
2007-08-17 16:39 --------- d-------- C:\Program Files\GameSpy Arcade
2007-08-17 16:38 --------- d-------- C:\Program Files\GRETECH
2007-08-17 16:28 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-17 16:14 --------- d-------- C:\Program Files\Real
2007-08-17 15:54 --------- d-------- C:\Program Files\Video Server E
2007-08-16 04:00 --------- d-------- C:\Program Files\MSXML 4.0
2007-08-13 17:08 --------- d-------- C:\Documents and Settings\Jon_W\Application Data\SecondLife
2007-08-12 02:11 --------- d-------- C:\Program Files\NZBPlayer
2007-08-11 16:19 --------- d-------- C:\Program Files\PartyGaming
2007-08-11 15:46 --------- d-------- C:\Program Files\Cypress USB 2.0 DVR
2007-08-11 15:17 --------- d-------- C:\Documents and Settings\Jon_W\Application Data\Microsoft Games
2007-08-10 20:37 --------- d-------- C:\Documents and Settings\Jon_W\Application Data\Skype
2007-08-09 01:49 --------- d-------- C:\Program Files\id Software
2007-08-06 04:24 9453630 --a------ C:\Program Files\vlc-0.8.6a-win32.exe
2007-06-30 04:59 1572511 --a------ C:\Program Files\SetupImgBurn_2.3.2.0.exe
2007-06-30 04:53 8166272 --a------ C:\Program Files\Alcohol120_trial_1.9.6.5403.exe
2007-05-19 22:19 6182805 --a------ C:\Program Files\Firefox Setup 2.0.0.3.exe
2007-05-19 09:33 6136608 --a------ C:\Program Files\winamp535_pro.exe
2007-04-28 02:07 20942920 --a------ C:\Program Files\SkypeSetup.exe
2007-04-17 21:46 113849647 --a------ C:\Program Files\OOo_2.2.0_Win32Intel_install_wJRE_en-US.exe
2007-04-16 07:43 5051008 --a------ C:\Program Files\TradeManagerInstall.exe
2007-02-08 01:56 25886966 --a------ C:\Program Files\WDM_R154.exe
2007-02-08 00:53 25886966 --a------ C:\Program Files\RTLCPL.exe
2007-01-19 13:23 14994392 --a------ C:\Program Files\GoogleEarthWin.exe
2006-11-23 19:51 611017728 --a------ C:\Program Files\PRISMGuardShield_Demo.exe
2006-11-22 04:21 43099 --a------ C:\Program Files\simpleviewer.zip
2006-11-21 19:50 535421557 --a------ C:\Program Files\WAR_FRONT_MULTIPLAYER_DEMO.EXE
2006-11-06 16:34 855344 --a------ C:\Program Files\WGAPluginInstall.exe
2005-11-23 21:07 4878136 --a------ C:\Program Files\Firefox Setup 1.0.7.exe
2005-10-06 12:47 2266608 --a------ C:\Program Files\ec22.exe
2005-10-05 21:21 3797975 --a------ C:\Program Files\BitTorrent-4.0.4.exe
2005-10-03 11:59 895488 --a------ C:\Program Files\iview397.exe
2005-02-04 16:24 10810909 --a------ C:\Program Files\avg70free_300a419.exe
2004-06-23 09:27 1531833 --a------ C:\Program Files\NT187.EXE
1999-05-06 01:30 956 --a------ C:\Program Files\DXINFO.CFG
1999-05-06 01:30 8170 --a------ C:\Program Files\README.TXT
1999-05-06 01:30 35328 --a------ C:\Program Files\DXLAUNCH.EXE
1999-05-06 01:30 35 --a------ C:\Program Files\AUTOPLAY.BAT
2005-06-26 20:32:28 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 03:37:42 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))


---- Directory of C:\WINDOWS\MustRead\ ----

2005-01-10 20:18 40960 -rah----- C:\WINDOWS\MustRead\\Must Read.exe
2004-12-31 21:37 79775 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.htm
2004-12-31 21:37 369 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\border_index.css
2004-12-31 21:37 194 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\bord01.css
2004-12-31 21:35 5286 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\V-301_150.jpg
2004-12-31 15:08 696 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\icon-question-1.gif
2004-12-31 15:08 664 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\profile_manual.gif
2004-12-31 15:08 648 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\icon-download-2.gif
2004-12-31 15:08 624 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\PRODUCTS_manual.gif
2004-12-31 15:08 549 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\news_manual.gif
2004-12-31 15:08 527 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\award_manual.gif
2004-12-31 15:08 403 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\FAQ_MANUAL.gif
2004-12-31 15:08 245 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\line_index.gif
2004-12-30 20:54 774 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\icon-buy.gif
2004-12-30 20:54 761 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\registration_1.gif
2004-12-30 20:54 7560 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\nvidia.jpg
2004-12-30 20:54 7114 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\winXPMC.gif
2004-12-30 20:54 6612 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\402_PlayTV500DVB-T.gif
2004-12-30 20:54 6532 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\G6600_Box%20GT_128_150.jpg
2004-12-30 20:54 648 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\3DVGA_manual.gif
2004-12-30 20:54 619 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\partners_manual.gif
2004-12-30 20:54 553 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\icon-award.gif
2004-12-30 20:54 550 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\certificate_manual.gif
2004-12-30 20:54 540 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\contact_manual.gif
2004-12-30 20:54 5334 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\PROLINKNEWS.jpg
2004-12-30 20:54 515 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\iabu_01.gif
2004-12-30 20:54 435 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\home-2.gif
2004-12-30 20:54 4004 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\CeBIT.jpg
2004-12-30 20:54 3581 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\print-icon1.jpg
2004-12-30 20:54 30741 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\mm_menu.js
2004-12-30 20:54 30029 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\400USB_BoxCard_150.jpg
2004-12-30 20:54 24913 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\DVB-T_mark.jpg
2004-12-30 20:54 2181 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\new04.gif
2004-12-30 20:54 2116 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\aboutprolink_manual.gif
2004-12-30 20:54 19675 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\vmax_products.gif
2004-12-30 20:54 19504 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\PCX_POR.jpg
2004-12-30 20:54 1664 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\support_manual.gif
2004-12-30 20:54 160 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\work.gif
2004-12-30 20:54 129 -ra------ C:\WINDOWS\MustRead\\Prolink Microsystems Corporation_ Copyright c 2002.files\tower.gif
2004-12-29 14:05 450270 -ra------ C:\WINDOWS\MustRead\\bmp\SPA.bmp
2004-12-29 14:03 450270 -ra------ C:\WINDOWS\MustRead\\bmp\GER.bmp
2004-12-29 14:02 450270 -ra------ C:\WINDOWS\MustRead\\bmp\FRE.bmp
2004-12-29 14:01 450270 -ra------ C:\WINDOWS\MustRead\\bmp\ENU.bmp
2004-12-29 14:01 450270 -ra------ C:\WINDOWS\MustRead\\bmp\CHS.bmp
2004-12-29 14:00 450270 -ra------ C:\WINDOWS\MustRead\\bmp\KOR.bmp
2004-12-29 14:00 450270 -ra------ C:\WINDOWS\MustRead\\bmp\JPN.bmp
2004-12-29 13:59 450270 -ra------ C:\WINDOWS\MustRead\\bmp\CHT.bmp


((((((((((((((((((((((((((((( snapshot@2007-10-05_19.43.36.71 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 163,328 2007-09-27 09:03:23 C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
----a-w 17,260,544 2007-10-05 17:16:42 C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
----a-w 487,424 2007-10-05 17:16:42 C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
----a-w 163,328 2007-09-27 09:03:23 C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
----a-w 17,260,544 2007-10-05 08:25:52 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat
----a-w 487,424 2007-10-05 08:25:52 C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-09-14 10:03]
"AVG7_EMC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" [2007-08-17 10:04]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-01-28 19:40]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2006-06-06 03:06]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-03-24 12:26]
"DSLSTATEXE"="C:\Program Files\D-Link\DSL-200\dslstat.exe" [2005-01-21 21:04]
"DSLAGENTEXE"="C:\Program Files\D-Link\DSL-200\dslagent.exe" [2005-01-21 21:04]
"WMC_AutoUpdate"="" []
"RaidTool"="C:\Program Files\VIA\RAID\raid_tool.exe" [2006-01-04 14:43]
"VTTimer"="VTTimer.exe" [2005-03-08 08:33 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-11-01 09:15 C:\WINDOWS\system32\VTTrayp.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 12:22 C:\WINDOWS\system32\nvmctray.dll]
"P17Helper"="SPIRun.dll" [2006-07-03 12:43 C:\WINDOWS\system32\SPIRun.dll]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-07-28 09:56]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 05:00]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-16 10:48]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 22:25]
"WireLessMouse "="C:\Program Files\Multimedia Combo Set\MouseDrv.exe" [2004-06-27 15:54]
"WireLessKeyboard "="C:\Program Files\Multimedia Combo Set\PS2USBKbdDrv.exe" [2005-08-02 23:55]
"PKR Pal"="C:\Program Files\PKR\pkrpal.exe" [2007-09-19 00:40]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-30 06:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Shareaza"="C:\Program Files\Shareaza\Shareaza.exe" [2005-10-27 19:44]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-23 00:13]
"SetDefaultMIDI"="MIDIDef.exe" [2005-04-22 11:27 C:\WINDOWS\MIDIDEF.EXE]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-20 23:36]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"FFTI"=C:\Documents and Settings\Jon_W\Application Data\Mozilla\Firefox\Profiles\uknct2rc.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Jon_W\Application Data\Mozilla\Firefox\Profiles/uknct2rc.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"

C:\Documents and Settings\Jon_W\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 17:54:56]
PowerReg Scheduler.exe [2006-01-24 01:36:36]
Registration Lock On [2007-07-02 07:56:07]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys
R3 BTCAMDRV;Mobiola Web Camera driver;C:\WINDOWS\system32\DRIVERS\BTCamDrv.sys
R3 P17xfi;Sound Blaster X-Fi Xtreme Audio;C:\WINDOWS\system32\drivers\P17xfi.sys
R3 p17xfilt;p17xfilt;C:\WINDOWS\system32\drivers\p17xfilt.sys
R3 wanusb;D-Link DSL-200 USB ADSL Modem(WAN);C:\WINDOWS\system32\DRIVERS\gwausb.sys
S2 DCamUSB20;USB 2.0 Capture;C:\WINDOWS\system32\Drivers\CsMini20.sys
S2 Usb20Scan;USB 2.0 Still Image;C:\WINDOWS\system32\Drivers\CresScan.sys
S3 VNic;ULan Network Driver Module;C:\WINDOWS\system32\DRIVERS\VNic.sys

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-09 11:07:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\wininit.ini
C:\WINDOWS\winnt.bmp
C:\WINDOWS\winnt256.bmp
C:\WINDOWS\WinSxS
C:\WINDOWS\WMFDist11.log
C:\WINDOWS\wmp11.log
C:\WINDOWS\wmp11Uninst.log
C:\WINDOWS\wmsetup.log
C:\WINDOWS\wmsetup10.log
C:\WINDOWS\WMSysPr9.prx
C:\WINDOWS\WMSysPrx.prx
C:\WINDOWS\WSST_Screen_Saver.ini
C:\WINDOWS\Wudf01000Inst.log
C:\WINDOWS\wwdslcfg.ini
C:\WINDOWS\wwdslcfg.log
C:\WINDOWS\XDICT.INI
C:\WINDOWS\Zapotec.bmp
C:\WINDOWS\_default.pif
C:\WINDOWS\_MSRSTRT.EXE
C:\WINDOWS\Windows Update.log
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\WindowsUpdate.log
C:\WINDOWS\winhelp.exe
C:\WINDOWS\winhlp32.exe

scan completed successfully
hidden files: 24

**************************************************************************
.
Completion time: 2007-10-09 11:09:46 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-09 11:09
C:\ComboFix2.txt ... 2007-10-06 06:08
C:\ComboFix3.txt ... 2007-10-05 19:44
.
--- E O F ---

KASPERSKY ONLINE SCANNER REPORT
Tuesday, October 09, 2007 2:11:20 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/10/2007
Kaspersky Anti-Virus database records: 429470


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics
Total number of scanned objects 127180
Number of viruses found 3
Number of infected objects 11
Number of suspicious objects 0
Duration of the scan process 01:23:08

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\AVG7\AVG7QT.DAT Infected: Trojan.Win32.Qhost.kc skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\Jon_W\Application Data\$_hpcst$.hpc Object is locked skipped

C:\Documents and Settings\Jon_W\Application Data\AVG7\Log\emc.log Object is locked skipped

C:\Documents and Settings\Jon_W\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Jon_W\Desktop\setup.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.btu skipped

C:\Documents and Settings\Jon_W\Desktop\setup.exe/stream Infected: Trojan-Downloader.Win32.Zlob.btu skipped

C:\Documents and Settings\Jon_W\Desktop\setup.exe NSIS: infected - 2 skipped

C:\Documents and Settings\Jon_W\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Jon_W\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Jon_W\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Jon_W\Local Settings\Temp\WCESLog.log Object is locked skipped

C:\Documents and Settings\Jon_W\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Jon_W\ntuser.dat Object is locked skipped

C:\Documents and Settings\Jon_W\NTUSER.DAT.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\SDFix\backups_old1\backups.zip/backups/setup.exe/data0007 Infected: Trojan-Downloader.Win32.Zlob.bqu skipped

C:\SDFix\backups_old1\backups.zip/backups/setup.exe Infected: Trojan-Downloader.Win32.Zlob.bqu skipped

C:\SDFix\backups_old1\backups.zip ZIP: infected - 2 skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{CFA48CF2-59EA-46D3-A312-1F329C8A297C}\RP459\A0224602.exe/data0007 Infected: Trojan-Downloader.Win32.Zlob.bqu skipped

C:\System Volume Information\_restore{CFA48CF2-59EA-46D3-A312-1F329C8A297C}\RP459\A0224602.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{CFA48CF2-59EA-46D3-A312-1F329C8A297C}\RP459\A0224610.exe/data0007 Infected: Trojan-Downloader.Win32.Zlob.bqu skipped

C:\System Volume Information\_restore{CFA48CF2-59EA-46D3-A312-1F329C8A297C}\RP459\A0224610.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{CFA48CF2-59EA-46D3-A312-1F329C8A297C}\RP462\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\pfirewall.log Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:25:31 p.m., on 9/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\D-Link\DSL-200\dslstat.exe
C:\Program Files\D-Link\DSL-200\dslagent.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Multimedia Combo Set\MouseDrv.exe
C:\Program Files\Multimedia Combo Set\PS2USBKbdDrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\system32\IETie.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\D-Link\DSL-200\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\D-Link\DSL-200\dslagent.exe
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [WireLessMouse ] C:\Program Files\Multimedia Combo Set\MouseDrv.exe
O4 - HKLM\..\Run: [WireLessKeyboard ] C:\Program Files\Multimedia Combo Set\PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [PKR Pal] "C:\Program Files\PKR\pkrpal.exe" -osboot
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\Jon_W\Application Data\Mozilla\Firefox\Profiles\uknct2rc.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Jon_W\Application Data\Mozilla\Firefox\Profiles/uknct2rc.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - C:\Program Files\GhostSurf\LaunchPCC.exe (file missing)
O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - C:\Program Files\GhostSurf\LaunchPCC.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\Poker.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescampus.com/xiah/luncher/GamesCampus.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {156BF4B7-AE3A-4365-BD88-95A75AF8F09D} (HPSDDX Class) - http://www.hp.com/cpso-support-new/S...dObjSigned.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/pa.../GSManager.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamespyarcade.com/soft...ch/alaunch.cab
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://212.150.183.238/activex/AxisCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {D3A7982E-915D-4589-8ECE-249F70D0C941} (Launch Control) - http://aaotracker.4players.de/LaunchGame.cab
O16 - DPF: {FDF6378C-7B5D-4ABF-BA1F-92748305FFAC} (DownloadManagerInstall Control) - http://beta.byteswarm.com/agent/1.3.0.1/DMInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2B011FC-52BC-4B06-A2C6-284118F8F318}: NameServer = 210.48.65.2 210.48.66.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{F8F125C6-8B6C-4CDF-88B4-6FD4DA61A6E4}: NameServer = 203.0.178.191
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 10507 bytes
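A small triage script, added here as an editor's example and not part of this post or of ComboFix, Kaspersky or HijackThis: it parses lines in the two formats pasted above (HijackThis `Onn -` entries and Kaspersky `... Infected: <name> <action>` lines), flags the entries a reviewer looks at first, and separates live detections from copies sitting in System Restore points or in a tool's quarantine/backup store. The sample lines are copied from the logs above; the severity levels, the bare-IP rule for O16 download points, and the assumption that AVG7QT.DAT and the SDFix backups folder hold quarantined copies rather than live files are this example's own choices.

```python
"""Triage helper for HijackThis and Kaspersky Online Scanner report lines.

Added example; the heuristics are assumptions of this example, not rules
published by HijackThis or Kaspersky.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample input: lines copied from the logs in the post above.
SAMPLE_HJT = r"""
O9 - Extra button: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - C:\Program Files\GhostSurf\LaunchPCC.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://212.150.183.238/activex/AxisCamControl.ocx
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F8F125C6-8B6C-4CDF-88B4-6FD4DA61A6E4}: NameServer = 203.0.178.191
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

SAMPLE_KAV = r"""
C:\Documents and Settings\All Users\Application Data\AVG7\AVG7QT.DAT Infected: Trojan.Win32.Qhost.kc skipped
C:\Documents and Settings\Jon_W\Desktop\setup.exe/stream Infected: Trojan-Downloader.Win32.Zlob.btu skipped
C:\Documents and Settings\Jon_W\Desktop\setup.exe NSIS: infected - 2 skipped
C:\SDFix\backups_old1\backups.zip/backups/setup.exe Infected: Trojan-Downloader.Win32.Zlob.bqu skipped
C:\System Volume Information\_restore{CFA48CF2-59EA-46D3-A312-1F329C8A297C}\RP459\A0224602.exe/data0007 Infected: Trojan-Downloader.Win32.Zlob.bqu skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
KAV_INFECTED = re.compile(r"^(?P<obj>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
URL_RE = re.compile(r"https?://\S+")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_hijackthis(text):
    """Return (level, section, note, line) tuples for entries worth a second look."""
    findings = []
    for line in text.strip().splitlines():
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if "(file missing)" in body:
            findings.append(("low", section, "orphaned entry, target file missing", line))
        elif section == "O23" and "Unknown owner" in body:
            findings.append(("medium", section, "service with no vendor string; verify the binary", line))
        elif section == "O10":
            findings.append(("medium", section, "Winsock LSP HijackThis does not recognise; verify the DLL", line))
        elif section == "O16":
            # ActiveX (DPF) entries name the URL the control was installed from.
            url = URL_RE.search(body)
            host = urlparse(url.group(0)).hostname if url else None
            if host and _is_ip_literal(host):
                findings.append(("high", section, "ActiveX download point is a bare IP address", line))
        elif section == "O17":
            ips = IP_RE.findall(body)
            findings.append(("info", section, "DNS servers %s; confirm they belong to the ISP" % ", ".join(ips), line))
    return findings


def triage_kaspersky(text):
    """Group 'Infected:' hits by container file and record where each one sits."""
    hits = {}
    for line in text.strip().splitlines():
        m = KAV_INFECTED.match(line)
        if not m:
            continue  # 'Object is locked' and archive summary lines carry no detection name
        # Drop the archive-member suffix (e.g. /stream/data0006) to get the file on disk.
        container = m.group("obj").split("/", 1)[0]
        low = container.lower()
        if "\\system volume information\\" in low:
            where = "restore point copy"
        elif low.endswith("avg7qt.dat") or "\\sdfix\\backups" in low:
            where = "quarantine or tool backup"  # assumption: these are stores, not live files
        else:
            where = "live file"
        hits.setdefault(container, {"where": where, "names": set()})["names"].add(m.group("name"))
    return hits


if __name__ == "__main__":
    for level, section, note, _ in triage_hijackthis(SAMPLE_HJT):
        print(f"[{level:6}] {section}: {note}")
    for container, info in triage_kaspersky(SAMPLE_KAV).items():
        print(f"{info['where']:26} {', '.join(sorted(info['names']))}  {container}")
```

The grouping is the useful part. Of the 11 infected objects Kaspersky counted above, only the Desktop `setup.exe` is a live file; the other Zlob hits are the same installer preserved in SDFix's backup archive and in two System Restore points (which is why the usual advice is to flush restore points once the machine is clean), and the Qhost hit sits inside AVG7QT.DAT, assumed here to be AVG's quarantine store. The bare-IP and Unknown-owner rules are prompts for verification, not verdicts; PunkBuster's PnkBstrA/B, for example, routinely show no owner string.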