Tech Support Forum - View Single Post - iso help w/ this log from hijackthis v1.99.1

NihLathak · 05-09-2007, 10:11 PM

thus far, the help here has been wonderful especially since its free ftw?

anyway lemme post these logs.

this is the combo one :

"Compaq_Administrator" - 2007-05-09 21:08:52 Service Pack 2
ComboFix 07-05.09.V - Running from: "C:\Documents and Settings\Compaq_Administrator\Desktop\"

((((((((((((((((((((((((((((((( Files Created from 2007-04-09 to 2007-05-09 ))))))))))))))))))))))))))))))))))

2007-05-09 20:59 2,714,784 --a------ C:\ccsetup139.exe
2007-05-09 20:59 <DIR> d-------- C:\Program Files\CCleaner
2007-05-06 18:06 <DIR> d-------- C:\Program Files\Opera
2007-05-06 18:06 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\APPLIC~1\Opera
2007-05-06 02:15 6,561,496 --a------ C:\Opera_9.20_International_Setup.exe
2007-05-05 22:43 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-05-05 22:07 80,384 --a------ C:\WINDOWS\system32\charmap.exe
2007-05-05 22:07 605,696 --a------ C:\WINDOWS\system32\getuname.dll
2007-05-05 22:07 56,832 --a------ C:\WINDOWS\system32\sol.exe
2007-05-05 22:07 55,296 --a------ C:\WINDOWS\system32\freecell.exe
2007-05-05 22:07 538,624 --a------ C:\WINDOWS\system32\spider.exe
2007-05-05 22:07 5,632 --a------ C:\WINDOWS\system32\write.exe
2007-05-05 22:07 343,040 --a------ C:\WINDOWS\system32\mspaint.exe
2007-05-05 22:07 126,976 --a------ C:\WINDOWS\system32\mshearts.exe
2007-05-05 22:07 119,808 --a------ C:\WINDOWS\system32\winmine.exe
2007-05-05 22:07 114,688 --a------ C:\WINDOWS\system32\calc.exe
2007-05-05 22:07 102,912 --a------ C:\WINDOWS\system32\clipbrd.exe

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-10 00:00:16 -------- d-----w C:\Program Files\Diablo II
2007-05-09 23:37:35 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-05-09 23:13:58 -------- d-----w C:\Program Files\Trillian
2007-05-06 02

36 -------- d-----w C:\Program Files\Online Services
2007-05-06 02

07 -------- d-----w C:\Program Files\Windows NT
2007-03-27 04:02:48 -------- d-----w C:\DOCUME~1\COMPAQ~1\APPLIC~1\U3
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ------w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-07 14:36:06 2,010,624 ----a-w C:\ventrilo-2.3.0-Windows-i386.exe
2007-02-25 03:17:56 254,680 ----a-w C:\wddu.exe
2007-02-14 21:25:30 11,352,928 ----a-w C:\sdsetup.exe

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll"
"{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}"="C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll"
"{AA58ED58-01DD-4d91-8333-CF10577473F7}"="c:\program files\google\googletoolbar2.dll"
"{AAAE832A-5FFF-4661-9C8F-369692D1DCB9}"="C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll"
"{B56A7D7D-6927-48C8-A975-17DF180C71AC}"="C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"Spyware Doctor"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^microsoft office.lnk
C:\PROGRA~1\MICROS~4\Office\OSA9.EXE -b -l

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^reschedhpsu.lnk
C:\hp\bin\CLOAKER.EXE c:\hp\bin\commands /c /ww C:\hp\drivers\hpsu\ReSchedHPSU.bat

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\alwaysready power message app
ARPWRMSG.EXE

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aniwzcs2service
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avg7_cc
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bgmonitor_{79662e04-7c6c-4d9f-84c7-88d8a56b10aa}
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccapp
"c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\d-link airplus g
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\discover
C:\Program Files\DISC\DISCover.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\discupdatemanager
C:\Program Files\DISC\DiscUpdMgr.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehtray
C:\WINDOWS\ehome\ehtray.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpbootop
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\is cfgwiz
c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {F073BDC9-0D67-4ff0-879E-27241C843828} /MODE CfgWiz /CMDLINE "REBOOT"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ituneshelper
"C:\Program Files\iTunes\iTunesHelper.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmsgs
"C:\Program Files\Messenger\msmsgs.exe" /background

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nerofiltercheck
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvcpldaemon
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz
nwiz.exe /install

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pcdrprofiler
"C:\Program Files\PC-Doctor 5 for Windows\RunProfiler.exe" -r

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quicktime task
"C:\Program Files\QuickTime\qttask.exe" -atboottime

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\recguard
C:\WINDOWS\SMINST\RECGUARD.EXE

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\reminder
"C:\Windows\Creator\Remind_XP.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rthdcpl
RTHDCPL.EXE

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ssc_userprompt
"c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tkbellexe
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\K]
Shell\AutoRun\command K:\LaunchU3.exe -a

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-09 21:10:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 2007-05-09 21:10:48
C:\ComboFix-quarantined-files.txt ... 2007-05-09 21:10

okay, this is the panda scan :

Incident Status Location

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\ComboFix.exe[ComboFixT\nircmd.exe]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.com.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.kinghost.com/]
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.fortunecity.com/]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\Cache\C2152591d01[ComboFixT\nircmd.exe]
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Spyware:Spyware/PeoplePC Not disinfected C:\Program Files\Online Services\PeoplePC\ISP5900\Dll\RAS.DLL
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe

okay this is the kavscan :

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, May 10, 2007 12:02:46 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 10/05/2007
Kaspersky Anti-Virus database records: 315991
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 98527
Number of viruses found: 1
Number of infected objects: 1 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:56:48

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cert8.db Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\history.dat Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\key3.db Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\parent.lock Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\History\History.IE5\MSHist012007050920070510\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Compaq_Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\hp\bin\KillWind.exe Infected: not-a-virus:RiskTool.Win32.PsKill.p skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP57\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{41FA48B2-A2FC-4FB9-8C3C-9B6ACF7E9880}.crmlog Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{6FCDBC63-1446-4F21-8248-2CEDE52139A2}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP57\change.log Object is locked skipped

Scan process completed.

and last but not least, the hijackthis scan :

Logfile of HijackThis v1.99.1
Scan saved at 12

13 AM, on 5/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

okay i shall await for the helpers Lol :P

05-09-2007, 10:11 PM	#6 (permalink)
NihLathak Registered User Join Date: May 2007 Posts: 6 OS: windows xp	Re: iso help w/ this log from hijackthis v1.99.1 thus far, the help here has been wonderful especially since its free ftw? anyway lemme post these logs. this is the combo one : "Compaq_Administrator" - 2007-05-09 21:08:52 Service Pack 2 ComboFix 07-05.09.V - Running from: "C:\Documents and Settings\Compaq_Administrator\Desktop\" ((((((((((((((((((((((((((((((( Files Created from 2007-04-09 to 2007-05-09 )))))))))))))))))))))))))))))))))) 2007-05-09 20:59 2,714,784 --a------ C:\ccsetup139.exe 2007-05-09 20:59 <DIR> d-------- C:\Program Files\CCleaner 2007-05-06 18:06 <DIR> d-------- C:\Program Files\Opera 2007-05-06 18:06 <DIR> d-------- C:\DOCUME~1\COMPAQ~1\APPLIC~1\Opera 2007-05-06 02:15 6,561,496 --a------ C:\Opera_9.20_International_Setup.exe 2007-05-05 22:43 <DIR> d-------- C:\WINDOWS\system32\NtmsData 2007-05-05 22:07 80,384 --a------ C:\WINDOWS\system32\charmap.exe 2007-05-05 22:07 605,696 --a------ C:\WINDOWS\system32\getuname.dll 2007-05-05 22:07 56,832 --a------ C:\WINDOWS\system32\sol.exe 2007-05-05 22:07 55,296 --a------ C:\WINDOWS\system32\freecell.exe 2007-05-05 22:07 538,624 --a------ C:\WINDOWS\system32\spider.exe 2007-05-05 22:07 5,632 --a------ C:\WINDOWS\system32\write.exe 2007-05-05 22:07 343,040 --a------ C:\WINDOWS\system32\mspaint.exe 2007-05-05 22:07 126,976 --a------ C:\WINDOWS\system32\mshearts.exe 2007-05-05 22:07 119,808 --a------ C:\WINDOWS\system32\winmine.exe 2007-05-05 22:07 114,688 --a------ C:\WINDOWS\system32\calc.exe 2007-05-05 22:07 102,912 --a------ C:\WINDOWS\system32\clipbrd.exe (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-05-10 00:00:16 -------- d-----w C:\Program Files\Diablo II 2007-05-09 23:37:35 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll 2007-05-09 23:13:58 -------- d-----w C:\Program Files\Trillian 2007-05-06 0236 -------- d-----w C:\Program Files\Online Services 2007-05-06 0207 -------- d-----w C:\Program Files\Windows NT 2007-03-27 04:02:48 -------- d-----w C:\DOCUME~1\COMPAQ~1\APPLIC~1\U3 2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll 2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll 2007-03-08 15:36:28 40,960 ------w C:\WINDOWS\system32\mf3216.dll 2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll 2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys 2007-03-07 14:36:06 2,010,624 ----a-w C:\ventrilo-2.3.0-Windows-i386.exe 2007-02-25 03:17:56 254,680 ----a-w C:\wddu.exe 2007-02-14 21:25:30 11,352,928 ----a-w C:\sdsetup.exe (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" "{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}"="C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll" "{AA58ED58-01DD-4d91-8333-CF10577473F7}"="c:\program files\google\googletoolbar2.dll" "{AAAE832A-5FFF-4661-9C8F-369692D1DCB9}"="C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll" "{B56A7D7D-6927-48C8-A975-17DF180C71AC}"="C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup" [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE" "Spyware Doctor"="" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\ 63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\ 6d,73,73,74,79,6c,65,73,00 "InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\ 73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00 HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages msv1_0\0\0 Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages scecli\0\0 HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^microsoft office.lnk C:\PROGRA~1\MICROS~4\Office\OSA9.EXE -b -l HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^reschedhpsu.lnk C:\hp\bin\CLOAKER.EXE c:\hp\bin\commands /c /ww C:\hp\drivers\hpsu\ReSchedHPSU.bat HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\alwaysready power message app ARPWRMSG.EXE HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aniwzcs2service C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast! C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avg7_cc C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bgmonitor_{79662e04-7c6c-4d9f-84c7-88d8a56b10aa} "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccapp "c:\Program Files\Common Files\Symantec Shared\ccApp.exe" HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe C:\WINDOWS\system32\ctfmon.exe HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\d-link airplus g C:\Program Files\D-Link\AirPlus G\AirGCFG.exe HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\discover C:\Program Files\DISC\DISCover.exe HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\discupdatemanager C:\Program Files\DISC\DiscUpdMgr.exe HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehtray C:\WINDOWS\ehome\ehtray.exe HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpbootop "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\is cfgwiz c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {F073BDC9-0D67-4ff0-879E-27241C843828} /MODE CfgWiz /CMDLINE "REBOOT" HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ituneshelper "C:\Program Files\iTunes\iTunesHelper.exe" HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmsgs "C:\Program Files\Messenger\msmsgs.exe" /background HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nerofiltercheck C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvcpldaemon RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz nwiz.exe /install HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pcdrprofiler "C:\Program Files\PC-Doctor 5 for Windows\RunProfiler.exe" -r HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quicktime task "C:\Program Files\QuickTime\qttask.exe" -atboottime HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\recguard C:\WINDOWS\SMINST\RECGUARD.EXE HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\reminder "C:\Windows\Creator\Remind_XP.exe" HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rthdcpl RTHDCPL.EXE HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ssc_userprompt "c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tkbellexe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter HTTPFilter\0\0 LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService DnsCache\0\0 DcomLaunch DcomLaunch\0TermService\0\0 rpcss RpcSs\0\0 imgsvc StiSvc\0\0 termsvcs TermService\0\0 HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\K] Shell\AutoRun\command K:\LaunchU3.exe -a ****************************************************************** catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-05-09 21:10:45 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden services ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 ****************************************************************** Completion time: 2007-05-09 21:10:48 C:\ComboFix-quarantined-files.txt ... 2007-05-09 21:10 okay, this is the panda scan : Incident Status Location Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\ComboFix.exe[ComboFixT\nircmd.exe] Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.tribalfusion.com/] Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.statcounter.com/] Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.atdmt.com/] Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.doubleclick.net/] Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.ads.pointroll.com/] Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.adultfriendfinder.com/] Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.advertising.com/] Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.yadro.ru/] Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.hitbox.com/] Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.questionmarket.com/] Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.hitbox.com/] Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.questionmarket.com/] Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.fastclick.net/] Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.mediaplex.com/] Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.com.com/] Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[ad.yieldmanager.com/] Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.adrevolver.com/] Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[ad.yieldmanager.com/] Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.kinghost.com/] Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cookies.txt[.fortunecity.com/] Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\Cache\C2152591d01[ComboFixT\nircmd.exe] Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe Spyware:Spyware/PeoplePC Not disinfected C:\Program Files\Online Services\PeoplePC\ISP5900\Dll\RAS.DLL Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe okay this is the kavscan : ------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER REPORT Thursday, May 10, 2007 12:02:46 AM Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.83.0 Kaspersky Anti-Virus database last update: 10/05/2007 Kaspersky Anti-Virus database records: 315991 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: C:\ D:\ E:\ F:\ G:\ H:\ I:\ Scan Statistics: Total number of scanned objects: 98527 Number of viruses found: 1 Number of infected objects: 1 / 0 Number of suspicious objects: 0 Duration of the scan process: 00:56:48 Infected Object Name / Virus Name / Last Action C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\cert8.db Object is locked skipped C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\history.dat Object is locked skipped C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\key3.db Object is locked skipped C:\Documents and Settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\parent.lock Object is locked skipped C:\Documents and Settings\Compaq_Administrator\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\Cache\_CACHE_001_ Object is locked skipped C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\Cache\_CACHE_002_ Object is locked skipped C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\Cache\_CACHE_003_ Object is locked skipped C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\mbfv08x7.default\Cache\_CACHE_MAP_ Object is locked skipped C:\Documents and Settings\Compaq_Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Compaq_Administrator\Local Settings\History\History.IE5\MSHist012007050920070510\index.dat Object is locked skipped C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Compaq_Administrator\NTUSER.DAT Object is locked skipped C:\Documents and Settings\Compaq_Administrator\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\hp\bin\KillWind.exe Infected: not-a-virus:RiskTool.Win32.PsKill.p skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP57\change.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{41FA48B2-A2FC-4FB9-8C3C-9B6ACF7E9880}.crmlog Object is locked skipped C:\WINDOWS\SoftwareDistribution\EventCache\{6FCDBC63-1446-4F21-8248-2CEDE52139A2}.bin Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped D:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP57\change.log Object is locked skipped Scan process completed. and last but not least, the hijackthis scan : Logfile of HijackThis v1.99.1 Scan saved at 1213 AM, on 5/10/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe C:\WINDOWS\arservice.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Spyware Doctor\sdhelp.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\ehome\mcrdsvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\HiJackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...RIO&pf=desktop O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe okay i shall await for the helpers Lol :P