Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 




Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > HijackThis Log Help
Hacktool, Trojan Horse, w32.Spybot.Worm, Trojan.Startpage, Downloader., Multiple Infe Hacktool, Trojan Horse, w32.Spybot.Worm, Trojan.Startpage, Downloader., Multiple Infe
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read

HijackThis Log Help Get Rid Of Malware With Help From Our Analysts. Follow the "First Steps" link at the top right of each page before posting for help.

Reply
 
Thread Tools
Old 03-11-2008, 07:09 AM   #1 (permalink)
Registered User
 
Join Date: Mar 2008
Posts: 6
OS: XP Pro


Hacktool, Trojan Horse, w32.Spybot.Worm, Trojan.Startpage, Downloader., Multiple Infe
Hello guys, Thanks for the help with this.
I get a Norton AV window that pops up all the time with file names like $055C6D52.t$m for example. When I look in the quarantine folder I find Hacktool, Trojan Horse, w32.Spybot.Worm, Trojan.Startpage, Downloader.Lop,Bloodhound.Overpacked, Infostealer.Wowcraft, Backdoor.Graybird as files in quarantine. I would like to eliminate whatever it is that keeps attempting to re-infect my machine.

I'm running Norton and AVG, Spybot, and Windows Defender.
I appreciate any help.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:14:45 PM, on 3/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Winamp\winampa.exe
C:\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
C:\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DNA\btdna.exe
C:\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\HijackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [MimBoot] C:\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MaxBlastMonitor.exe] C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Event Planner Reminder.lnk = C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1180201189984
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

--
End of file - 9594 bytes
thedishdoc is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 03-16-2008, 02:01 AM   #2 (permalink)
Moderator, Analyst, Security Team
 
amateur's Avatar
 
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 2,755
OS: XP Home SP3, XP Media Center Edition SP3


Re: Hacktool, Trojan Horse, w32.Spybot.Worm, Trojan.Startpage, Downloader., Multiple
Hello and welcome to TSF.

Sorry for the delayed response. If you have not received help elsewhere and still need help please follow the instructions in IMPORTANT - Read This Before Posting A Log and post the two text files, main.txt and extra.txt produced by the Deckard's System Scanner, as it has been a while since you posted.
__________________
My services are free. However, you can donate to TSF to help keep it running and prospering.
ASAP

amateur is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 03-17-2008, 03:17 PM   #3 (permalink)
Registered User
 
Join Date: Mar 2008
Posts: 6
OS: XP Pro


Re: Hacktool, Trojan Horse, w32.Spybot.Worm, Trojan.Startpage, Downloader., Multiple
Thanks for the reply and for your assistance with this.


Deckard's System Scanner v20071014.68
Run by Henderson Holman on 2008-03-17 17:10:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
5: 2008-03-17 22:10:09 UTC - RP6 - Deckard's System Scanner Restore Point
4: 2008-03-17 21:59:02 UTC - RP5 - Software Distribution Service 3.0
3: 2008-03-11 13:40:06 UTC - RP4 - System Checkpoint
2: 2008-03-09 00:43:48 UTC - RP3 - System Checkpoint
1: 2008-03-07 00:21:14 UTC - RP2 - March 6th 2008


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Henderson Holman.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:10:49 PM, on 3/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Winamp\winampa.exe
C:\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Musicmatch\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Documents and Settings\Henderson Holman\Local Settings\Temporary Internet Files\Content.IE5\RGUA6FSU\dss[1].exe
C:\PROGRA~1\HIJACK~1\Henderson Holman.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [MimBoot] C:\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MaxBlastMonitor.exe] C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Event Planner Reminder.lnk = C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1180201189984
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

--
End of file - 9708 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - "regedit.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 timounter (Acronis True Image Backup Archive Explorer) - c:\windows\system32\drivers\timntr.sys <Not Verified; Acronis; Acronis True Image>
R2 tifsfilter (Acronis True Image FS Filter) - c:\windows\system32\drivers\tifsfilt.sys <Not Verified; Acronis; Acronis True Image>

S3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
S3 SYMIDSCO - c:\windows\system32\drivers\symidsco.sys (file missing)
S4 BCSWAP - c:\windows\system32\drivers\bcswap.sys <Not Verified; Jetico, Inc.; Jetico(R) BestCrypt(TM) Security System for Windows NT/2000/XP(TM)>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 gearsec - c:\windows\system32\gearsec.exe <Not Verified; GEAR Software; gearsec>

S3 TUWinStylerThemeSvc (TuneUp WinStyler Theme Service) - "c:\program files\tuneup utilities 2006\winstylerthemesvc.exe" <Not Verified; TuneUp Software GmbH; TuneUp Utilities>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: WebcamMax, WDM Video Capture
Device ID: ROOT\MEDIA\0000
Manufacturer: YewSoft
Name: WebcamMax, WDM Video Capture
PNP Device ID: ROOT\MEDIA\0000
Service: CamthWDM

Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: MTP Device
Device ID: ROOT\WPD\0000
Manufacturer: (Standard MTP-Compliant Device)
Name: MTP Device
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd


-- Scheduled Tasks -------------------------------------------------------------

2008-03-17 16:56:35 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-01-18 18:15:50 412 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job


-- Files created between 2008-02-17 and 2008-03-17 -----------------------------

2008-03-17 17:07:41 0 d-------- C:\ZonedOut
2008-03-17 17:05:15 0 d-------- C:\Program Files\SpywareBlaster
2008-03-06 19:11:09 0 d-------- C:\Documents and Settings\LocalService\Application Data\Help
2008-02-24 12:00:38 0 d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-02-24 11:20:31 24576 --a------ C:\WINDOWS\system32\Ulead Photo Explorer.scr <Not Verified; ; pexSaver Application>
2008-02-24 11:20:28 0 d-------- C:\Program Files\Ulead Systems


-- Find3M Report ---------------------------------------------------------------

2008-03-17 17:04:44 0 d-------- C:\Documents and Settings\Henderson Holman\Application Data\DNA
2008-03-17 16:55:04 0 d-------- C:\Documents and Settings\Henderson Holman\Application Data\AVG7
2008-02-24 12:02:45 0 d-------- C:\Documents and Settings\Henderson Holman\Application Data\CyberLink
2008-02-24 12:00:55 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-24 11:59:52 0 d-------- C:\Program Files\CyberLink
2008-02-13 20:17:31 0 d-------- C:\Documents and Settings\Henderson Holman\Application Data\Adobe
2008-01-29 19:20:33 0 d-------- C:\Program Files\Microsoft Digital Image 2006
2008-01-28 21:01:02 0 d-------- C:\Documents and Settings\Henderson Holman\Application Data\BitTorrent
2008-01-28 18:40:06 0 d-------- C:\Program Files\BitTorrent
2008-01-28 18:40:05 0 d-------- C:\Program Files\DNA
2007-12-22 13:36:17 0 --a------ C:\WINDOWS\nsreg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [05/21/2003 12:21 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/17/2006 09:03 PM]
"nwiz"="nwiz.exe" [10/17/2006 09:03 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [10/17/2006 09:03 PM C:\WINDOWS\system32\nvmctray.dll]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 06:20 PM]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [02/08/2007 01:12 AM]
"LVCOMSX"="C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [02/06/2007 05:43 PM]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [02/08/2007 01:13 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05/27/2007 12:57 PM]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [09/28/2006 02:21 PM]
"BCWipeTM Startup"="C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" [10/20/2004 11:12 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [12/25/2007 10:54 AM]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [10/10/2007 12:28 AM]
"MimBoot"="C:\MUSICM~1\MUSICM~1\mimboot.exe" [05/10/2005 05:04 PM]
"MMTray"="C:\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [05/10/2005 05:04 PM]
"MaxBlastMonitor.exe"="C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe" [04/20/2007 08:59 AM]
"AcronisTimounterMonitor"="C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe" [04/20/2007 09:09 AM]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe" [04/20/2007 09:03 AM]
"BDRegion"="C:\Program Files\Cyberlink\Shared Files\brs.exe" [11/16/2007 08:20 PM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [10/28/2007 10:35 AM]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [10/11/2007 01:06 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08/31/2007 05:46 PM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 12:34 PM]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [03/17/2008 04:54 PM]

C:\Documents and Settings\Henderson Holman\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 8:16:50 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [7/23/2007 6:00:34 PM]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 8:16:50 PM]
Event Planner Reminder.lnk - C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe [8/30/2005 5:18:30 PM]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{81c0377e-1ce5-11dc-8ab1-00196616b467}]
AutoRun\command- K:\setupSNK.exe




-- End of Deckard's System Scanner: finished at 2008-03-17 17:12:06 ------------
Attached Files
File Type: txt extra.txt (15.1 KB, 0 views)
Last edited by thedishdoc : 03-17-2008 at 03:19 PM.
thedishdoc is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 03-18-2008, 12:02 AM   #4 (permalink)
Moderator, Analyst, Security Team
 
amateur's Avatar
 
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 2,755
OS: XP Home SP3, XP Media Center Edition SP3


Re: Hacktool, Trojan Horse, w32.Spybot.Worm, Trojan.Startpage, Downloader., Multiple
Hi,

First of all, it appears that you are running two antivirus programs, i.e. Symantec and AVG. Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will decrease the reliability of system security seriously! The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both of them attempting to access the same file at the same time. The same rule applies to the firewalls.

I would strongly advise you to only have one Anti-Virus with the Auto-Protect feature running at any one time! Please keep one and uninstall the other one. AVG can be removed via Add or Remove Programs in Control Panel, but Symantec requires its special tool. Please use the instructions on this page if you decide to uninstall your Symantec/Norton products.

===================================

After removing one of these antivirus applications, restart your computer if you have not been prompted to do so.

===================================

Looking at the main.txt, I cannot see any indications of the infections you mention in your original post. Let's do some house cleaning and run an online scan and see what we get.

Download ATF Cleaner by Atribune and save it to your Desktop.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
The rest are optional - if you want to remove the lot, check "Select All".

Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

Firefox :
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Opera :
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

When you have finished, click on the Exit button in the Main menu.

For Technical Support, double-click the e-mail address located at the bottom of each menu

======================================

Go to Start>Control Panel>Add/Remove Programs and remove if Kaspersky online scanner is present prior to downloading the most up-to-date one.

Now run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
  • Scan using the following Anti-Virus database:
  • Standard
  • Scan Options:
  • Scan Archives
  • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
  • Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop in txt format.

Copy and paste that information from Kapersky in your next post.

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans for no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Or use Firefox with IE-Tab plugin

======================

Please post back the Kaspersky report along with a fresh HijackThis log.
__________________
My services are free. However, you can donate to TSF to help keep it running and prospering.
ASAP

amateur is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 03-19-2008, 02:55 PM   #5 (permalink)
Registered User
 
Join Date: Mar 2008
Posts: 6
OS: XP Pro


Re: Hacktool, Trojan Horse, w32.Spybot.Worm, Trojan.Startpage, Downloader., Multiple
Deckard's System Scanner v20071014.68
Run by Henderson Holman on 2008-03-19 16:52:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Henderson Holman.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:52:16 PM, on 3/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Winamp\winampa.exe
C:\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
C:\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Musicmatch\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Henderson Holman\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\HENDER~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [MimBoot] C:\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MaxBlastMonitor.exe] C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Event Planner Reminder.lnk = C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1180201189984
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

--
End of file - 9790 bytes

-- Files created between 2008-02-19 and 2008-03-19 -----------------------------

2008-03-18 17:21:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-18 17:21:09 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-18 17:21:05 0 d-------- C:\WINDOWS\LastGood
2008-03-17 17:07:41 0 d-------- C:\ZonedOut
2008-03-17 17:05:15 0 d-------- C:\Program Files\SpywareBlaster
2008-03-06 19:11:09 0 d-------- C:\Documents and Settings\LocalService\Application Data\Help
2008-02-24 12:00:38 0 d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-02-24 11:20:31 24576 --a------ C:\WINDOWS\system32\Ulead Photo Explorer.scr <Not Verified; ; pexSaver Application>
2008-02-24 11:20:28 0 d-------- C:\Program Files\Ulead Systems


-- Find3M Report ---------------------------------------------------------------

2008-03-19 16:50:21 0 d-------- C:\Documents and Settings\Henderson Holman\Application Data\DNA
2008-03-19 08:00:06 0 d-------- C:\Documents and Settings\Henderson Holman\Application Data\AVG7
2008-02-24 12:02:45 0 d-------- C:\Documents and Settings\Henderson Holman\Application Data\CyberLink
2008-02-24 12:00:55 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-24 11:59:52 0 d-------- C:\Program Files\CyberLink
2008-02-13 20:17:31 0 d-------- C:\Documents and Settings\Henderson Holman\Application Data\Adobe
2008-01-29 19:20:33 0 d-------- C:\Program Files\Microsoft Digital Image 2006
2008-01-28 21:01:02 0 d-------- C:\Documents and Settings\Henderson Holman\Application Data\BitTorrent
2008-01-28 18:40:06 0 d-------- C:\Program Files\BitTorrent
2008-01-28 18:40:05 0 d-------- C:\Program Files\DNA
2007-12-22 13:36:17 0 --a------ C:\WINDOWS\nsreg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [05/21/2003 12:21 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/17/2006 09:03 PM]
"nwiz"="nwiz.exe" [10/17/2006 09:03 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [10/17/2006 09:03 PM C:\WINDOWS\system32\nvmctray.dll]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 06:20 PM]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [02/08/2007 01:12 AM]
"LVCOMSX"="C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [02/06/2007 05:43 PM]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [02/08/2007 01:13 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05/27/2007 12:57 PM]
"CloneCDTray"="C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [09/28/2006 02:21 PM]
"BCWipeTM Startup"="C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" [10/20/2004 11:12 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [12/25/2007 10:54 AM]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [10/10/2007 12:28 AM]
"MimBoot"="C:\MUSICM~1\MUSICM~1\mimboot.exe" [05/10/2005 05:04 PM]
"MMTray"="C:\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [05/10/2005 05:04 PM]
"MaxBlastMonitor.exe"="C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe" [04/20/2007 08:59 AM]
"AcronisTimounterMonitor"="C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe" [04/20/2007 09:09 AM]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe" [04/20/2007 09:03 AM]
"BDRegion"="C:\Program Files\Cyberlink\Shared Files\brs.exe" [11/16/2007 08:20 PM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [10/28/2007 10:35 AM]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [10/11/2007 01:06 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:56 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08/31/2007 05:46 PM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 12:34 PM]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [03/17/2008 04:54 PM]

C:\Documents and Settings\Henderson Holman\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 8:16:50 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [7/23/2007 6:00:34 PM]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/16/2005 8:16:50 PM]
Event Planner Reminder.lnk - C:\Program Files\Creative Home\Hallmark Card Studio 2006\Planner\PLNRnote.exe [8/30/2005 5:18:30 PM]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{81c0377e-1ce5-11dc-8ab1-00196616b467}]
AutoRun\command- K:\setupSNK.exe




-- End of Deckard's System Scanner: finished at 2008-03-19 16:52:32 ------------
Attached Files
File Type: txt kapersky Log.txt (57.4 KB, 1 views)
thedishdoc is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 03-20-2008, 12:17 AM   #6 (permalink)
Moderator, Analyst, Security Team
 
amateur's Avatar
 
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 2,755
OS: XP Home SP3, XP Media Center Edition SP3


Re: Hacktool, Trojan Horse, w32.Spybot.Worm, Trojan.Startpage, Downloader., Multiple
Hi,

First of all, I am not sure if you read my instructions. Your log is still showing two antivirus applications running. Please read my instructions again and remove one of them.

Using P2P filesharing applications such as LimeWire,Bittorent, KaZaa,etc., visiting crack sites, downloading crack and keygens are sure ways of getting infected, which appears to be the case here.

Please remove/uninstall all of these p2p filesharing programs via Add or Remove Programs in Control Panel. P2P filesharing is so that even if one is using a "clean" program, many of the files downloaded from non-documented sources have the potential of being infected. So, regardless of whether one is using a "clean" program, one may still be prone to infection by malware because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. Also by default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The reason for this is simple, file sharing relies on its members giving and gaining unfettered access to computers across the P2P network. However, this practice can make you vulnerable to data and identity theft.

==============================

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\MP3\GrandRidgeDance\Wicked Remix (lighthouse).wma
C:\MP3\Incoming\Eighties classic.wma
C:\MP3\Limewire\TOTALLY HIP TRACK.wma
C:\MP3\MashupsJuly2007\Wicked Remix (lighthouse).wma
D:\10GiG7-25-05\mcescher.exe
D:\MP3\Incoming\Eighties classic.wma
D:\MP3\Limewire\TOTALLY HIP TRACK.wma
D:\MP3\MashupsJuly2007\Wicked Remix (lighthouse).wma
E:\BittorrentDownloads\Hide_IP_Platinum_3.3_with_keygen.rar
E:\MP3\GrandRidgeDance\Wicked Remix (lighthouse).wma
E:\MP3\Incoming\Eighties classic.wma
E:\MP3\Limewire\TOTALLY HIP TRACK.wma
E:\MP3\MashupsJuly2007\Wicked Remix (lighthouse).wma
H:\40 GIG D drive\MP3\Programs\Battlefield 1942 Full Version Cracked.exe
H:\40 GIG D drive\MP3\Programs\kmd161_en.exe
H:\40 GIG D drive\NewDownloads\dss\10-28HU\sui30.zip
H:\MP3\Newdownloads\LOMALKA[1].RU-Macromedia_ColdFusionMX.zip
H:\MP3\Programs\Battlefield 1942 Full Version Cracked.exe
H:\MP3\Programs\kmd161_en.exe
H:\RECYCLER\S-1-5-21-2947827476-2713188391-3190703810-1004\Dj28\DownloadWare\Downloads\89.dat
H:\RECYCLER\S-1-5-21-2947827476-2713188391-3190703810-1004\Dj28\DownloadWare\Temp\casino1.exe
H:\RECYCLER\S-1-5-21-2947827476-2713188391-3190703810-1004\Dj28\KFH\cl\casino1.exe
H:\RECYCLER\S-1-5-21-2947827476-2713188391-3190703810-1004\Dj34\TEMP\A0445912.CPY
I:\40 GIG D drive\MP3\KaZaATemp\Programs\Battlefield 1942 Full Version Cracked.exe
I:\40 GIG D drive\MP3\KaZaATemp\Programs\kmd161_en.exe
I:\40 GIG D drive\MP3\NewrKazaaTemp\kmd161_en.exe
I:\40 GIG D drive\MP3\Programs\Battlefield 1942 Full Version Cracked.exe
I:\40 GIG D drive\MP3\Programs\kmd161_en.exe
I:\40 GIG D drive\NewDownloads\dss\10-28HU\sui30.zip
I:\Bittorrent\COREL DRAW 12 Multilanguage + KeyGen .iso
I:\Bittorrent\Crackpack 1.5 (Code Fusion-Hackers Util-HackMan-Hex Workshop-MemSpy-Nifty-Resource Hacker-ShoWin-SoftIce-w32dasm).zip
I:\Bittorrent\Programs\kmd161_en.exe
I:\NewDownloads\dss\10-28HU\sui30.zip
I:\RECYCLER\S-1-5-21-1292428093-1123561945-839522115-1003\Di3.exe
J:\Bittorrent2007\YouTube.FLV.to.AVI.Suite.Enterprise.v2.0.7.Cracked\f4cg.rar
J:\MP3\Incoming\Eighties classic.wma
J:\MP3\Limewire\TOTALLY HIP TRACK.wma
J:\PCGames\Battlefield 1942 Full Version Cracked.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.[/code]

===================================================

You also have some old infected mail in your Outlook inbox. Please delete them

D:\outlook.pst
/Personal Folders/Deleted Items/22 Jun 2005 22:45:New Security Requirements.html
/Personal Folders/Deleted Items/24 Jul 2005 11:51:New Security Requirements.html
/Personal Folders/Inbox/08 Apr 2005 00:21 from aurora_sales@tellurian.com:Question for i.eml
/Personal Folders/Inbox/08 Apr 2005 10:31 from deadaliven@hotmail.com:Question for item .eml
/Personal Folders/Inbox/09 Apr 2005 02:37 from sales@maconlyofwa.com:Question for item #.eml
/Personal Folders/Inbox/09 Apr 2005 15:31 from bradley.dickerson@geps.ge.com:Question fo.eml
/Personal Folders/Inbox/14 Apr 2005 15:55 from aw-confirm@ebay.com:Question about shippi.eml
/Personal Folders/Inbox/15 Apr 2005 10:47 from raulm777@yahoo.com:Question for item #731.eml
/Personal Folders/Inbox/27 Apr 2005 22:04 from karnita2@comcast.net:Question for item #7.eml
/Personal Folders/Inbox/30 Apr 2005 23:33 from axl_blitz@hotmail.com:Question for item #.eml
/Personal Folders/Inbox/01 May 2005 05:13 from dpeters9@cox.net:Question for item #71533.eml
/Personal Folders/Inbox/01 May 2005 09:30 from musado@o2online.de:Question about shippin.eml
/Personal Folders/Inbox/03 May 2005 18:55 from eBay Member: 1964lam:Question about shipp.eml
/Personal Folders/Inbox/04 May 2005 18:57 from eBay Member: alanadam2:Question for eBay .eml
/Personal Folders/Inbox/04 May 2005 12:25 from eBay Member: thedishdoc:Question for eBay.eml
/Personal Folders/Inbox/04 May 2005 18:53 from eBay Member: thedishdoc:Question for eBay.eml
/Personal Folders/Inbox/05 May 2005 18:41 from eBay Member: wygoslo:Question for eBay it.eml
/Personal Folders/Inbox/10 May 2005 13:09 from eBay Member: wygoslo:Question for eBay it.eml
/Personal Folders/Inbox/10 May 2005 12:35 from eBay Member: thedishdoc:Question about sh.eml
/Personal Folders/Inbox/11 May 2005 02:35 from eBay Member: jz-bay:Question about shippi.eml
/Personal Folders/Inbox/11 May 2005 12:31 from eBay Member: thedishdoc:Question about sh.eml
/Personal Folders/Inbox/12 May 2005 22:10 from eBay Member: thedishdoc:Question about sh.eml
/Personal Folders/Inbox/12 May 2005 22:12 from eBay Member: thedishdoc:Question for eBay.eml
/Personal Folders/Inbox/12 May 2005 22:29 from eBay Member: thedishdoc:Question about sh.eml
/Personal Folders/Inbox/12 May 2005 23:02 from eBay Member: thedishdoc:Question about sh.eml
/Personal Folders/Inbox/17 May 2005 15:15 from eBay Member: eddiemiggs631:Question about.eml
/Personal Folders/Inbox/02 Jun 2005 15:34 to hlh4@earthlink.net:Question for eBay item #.eml

==================================

Also empty the Quarantine folder of Norton. . You can use Symantec's guide to remove the files from quarantine. http://service1.symantec.com/SUPPORT...on=1#_Section1, if you don't know how:

==================================

Restart your computer and post a fresh HijackThis log along with the OTMoveIt log, please.
__________________
My services are free. However, you can donate to TSF to help keep it running and prospering.
ASAP

amateur is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Reply With Quote
Old 04-09-2008, 05:34 PM   #7 (permalink)
Registered User
 
Join Date: Mar 2008
Posts: 6
OS: XP Pro


Re: Hacktool, Trojan Horse, w32.Spybot.Worm, Trojan.Startpage, Downloader., Multiple
I’ve read your instructions carefully. My antivirus programs are not configured so as to cause a lock-up. I update them both religiously. Sometimes one picks up an issue that the other doesn’t. I would prefer to keep them in place. I GREATLY appreciate your help and advice. I’ve followed all your other instructions to the letter. The P2P stuff was installed by the kids. I have removed it. Thank you very much for help repairing this. You are a real gentleman. Here is the current log file.

Your friend, Henderson


OT Move It Log Below

C:\MP3\GrandRidgeDance\Wicked Remix (lighthouse).wma moved successfully.
C:\MP3\Incoming\Eighties classic.wma moved successfully.
C:\MP3\Limewire\TOTALLY HIP TRACK.wma moved successfully.
C:\MP3\MashupsJuly2007\Wicked Remix (lighthouse).wma moved successfully.
D:\10GiG7-25-05\mcescher.exe moved successfully.
D:\MP3\Incoming\Eighties classic.wma moved successfully.
D:\MP3\Limewire\TOTALLY HIP TRACK.wma moved successfully.
D:\MP3\MashupsJuly2007\Wicked Remix (lighthouse).wma moved successfully.
E:\BittorrentDownloads\Hide_IP_Platinum_3.3_with_keygen.rar moved successfully.
E:\MP3\GrandRidgeDance\Wicked Remix (lighthouse).wma moved successfully.
E:\MP3\Incoming\Eighties classic.wma moved successfully.
E:\MP3\Limewire\TOTALLY HIP TRACK.wma moved successfully.
E:\MP3\MashupsJuly2007\Wicked Remix (lighthouse).wma moved successfully.
File/Folder H:\40 GIG D drive\MP3\Programs\Battlefield 1942 Full Version Cracked.exe not found.
File/Folder H:\40 GIG D drive\MP3\Programs\kmd161_en.exe not found.
File/Folder H:\40 GIG D drive\NewDownloads\dss\10-28HU\sui30.zip not found.
File/Folder H:\MP3\Newdownloads\LOMALKA[1].RU-Macromedia_ColdFusionMX.zip not found.
File/Folder H:\MP3\Programs\Battlefield 1942 Full Version Cracked.exe not found.
File/Folder H:\MP3\Programs\kmd161_en.exe not found.
File/Folder H:\RECYCLER\S-1-5-21-2947827476-2713188391-3190703810-1004\Dj28\DownloadWare\Downloads\89.dat not found.
File/Folder H:\RECYCLER\S-1-5-21-2947827476-2713188391-3190703810-1004\Dj28\DownloadWare\Temp\casino1.exe not found.
File/Folder H:\RECYCLER\S-1-5-21-2947827476-2713188391-3190703810-1004\Dj28\KFH\cl\casino1.exe not found.
File/Folder H:\RECYCLER\S-1-5-21-2947827476-2713188391-3190703810-1004\Dj34\TEMP\A0445912.CPY not found.
File/Folder I:\40 GIG D drive\MP3\KaZaATemp\Programs\Battlefield 1942 Full Version Cracked.exe not found.
File/Folder I:\40 GIG D drive\MP3\KaZaATemp\Programs\kmd161_en.exe not found.
File/Folder I:\40 GIG D drive\MP3\NewrKazaaTemp\kmd161_en.exe not found.
File/Folder I:\40 GIG D drive\MP3\Programs\Battlefield 1942 Full Version Cracked.exe not found.
File/Folder I:\40 GIG D drive\MP3\Programs\kmd161_en.exe not found.
File/Folder I:\40 GIG D drive\NewDownloads\dss\10-28HU\sui30.zip not found.
File/Folder I:\Bittorrent\COREL DRAW 12 Multilanguage + KeyGen .iso not found.
File/Folder I:\Bittorrent\Crackpack 1.5 (Code Fusion-Hackers Util-HackMan-Hex Workshop-MemSpy-Nifty-Resource Hacker-ShoWin-SoftIce-w32dasm).zip not found.
File/Folder I:\Bittorrent\Programs\kmd161_en.exe not found.
File/Folder I:\NewDownloads\dss\10-28HU\sui30.zip not found.
File/Folder I:\RECYCLER\S-1-5-21-1292428093-1123561945-839522115-1003\Di3.exe not found.
File/Folder J:\Bittorrent2007\YouTube.FLV.to.AVI.Suite.Enterprise.v2.0.7.Cracked\f4cg.rar not found.
File/Folder J:\MP3\Incoming\Eighties classic.wma not found.
File/Folder J:\MP3\Limewire\TOTALLY HIP TRACK.wma not found.
File/Folder J:\PCGames\Battlefield 1942 Full Version Cracked.exe not found.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03242008_194927


Deckard's System Scanner v20071014.68
Run by Henderson Holman on 2008-04-09 19:24:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Henderson Holman.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:24:51 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System3