Resolved HJT Threads (resolved spyware and popup issues)

#1
Registered User
Join Date: Oct 2006
Posts: 27
OS: winxp
Infected by Antivermin ... Help
My system is infected with Antivermin. There's an icon in the system tray, and popups keep coming saying "System Alert", which is very similar to Windows alerts. When I open IE it sometimes goes to this website:
Code:
www.antivermin.com/aff=344

Logfile of HijackThis v1.99.1
Scan saved at 12:50:22 PM, on 2/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\vsnpstd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Documents and Settings\Administrator\Desktop\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - e:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program Files\Video ActiveX Object\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.uwininstaller.tk
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1169026947109
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1169027672609
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {E8CCCDDF-CA28-496B-B050-6C07C962476B} -
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...86/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D51DF6E-B92B-464A-AA27-D4278CA10F8C}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D51DF6E-B92B-464A-AA27-D4278CA10F8C}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{0D51DF6E-B92B-464A-AA27-D4278CA10F8C}: NameServer = 192.168.1.1
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: System - {E5FF6819-B133-4628-8183-8C9E0D98EDFD} - dgflib.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: exemplars - {2acf3add-34a1-4f2f-99cf-cc69785d1e90} - C:\WINDOWS\system32\cwgppb.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - e:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

Last edited by whoami : 02-04-2007 at 07:01 PM.
#2
Analyst, Security Team ; TSF Supporter
Join Date: May 2006
Location: Phila,Pa
Posts: 2,335
OS: XP
Hello whoami, and welcome to TSF

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding.

Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

----------------------------------------

The fixes we will use are specific to your problems and should only be used for this issue on this machine. Please only use this topic to reply to. Do not start another thread. If any other issues arise let me know.

The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear. So let's do this to the end!

Please make every effort to reply to my posts in a timely manner. Malware breeds malware and the longer an infection remains on a system, the more likely additional infections will result.

----------------------------------------

DOWNLOADS

CLEANUP! version 4.52 – TEMP FILE CLEANING
Please download Cleanup! and install it. You will use this later. Alternative link: Cleanup Alt
*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does not make backups.

AVG Anti-Spyware 7.5
Please download AVG Anti Spyware. Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows".

SMITFRAUD FIX
Please download SmitfraudFix (by S!Ri). Extract the content (a folder named SmitfraudFix) to your Desktop.

----------------------------------------

SAFE MODE RE-BOOT

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account.

Make sure to close any open browsers.

----------------------------------------

FIXES AND DELETIONS

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any):

O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program Files\Video ActiveX Object\iesplugin.dll (file missing)
O16 - DPF: {E8CCCDDF-CA28-496B-B050-6C07C962476B} -
O21 - SSODL: System - {E5FF6819-B133-4628-8183-8C9E0D98EDFD} - dgflib.dll (file missing)
O21 - SSODL: exemplars - {2acf3add-34a1-4f2f-99cf-cc69785d1e90} - C:\WINDOWS\system32\cwgppb.dll

Please remember to close all other windows, including browsers, then click Fix checked.

----------------------------------------

SmitFraud - OPTION 2

Double-click on SmitfraudFix.exe to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted: "Registry cleaning - Do you want to clean the registry?" Answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file?" by typing Y and hit Enter.
The tool will create a log named c:\rapport.txt in the root of your drive, eg: Local Disk C: (C:rapport.txt) or partition where your operating system is installed.
Please post that log along with all others requested in your next reply.

----------------------------------------

RUNNING SCANNERS

Cleanup
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
Press the CleanUp! button to start the program and DO NOT reboot when prompted.

AVG Anti-Spyware 7.5
When done, click the Save Scan Report button. (4) then click Save Report As and save it to your desktop.
IMPORTANT: Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Note: DO NOT USE the computer while AVG A/S is scanning. If Explorer or the Control Panel are opened some malware types will reinfect your system or will not be cleaned properly.

----------------------------------------

SECURE DESKTOP

Next go to Control Panel, click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present:
Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

----------------------------------------

SYSTEM RE-BOOT

Reboot into Normal Mode.

----------------------------------------

SmitFraud - OPTION 3

Double-click on SmitfraudFix.exe to start the tool.
Select option #3 - Delete Trusted zone by typing 3 and press Enter.
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.
Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

----------------------------------------

ON-LINE SCANS

Perform an online scan with Internet Explorer with Panda ActiveScan
Begin the scan by selecting
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

----------------------------------------

FOLLOW-UP

Please return and post these items in the order listed:
c:\rapport.txt from SmitFraud
AVG A/S
Panda scan
A new HJT log run in Normal Mode

Please note: In order to properly see what is on your system, all HJT logs must be run in the normal mode.

Please let me know how your system is behaving.
__________________
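A small triage script, added here as an example (not from the forum and not HijackThis's own logic), that reads HJT entries one per line, as HijackThis writes them, and applies the criteria the analyst used above: Explorer/IE hooks pointing at files that no longer exist, an O16 DPF entry with no name and no source URL, and every SSODL entry for review. The sample entries are copied from whoami's log; the severity rules and the O14 check are the editor's assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: entries copied from the HijackThis log posted above, one per
# line as HijackThis writes them (the forum flattened the original into a paragraph).
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program Files\Video ActiveX Object\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [AVP] "E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O14 - IERESET.INF: START_PAGE_URL=http://www.uwininstaller.tk
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {E8CCCDDF-CA28-496B-B050-6C07C962476B} -
O21 - SSODL: System - {E5FF6819-B133-4628-8183-8C9E0D98EDFD} - dgflib.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: exemplars - {2acf3add-34a1-4f2f-99cf-cc69785d1e90} - C:\WINDOWS\system32\cwgppb.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# An HJT entry is "<section> - <body>"; header and process-list lines are skipped.
ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
# O16 body whose CLSID is followed by nothing: no control name and no download URL.
EMPTY_DPF_RE = re.compile(r"^DPF:\s*\{[0-9A-Fa-f-]+\}\s*-?\s*$")
# Sections where a hook into Explorer/IE that points at a vanished file is what the
# analyst has the poster remove; elsewhere it is only a harmless leftover.
HOOK_SECTIONS = {"O2", "O3", "O20", "O21"}


@dataclass
class Finding:
    section: str
    severity: str  # "high", "medium" or "low"
    reason: str
    line: str


def parse_entries(log_text):
    """Return (section, body, full_line) for each R*/O* entry in an HJT log."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), line))
    return entries


def triage(log_text):
    """Apply the review heuristics (editor's assumptions, not HijackThis's own logic)."""
    findings = []
    for section, body, line in parse_entries(log_text):
        orphan = "(file missing)" in body or "(no file)" in body
        if section == "O21":
            # ShellServiceObjectDelayLoad: DLLs Explorer loads at logon. Very few
            # legitimate programs use it, so every entry is reviewed; a missing DLL
            # is a leftover hook that should go.
            sev = "high" if orphan else "medium"
            findings.append(Finding(section, sev, "SSODL autostart; verify the DLL and its publisher", line))
        elif orphan:
            sev = "high" if section in HOOK_SECTIONS else "low"
            findings.append(Finding(section, sev, "entry points at a file that no longer exists", line))
        elif section == "O16" and EMPTY_DPF_RE.match(body):
            findings.append(Finding(section, "high", "ActiveX (DPF) object with no name and no source URL", line))
        elif section == "O14" and "http" in body and not re.search(r"(microsoft|msn)\.com", body, re.I):
            # IERESET.INF holds the page IE falls back to on "Reset Web Settings";
            # a non-Microsoft URL there is a common browser-hijack leftover.
            findings.append(Finding(section, "medium", "IE reset page points at a non-Microsoft site", line))
    return findings


def summarize(findings):
    """Count findings per severity level."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


def fix_candidates(log_text):
    """Lines worth ticking in 'Do a System Scan Only' before 'Fix checked'."""
    return [f.line for f in triage(log_text) if f.severity == "high"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

Run against the sample, the three high-severity lines are exactly the O3, O16 and O21 "System" entries the analyst asked to have fixed; the cwgppb.dll SSODL entry comes out as medium because its DLL exists, which is why a human still reads the medium list.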
#3
Registered User
Join Date: Oct 2006
Posts: 27
OS: winxp
First let me thank you for the "detailed" reply which was well explained.
Panda AV had detected 2 viruses and some spywares. I didn't do anything as you had requested. But the system is not showing any signs of infection after the boot to normal mode... at least till now. Here are the reports in order.

SmitFraudFix v2.138

Scan done at 20:03:14.78, Mon 02/05/2007
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2acf3add-34a1-4f2f-99cf-cc69785d1e90}"="exemplars"

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2acf3add-34a1-4f2f-99cf-cc69785d1e90}"="exemplars"

»»»»»»»»»»»»»»»»»»»»»»»» End

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:49:17 PM 2/5/2007

+ Scan result:

HKU\S-1-5-21-1123561945-1004336348-839522115-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} -> Adware.Generic : Cleaned with backup (quarantined).
C:\WINDOWS\system32\Sys\winlogin.exe -> Not-A-Virus.Monitor.Win32.Ardamax : Cleaned with backup (quarantined).
C:\Program Files\BPK\syshk.dll -> Not-A-Virus.Monitor.Win32.Perflogger.163 : Cleaned with backup (quarantined).
E:\Program Files\BPK\syshk.dll -> Not-A-Virus.Monitor.Win32.Perflogger.163 : Cleaned with backup (quarantined).
C:\Program Files\BPK\sys.exe -> Not-A-Virus.Monitor.Win32.Perflogger.ad : Cleaned with backup (quarantined).
E:\Program Files\BPK\sys.exe -> Not-A-Virus.Monitor.Win32.Perflogger.ad : Cleaned with backup (quarantined).
C:\Program Files\BPK\sysun.exe -> Not-A-Virus.Monitor.Win32.Perflogger.an : Cleaned with backup (quarantined).
E:\Program Files\BPK\sysun.exe -> Not-A-Virus.Monitor.Win32.Perflogger.an : Cleaned with backup (quarantined).
C:\Program Files\BPK\sysr.exe -> Not-A-Virus.Monitor.Win32.Perflogger.bx : Cleaned with backup (quarantined).
C:\Program Files\BPK\sysvw.exe -> Not-A-Virus.Monitor.Win32.Perflogger.bx : Cleaned with backup (quarantined).
E:\Program Files\BPK\sysr.exe -> Not-A-Virus.Monitor.Win32.Perflogger.bx : Cleaned with backup (quarantined).
E:\Program Files\BPK\sysvw.exe -> Not-A-Virus.Monitor.Win32.Perflogger.bx : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\administrator@aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@eztracks.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@www.abcsearch[1].txt -> TrackingCookie.Abcsearch : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@www.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@admarketplace[1].txt -> TrackingCookie.Admarketplace : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ads36.bpath[1].txt -> TrackingCookie.Bpath : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ads39.bpath[1].txt -> TrackingCookie.Bpath : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ads48.bpath[2].txt -> TrackingCookie.Bpath : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@software.techrepublic.com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@enhance[2].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@media.fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ads.gamershell[2].txt -> TrackingCookie.Gamershell : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@creative.paypopup[2].txt -> TrackingCookie.Paypopup : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@yadro[1].txt -> TrackingCookie.Yadro : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
E:\Program Files\BPK\order.url -> Trojan.Keylog.153 : Cleaned with backup (quarantined).
E:\Program Files\BPK\downloads.url -> Trojan.Keylog.154 : Cleaned with backup (quarantined).

::Report end

=========================================================
Incident | Status | Location
Potentially unwanted tool:application/perfectkeylog.a | Not disinfected | c:\program files\BPK
Spyware:Cookie/NewMedia | Not disinfected | C:\Documents and Settings\Administrator\Cookies\administrator@anm.co[1].txt
Spyware:Cookie/Clixgalore | Not disinfected | C:\Documents and Settings\Administrator\Cookies\administrator@clixgalore[2].txt
Spyware:Cookie/Tucows | Not disinfected | C:\Documents and Settings\Administrator\Cookies\administrator@tucows[2].txt
Spyware:Cookie/Clixgalore | Not disinfected | C:\Documents and Settings\Administrator\Cookies\administrator@www.is1.clixgalore[1].txt
Potentially unwanted tool:Application/Processor | Not disinfected | C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Process.exe
Adware:Adware/SystemDoctor | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\''WGA Notification v1.5.708.0'' Update\Data\Windows XP CD Key and Product ID Changer.exe
Spyware:Cookie/DriveCleaner | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@drivecleaner[2].txt
Spyware:Cookie/ErrorSafe | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@errorsafe[2].txt
Spyware:Cookie/DriveCleaner | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@stats.drivecleaner[2].txt
Spyware:Cookie/Winantivirus | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@winantivirus[1].txt
Spyware:Cookie/DriveCleaner | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@www.drivecleaner[2].txt
Spyware:Cookie/ErrorSafe | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@www.errorsafe[1].txt
Potentially unwanted tool:Application/Ardamax | Not disinfected | C:\WINDOWS\system32\Sys\winlogin.006
Potentially unwanted tool:Application/Ardamax | Not disinfected | C:\WINDOWS\system32\Sys\winlogin.007
Potentially unwanted tool:Application/PerfectKeyLog.A | Not disinfected | E:\Program Files\BitComet\Downloads\Blazingtools Perfect Keylogger 1.6.5.0\pk1650.zip[i_bpk2003.exe][bpkun.exe]
Virus:Trj/Agent.DIL | Not disinfected | E:\Program Files\BitComet\Downloads\Blazingtools Perfect Keylogger 1.6.5.0\pk1650.zip[i_bpk2003.exe][bpkhk.dll]
Potentially unwanted tool:Application/PerfectKeylog.AI | Not disinfected | E:\Program Files\BitComet\Downloads\Blazingtools Perfect Keylogger 1.6.5.0\pk1650.zip[i_bpk2003.exe][bpkr.exe]
Potentially unwanted tool:Application/PerfectKeyLog.A | Not disinfected | E:\Program Files\BitComet\Downloads\Blazingtools Perfect Keylogger 1.6.5.0\pk1650.zip[i_bpk2003.exe][bpkwb.dll]
Potentially unwanted tool:Application/PerfectKeyLog.A | Not disinfected | E:\Program Files\BPK\i_bpk2003.exe[bpkun.exe]
Virus:Trj/Agent.DIL | Not disinfected | E:\Program Files\BPK\i_bpk2003.exe[bpkhk.dll]
Potentially unwanted tool:Application/PerfectKeylog.AI | Not disinfected | E:\Program Files\BPK\i_bpk2003.exe[bpkr.exe]
Potentially unwanted tool:Application/PerfectKeyLog.A | Not disinfected | E:\Program Files\BPK\i_bpk2003.exe[bpkwb.dll]
==========================================================

Logfile of HijackThis v1.99.1
Scan saved at 11:20:38 PM, on 2/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
e:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\vsnpstd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
E:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Documents and Settings\Administrator\Desktop\clean\hijack\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "e:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.uwininstaller.tk
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1169026947109
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1169027672609
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...86/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D51DF6E-B92B-464A-AA27-D4278CA10F8C}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D51DF6E-B92B-464A-AA27-D4278CA10F8C}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{0D51DF6E-B92B-464A-AA27-D4278CA10F8C}: NameServer = 192.168.1.1
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - e:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - e:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
==========================================================
#4
Analyst, Security Team ; TSF Supporter
Join Date: May 2006
Location: Phila,Pa
Posts: 2,335
OS: XP
You have a keylogger on your system. Did you knowingly install this?
Potentially unwanted tool:application/perfectkeylog.a Not disinfected c:\program files\BPK
__________________
#5
Registered User
Join Date: Oct 2006
Posts: 27
OS: winxp
Yes Fred. I installed it myself. It had a stealth installation, and to view the log file you had to press 3 keys together, but it never worked and there was no way I could uninstall that program as it wasn't "visible". I would like to uninstall that too, together with any other spyware infections.
#6
Registered User
Join Date: Oct 2006
Posts: 27
OS: winxp
Fred, just today this file pmsrr.exe popped up and was caught by Kaspersky.

2/6/2007 4 03 PM Quarantine: File C:\Program Files\Video ActiveX Object\pmsnrr.exe: deleted.

So I believe there are still traces of infections on my PC... Need help, Fred...
#7
Analyst, Security Team ; TSF Supporter
Join Date: May 2006
Location: Phila,Pa
Posts: 2,335
OS: XP
Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding.

Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

----------------------------------------
Now we get rid of the Keylogger and see what may be hiding in your system.
----------------------------------------

CLEAR AVG A/S QUARANTINE

----------------------------------------
DOWNLOADS

ComboFix
1. Download this file - You MUST save it to your desktop: COMBOFIX
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

SYSTEM REPAIR ENGINEER
Please download this tool: System Repair Engineer (http://www.kztechs.com/sreng/sreng2.zip)
Note: You may have to rename SREngLog.log to SREngLog.txt before attaching.

----------------------------------------
DISABLE ANTI-SPYWARE APPLICATIONS
Please disable these Anti-Spyware programs as they may interfere with this fix. You may re-enable them after we clean your system.

----------------------------------------
SAFE MODE RE-BOOT
Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

----------------------------------------
FIXES AND DELETIONS
Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:
BPK

----------------------------------------
UNHIDE HIDDEN FILES
Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

----------------------------------------
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.
c:\program files\BPK
C:\WINDOWS\system32\Sys\winlogin.006 >>> Delete any files of similar format
C:\WINDOWS\system32\Sys\winlogin.007
C:\Documents and Settings\Administrator\Cookies\administrator >>> Delete the CONTENTS of folder. Leave folder intact
E:\Program Files\BitComet\Downloads\Blazingtools Perfect Keylogger 1.6.5.0
E:\Program Files\BPK

----------------------------------------
SYSTEM RE-BOOT
Reboot into Normal Mode.

----------------------------------------
ON-LINE SCANS
Kaspersky - Extended
If you have the log from Kaspersky-Extended, please post that. Otherwise, please run the program.
Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.
Answer Yes, when prompted to install an ActiveX component.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

----------------------------------------
FOLLOW-UP
Please return and post these items in the order listed:
c:\combofix.txt
SREng log (attached)
Kaspersky scan
Last edited by fredmh : 02-06-2007 at 01:21 PM.

#8
Registered User
Join Date: Oct 2006
Posts: 27
OS: winxp
Fred, Kaspersky has detected around 9 viruses and 28 infected objects; this is freaking me out...

REPORTS
=======

Combo Fix
"Administrator" - 07-02-08 21:14:28 Service Pack 2
ComboFix 07-02-07 - Running from: "C:\Documents and Settings\Administrator\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2007-01-08 to 2007-02-08 ))))))))))))))))))))))))))))))))))

2007-02-05 22:02 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-02-05 20:02 1,660 --a------ C:\WINDOWS\system32\tmp.reg
2007-02-05 19:19 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-02-05 03:16 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-02-05 00:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy
2007-02-04 23:36 <DIR> d-------- C:\Program Files\NoAdware5.0
2007-02-04 15:36 20,992 --a------ C:\WINDOWS\system32\cwgppb.dll
2007-02-01 00:27 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\ppstream
2007-01-29 14:00 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\muvee Technologies
2007-01-29 13:49 <DIR> d-------- C:\Program Files\DivX
2007-01-29 13:48 151,552 --a------ C:\WINDOWS\system32\pxwma.dll
2007-01-29 13:46 <DIR> d-------- C:\Program Files\muvee Technologies
2007-01-28 12:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\muvee Technologies
2007-01-28 00:46 <DIR> d-------- C:\Program Files\Common Files\NSV
2007-01-28 00:45 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-01-28 00:45 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-01-28 00:44 <DIR> d-------- C:\Program Files\Winamp
2007-01-24 20:18 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\SopCast
2007-01-23 17:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Incomplete
2007-01-23 17:36 <DIR> d-------- C:\Program Files\Java
2007-01-23 17:36 <DIR> d-------- C:\Program Files\Common Files\Java
2007-01-23 17:32 <DIR> d-------- C:\DOCUME~1\ADMINI~1\.limewire
2007-01-22 15:27 <DIR> d-------- C:\Program Files\BPK
2007-01-22 11:55 <DIR>
d-------- C:\WINDOWS\vbSkinner 2007-01-21 18:00 <DIR> d-------- C:\Program Files\QK SMTP Server 3 2007-01-21 17:53 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy 2007-01-19 17:40 23,600 --a------ C:\WINDOWS\system32\drivers\TVICHW32.SYS 2007-01-19 16:49 6,531,872 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat 2007-01-19 16:49 193,056 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat 2007-01-19 16:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Kaspersky Lab 2007-01-19 11:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\NVIDIA 2007-01-19 00:29 <DIR> d-------- C:\Screenshots 2007-01-18 01:45 127,208 --a------ C:\WINDOWS\system32\mucltui.dll 2007-01-17 22:09 262,144 --a------ C:\DOCUME~1\ALLUSE~1\ntuser.dat 2007-01-17 21:49 <DIR> d-------- C:\WINDOWS\system32\PreInstall 2007-01-17 21:11 <DIR> d--h----- C:\WINDOWS\$hf_mig$ 2007-01-17 21:06 <DIR> d-------- C:\Program Files\Windows Media Connect 2 2007-01-17 21:03 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe 2007-01-17 21:03 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF 2007-01-17 20:43 18,200 --a------ C:\WINDOWS\system32\wups2.dll 2007-01-17 20:42 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution 2007-01-17 20:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Windows Genuine Advantage 2007-01-17 20:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Office Genuine Advantage 2007-01-15 18:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Trymedia 2007-01-15 17:43 <DIR> d-------- C:\Program Files\BFG 2007-01-09 21:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\TEMP (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-02-07 17:31 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\dvdcss 2007-02-02 16:09 -------- d---s---- C:\DOCUME~1\ADMINI~1\Application Data\microsoft 2007-01-29 17:45 -------- d--h----- C:\Program Files\installshield installation information 2007-01-29 13:57 50 
--a------ C:\AUTOEXEC.BAT 2007-01-06 20:20 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\moyeaflv2video 2007-01-02 16:28 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\apple computer 2007-01-02 02:12 -------- d-------- C:\Program Files\ipod 2007-01-02 02:10 -------- d-------- C:\Program Files\quicktime 2007-01-02 01:41 -------- d-------- C:\Program Files\avisynth 2.5 2006-12-24 11:35 575 --a------ C:\WINDOWS\ereg.dat 2006-12-24 11:32 -------- d-------- C:\Program Files\eacom 2006-12-24 11:28 -------- d-------- C:\Program Files\Common Files\installshield 2006-12-22 13:16 -------- d-------- C:\Program Files\microsoft works 2006-12-16 00:58 -------- d-------- C:\Program Files\yahoo! 2006-12-12 23:17 49152 --a------ C:\WINDOWS\system32\registrationlib193.dll 2006-12-11 20:36 -------- d-------- C:\Program Files\Common Files\directx 2006-12-08 11:50 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\real 2006-12-08 11:47 -------- d-------- C:\Program Files\Common Files\xing shared 2006-12-08 11:47 -------- d-------- C:\Program Files\Common Files\real 2006-11-27 19:45 60416 --------- C:\WINDOWS\system32\tzchange.exe 2006-11-27 00:38 13792 --ah----- C:\WINDOWS\system32\mlfcache.dat 2006-11-23 12:07 98304 --a------ C:\WINDOWS\system32\cmdlineext.dll 2006-11-23 11:26 148 --a------ C:\WINDOWS\system32\tsstop.exe 2006-11-23 11:26 148 --a------ C:\WINDOWS\system32\tskscd.exe 2006-11-19 09:47 287 --a------ C:\WINDOWS\ereg072.dat 2006-11-14 01:29 861 --a------ C:\DOCUME~1\ADMINI~1\Application Data\adobedlm.log 2006-11-14 01:29 0 --a------ C:\DOCUME~1\ADMINI~1\Application Data\dm.ini 2006-11-08 16:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll 2006-11-03 01:38 62 --ahs---- C:\DOCUME~1\ADMINI~1\Application Data\desktop.ini (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] "Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet" "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\"" "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup" "nwiz"="nwiz.exe /install" "NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit" "snpstd"="C:\\WINDOWS\\vsnpstd.exe" "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "iTunesHelper"="\"E:\\Program Files\\iTunes\\iTunesHelper.exe\"" "AVP"="\"E:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus 6.0\\avp.exe\"" @="" "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\"" "!AVG Anti-Spyware"="\"e:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="NMBgMonitor" "hkey"="HKCU" "command"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" "item"="NeroCheck" "hkey"="HKLM" "command"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler] "{2acf3add-34a1-4f2f-99cf-cc69785d1e90}"="exemplars" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] 
"{93994DE8-8239-4655-B1D1-5F4E91300429}"="" "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload] "WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run] "user32.dll"="C:\\Program Files\\Video ActiveX Object\\isamntr.exe" [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0 [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1e221c15-6a57-11db-bd41-00080208e963}] Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe ******************************************************************** catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006 http://www.gmer.net scanning hidden processes ... scanning hidden services ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 ******************************************************************** Completion time: 07-02-08 21:17:25 C:\ComboFix2.txt ... 
07-02-07 16:32 Kaspersky Scan ============ ------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER REPORT Friday, February 09, 2007 9:00:20 AM Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.83.0 Kaspersky Anti-Virus database last update: 8/02/2007 Kaspersky Anti-Virus database records: 266127 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: A:\ C:\ D:\ E:\ F:\ Scan Statistics: Total number of scanned objects: 48494 Number of viruses found: 9 Number of infected objects: 28 / 0 Number of suspicious objects: 0 Duration of the scan process: 01:26:48 Infected Object Name / Virus Name / Last Action C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe PE_Patch.UPX: infected - 2 skipped C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Administrator\Local 
Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\detected.idx Object is locked skipped C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\detected.rpt Object is locked skipped C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\eventlog.rpt Object is locked skipped C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\report.rpt Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object 
is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{35BC5477-6A5E-418B-8493-9D4306335D31}\RP122\A0063907.exe Infected: not-a-virus:Monitor.Win32.Perflogger.ad skipped C:\System Volume Information\_restore{35BC5477-6A5E-418B-8493-9D4306335D31}\RP122\A0063909.dll Infected: not-a-virus:Monitor.Win32.Perflogger.163 skipped C:\System Volume Information\_restore{35BC5477-6A5E-418B-8493-9D4306335D31}\RP122\A0063911.exe Infected: not-a-virus:Monitor.Win32.Perflogger.bx skipped C:\System Volume Information\_restore{35BC5477-6A5E-418B-8493-9D4306335D31}\RP122\A0063912.exe Infected: not-a-virus:Monitor.Win32.Perflogger.bx skipped C:\System Volume Information\_restore{35BC5477-6A5E-418B-8493-9D4306335D31}\RP122\A0063915.exe Infected: not-a-virus:Monitor.Win32.Perflogger.an skipped C:\System Volume Information\_restore{35BC5477-6A5E-418B-8493-9D4306335D31}\RP122\A0063917.exe Infected: not-a-virus:Monitor.Win32.Ardamax.25 skipped C:\System Volume Information\_restore{35BC5477-6A5E-418B-8493-9D4306335D31}\RP125\change.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\ |
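The HijackThis log earlier in this thread and the ComboFix "Reg Loading Points" in this post carry the kinds of entries fredmh is triaging: O17 NameServer lines, O23 services marked "(file missing)", a value named user32.dll under Policies\Explorer\Run that launches an executable from the Video ActiveX Object folder, and an AutoRun handler recorded under MountPoints2. The Python script below is an added example, not code from the thread, from HijackThis or from ComboFix. Its sample lines are constructed in the style of those logs; the 198.51.100.7 resolver is made up (a documentation address) to show what a non-LAN DNS entry looks like next to the real 192.168.1.1 router entry. It only flags lines for a human to review; it does not change anything on the machine.

```python
"""Triage helper for the HijackThis and ComboFix 'Reg Loading Points' lines
posted in this thread.  Added example, not code from HijackThis, ComboFix or
the forum; it assumes only the log formats visible in the posts above."""
import ipaddress
import re
from dataclasses import dataclass, field

# A NameServer on the LAN (the 192.168.1.1 router above) is expected; a resolver
# outside RFC 1918 space is worth checking for DNS hijacking.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,\s]+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

# Constructed samples in the style of the logs in this thread; the 198.51.100.7
# resolver (documentation range) is made up to show a non-LAN hit.
SAMPLE_HJT = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D51DF6E-B92B-464A-AA27-D4278CA10F8C}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D51DF6E-B92B-464A-AA27-D4278CA10F8C}: NameServer = 198.51.100.7
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
"""

SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"user32.dll"="C:\\Program Files\\Video ActiveX Object\\isamntr.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1e221c15-6a57-11db-bd41-00080208e963}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
"""


@dataclass
class Finding:
    line: str
    reasons: list[str] = field(default_factory=list)


def _is_lan_address(token: str) -> bool:
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return False  # not an IP literal at all
    return any(addr in net for net in RFC1918)


def triage_hjt(text: str) -> list[Finding]:
    """Flag O17 resolvers off the LAN and O23 services whose binary is missing."""
    findings = []
    for raw in text.splitlines():
        line, reasons = raw.strip(), []
        m = O17_RE.match(line)
        if m:
            for server in re.split(r"[,\s]+", m["servers"].strip()):
                if server and not _is_lan_address(server):
                    reasons.append(f"NameServer {server} is not an RFC 1918 address")
        m = O23_RE.match(line)
        if m and "(file missing)" in m["path"]:
            reasons.append(f"service '{m['name']}' points at a file that is not on disk")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


def triage_reg(text: str) -> list[Finding]:
    """Flag values under the policy Run key, DLL-named values that launch an
    .exe, and AutoRun handlers recorded under MountPoints2."""
    findings, key = [], ""
    for raw in text.splitlines():
        line, reasons = raw.strip(), []
        m = REG_KEY_RE.match(line)
        if m:
            key = m["key"].lower()  # remember which key the next values belong to
            continue
        m = REG_VAL_RE.match(line)
        if m:
            name, data = m["name"], m["data"]
            if key.endswith(r"policies\explorer\run"):
                reasons.append("value under Policies\\Explorer\\Run, a key ordinary installers rarely use")
            if name.lower().endswith(".dll") and data.lower().rstrip('"').endswith(".exe"):
                reasons.append(f"value named like a system DLL ({name}) launches an executable")
        elif "shell\\autorun\\command" in line.lower():
            reasons.append("AutoRun handler on a mounted volume; verify the command it launches")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for finding in triage_hjt(SAMPLE_HJT) + triage_reg(SAMPLE_REG):
        print(finding.line)
        for reason in finding.reasons:
            print("   ->", reason)
```

Running it on the constructed samples flags the made-up 198.51.100.7 resolver, the Kaspersky service whose path ends in "(file missing)" (the stray quote before -r in that entry is the usual cause), the user32.dll value under the policy Run key on two counts, and the copy.exe AutoRun handler; the router DNS entry, the iPod service and the ctfmon.exe Run value pass. The rules are deliberately generic (key location, name/extension mismatch, missing binary, non-LAN resolver) rather than a list of known bad file names, so they still apply after the next rename.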