Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 




Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > HijackThis Log Help > Resolved HJT Threads
credit card theft, trojan? credit card theft, trojan?
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read

Resolved HJT Threads Resolved spyware and popup issues.

 
 
Thread Tools
Old 05-06-2007, 04:35 PM   #1 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 79
OS: Windows ME


credit card theft, trojan?
Deckard's System Scanner v20070426.43
Run by Owner on 2007-05-06 at 03:31:36
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
47: 2007-05-06 11:31:41 UTC - RP312 - Deckard's System Scanner Restore Point
46: 2007-05-05 22:11:23 UTC - RP311 - System Checkpoint
45: 2007-05-04 19:10:06 UTC - RP310 - System Checkpoint
44: 2007-05-03 12:47:19 UTC - RP309 - System Checkpoint
43: 2007-05-02 03:20:09 UTC - RP308 - System Checkpoint


-- First Restore Point --
1: 2007-03-17 03:29:03 UTC - RP266 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-05-06 03:33:09
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.0.2900.2180)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Softex\OmniPass\omniServ.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cthelper.exe
C:\WINDOWS\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\hp\KBD\kbd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Owner\Desktop\dss(2).exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\hp\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [AIM Logger] C:\PROGRA~1\Nalsoft\AIMLOG~1\AIMLogger.exe /start /minimize
O4 - HKCU\..\Run: [Hide IP Platinum] C:\Program Files\Hide IP Platinum\hideippla.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra 'Tools' menuitem: (no name) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} () - http://www.fileplanet.com/fpdlmgr/ca...C_2.3.1.99.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/061...ie06101001.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - Winlogon Notify: AtiExtEvent - C:\WINDOWS\system32\Ati2evxx.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\system32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\OPXPGina.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Microsoft Corp., Veritas Software - C:\WINDOWS\System32\dmadmin.exe /com
O23 - Service: iPod Service - Apple Computer, Inc. - "C:\Program Files\iPod\bin\iPodService.exe"
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\omniServ.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 drvmcdb - c:\windows\system32\drivers\drvmcdb.sys <Not Verified; VERITAS Software, Inc.; >
R0 fasttx2k - c:\windows\system32\drivers\fasttx2k.sys <Not Verified; Promise Technology, Inc.; Promise FastTrak Series Driver>

S3 nsysaudm - c:\docume~1\owner\locals~1\temp\nsysaudm.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Scheduled Tasks -------------------------------------------------------------

2006-12-06 21:41:00 272 --a------ C:\WINDOWS\Tasks\easy Internet sign-up.job


-- Files created between 2007-04-06 and 2007-05-06 -----------------------------

2007-05-04 22:33:48 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-05-04 22:33:45 0 d-------- C:\WINDOWS\LastGood
2007-04-26 17:09:24 0 d-------- C:\Program Files\Tales of Pirates Online
2007-04-26 15:39:46 0 d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2007-04-26 15:39:20 0 d-------- C:\Program Files\uTorrent
2007-04-23 23:18:48 4682 --a------ C:\WINDOWS\system32\npptNT2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
2007-04-23 23:13:13 0 d-------- C:\ijji
2007-04-19 23:00:22 0 d-------- C:\Documents and Settings\Owner\Desktop'bump
2007-04-19 16:05:11 294912 --a------ C:\WINDOWS\system32\Bump J Multi-Trainer.exe <Not Verified; Bump Bump J; Trainers>
2007-04-16 00:46:45 0 d-------- C:\Documents and Settings\Owner\Desktoptrainer2
2007-04-13 01:55:58 70656 --a------ C:\WINDOWS\system32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec>
2007-04-13 01:55:58 471552 --a------ C:\WINDOWS\system32\Smab.dll
2007-04-13 01:55:58 70656 --a------ C:\WINDOWS\system32\i420vfw.dll <Not Verified; www.helixcommunity.org; Helix I420 YUV Codec>
2007-04-13 01:55:58 719872 --a------ C:\WINDOWS\system32\devil.dll <Not Verified; Abysmal Software; Developer's Image Library (DevIL)>
2007-04-13 01:55:58 27648 --a------ C:\WINDOWS\system32\AVSredirect.dll
2007-04-13 01:55:58 306688 --a------ C:\WINDOWS\system32\avisynth.dll <Not Verified; The Public; Avisynth 2.5>
2007-04-13 01:55:58 66560 --a------ C:\WINDOWS\MOTA113.exe
2007-04-13 01:55:58 217073 --a------ C:\WINDOWS\meta4.exe
2007-04-13 01:55:57 0 d-------- C:\Program Files\AviSynth 2.5
2007-04-13 01:55:52 31232 -r-hs---- C:\WINDOWS\system32\msfDX.dll <Not Verified; Hans Mayerl; msfDX.dll>
2007-04-13 01:55:52 163328 -r-hs---- C:\WINDOWS\system32\flvDX.dll <Not Verified; Gabest; FLV Splitter>
2007-04-13 01:55:47 0 d-------- C:\Program Files\eRightSoft
2007-04-13 01:17:13 0 d-------- C:\Documents and Settings\Owner\.Nokia
2007-04-13 01:17:11 0 d-------- C:\Nokia
2007-04-13 01:16:41 0 d--h----- C:\Program Files\Zero G Registry
2007-04-13 01:16:41 0 d--h----- C:\Documents and Settings\Owner\InstallAnywhere


-- Find3M Report ---------------------------------------------------------------

2007-05-04 23:04:05 0 d-------- C:\Program Files\iTunes
2007-05-04 23:00:06 0 d-------- C:\Program Files\AIM
2007-05-04 21:47:34 288 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000002-00000000-0000000B-00001102-00000004-005B1102}.dat
2007-05-04 21:47:34 288 --a------ C:\WINDOWS\system32\DVCState-{00000002-00000000-0000000B-00001102-00000004-005B1102}.dat
2007-05-03 19:36:12 0 d-------- C:\Program Files\Viewpoint
2007-03-28 17:51:45 4014 --a------ C:\WINDOWS\mozver.dat
2007-03-14 01:28:21 0 d-------- C:\Program Files\Disc2Phone
2007-02-26 20:24:48 32 --a------ C:\WINDOWS\go
2007-02-11 13:43:24 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-02-10 13:19:16 723 --a------ C:\WINDOWS\system32\events


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"CTHelper"="CTHELPER.EXE"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"CamMonitor"="c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\hpqcmon.exe"
"Share-to-Web Namespace Daemon"="c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"Jet Detection"="\"C:\\Program Files\\Creative\\SBAudigy\\PROGRAM\\ADGJDet.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"AIM Logger"="C:\\PROGRA~1\\Nalsoft\\AIMLOG~1\\AIMLogger.exe /start /minimize"
"Hide IP Platinum"="C:\\Program Files\\Hide IP Platinum\\hideippla.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SetDefaultMidi"="MIDIDEF.EXE"
"PlayCenter2"="\"C:\\Program Files\\Creative\\SBAudigy\\PlayCenter2\\MDEntry.EXE\" \"C:\\Program Files\\Creative\\SBAudigy\\PlayCenter2\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



-- End of Deckard's System Scanner: finished at 2007-05-06 at 03:33:28 ---------
Attached Files
File Type: txt extra.txt (12.1 KB, 1 views)
Frankh1188 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-15-2007, 02:19 PM   #2 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 3,628
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Re: credit card theft, trojan?
Hello and welcome to TSF.

Welcome to the TSF. Sorry for the delayed response. If you have not received help elsewhere and still need help please run Deckard's System Scanner again and post the main.txt, as it has been a while since you posted.
__________________
My services are free. However, you can donate to TSF to help keep it running and prospering.
ASAP

amateur is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-22-2007, 05:59 PM   #3 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 79
OS: Windows ME


Re: credit card theft, trojan?
eckard's System Scanner v20070426.43
Run by Owner on 2007-05-22 at 16:56:02
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-05-22 16:56:07
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.0.2900.2180)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Softex\OmniPass\omniServ.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cthelper.exe
C:\WINDOWS\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\hp\KBD\kbd.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Owner\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\hp\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [AIM Logger] C:\PROGRA~1\Nalsoft\AIMLOG~1\AIMLogger.exe /start /minimize
O4 - HKCU\..\Run: [Hide IP Platinum] C:\Program Files\Hide IP Platinum\hideippla.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra 'Tools' menuitem: (no name) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} () - http://www.fileplanet.com/fpdlmgr/ca...C_2.3.1.99.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/061...ie06101001.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - Winlogon Notify: AtiExtEvent - C:\WINDOWS\system32\Ati2evxx.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\system32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\OPXPGina.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Microsoft Corp., Veritas Software - C:\WINDOWS\System32\dmadmin.exe /com
O23 - Service: iPod Service - Apple Computer, Inc. - "C:\Program Files\iPod\bin\iPodService.exe"
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\omniServ.exe


-- Files created between 2007-04-22 and 2007-05-22 -----------------------------

2007-05-19 16:18:37 0 d-------- C:\Program Files\LimeWire
2007-05-08 18:41:03 0 d-------- C:\Documents and Settings\Owner\Application Data\DivX
2007-05-07 00:43:18 4096 --a------ C:\WINDOWS\system32\crash
2007-05-04 22:33:48 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-05-02 10:04:23 524288 --a------ C:\WINDOWS\system32\DivXsm.exe <Not Verified; DivX Inc.; DivX Inc. divxsm>
2007-05-02 10:04:19 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-05-02 10:04:06 1044480 --a------ C:\WINDOWS\system32\libdivx.dll <Not Verified; The OpenSSL Project, http://www.openssl.org/; The OpenSSL Toolkit>
2007-05-02 10:04:05 200704 --a------ C:\WINDOWS\system32\ssldivx.dll <Not Verified; The OpenSSL Project, http://www.openssl.org/; The OpenSSL Toolkit>
2007-05-02 10:02:06 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-05-02 10:02:06 73728 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-05-02 10:02:04 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll <Not Verified; DivXNetworks; DivXNetworks dpuGUI10>
2007-05-02 10:02:02 57344 --a------ C:\WINDOWS\system32\dpv11.dll <Not Verified; DivXNetworks; DivXNetworks dpv11>
2007-05-02 10:02:02 344064 --a------ C:\WINDOWS\system32\dpus11.dll <Not Verified; DivXNetworks; DivXNetworks dpus11>
2007-05-02 10:02:02 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll <Not Verified; DivXNetworks; DivXNetworks dpuGUI11>
2007-05-02 10:02:02 294912 --a------ C:\WINDOWS\system32\dpu11.dll <Not Verified; DivXNetworks; DivXNetworks dpu11>
2007-05-02 10:02:02 294912 --a------ C:\WINDOWS\system32\dpu10.dll <Not Verified; DivXNetworks; DivXNetworks dpu11>
2007-05-02 10:01:56 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-05-02 10:01:56 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-05-02 10:01:56 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-05-02 10:01:56 740442 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-05-01 18:33:57 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-26 17:09:24 0 d-------- C:\Program Files\Tales of Pirates Online
2007-04-26 15:39:46 0 d-------- C:\Documents and Settings\Owner\Application Data\uTorrent
2007-04-26 15:39:20 0 d-------- C:\Program Files\uTorrent
2007-04-23 23:18:48 4682 --a------ C:\WINDOWS\system32\npptNT2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>
2007-04-23 23:13:13 0 d-------- C:\ijji


-- Find3M Report ---------------------------------------------------------------

2007-05-21 18:04:10 4132 --a------ C:\WINDOWS\mozver.dat
2007-05-19 15:45:55 288 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000002-00000000-0000000B-00001102-00000004-005B1102}.dat
2007-05-19 15:45:55 288 --a------ C:\WINDOWS\system32\DVCState-{00000002-00000000-0000000B-00001102-00000004-005B1102}.dat
2007-05-08 18:40:47 0 d-------- C:\Program Files\DivX
2007-05-04 23:04:05 0 d-------- C:\Program Files\iTunes
2007-05-04 23:00:06 0 d-------- C:\Program Files\AIM
2007-05-03 19:36:12 0 d-------- C:\Program Files\Viewpoint
2007-04-19 10:57:10 294912 --a------ C:\WINDOWS\system32\Bump J Multi-Trainer.exe <Not Verified; Bump Bump J; Trainers>
2007-04-13 01:55:57 0 d-------- C:\Program Files\AviSynth 2.5
2007-04-13 01:55:47 0 d-------- C:\Program Files\eRightSoft
2007-04-13 01:17:13 0 d--h----- C:\Program Files\Zero G Registry
2007-02-26 20:24:48 32 --a------ C:\WINDOWS\go


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"CTHelper"="CTHELPER.EXE"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"CamMonitor"="c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\hpqcmon.exe"
"Share-to-Web Namespace Daemon"="c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"Jet Detection"="\"C:\\Program Files\\Creative\\SBAudigy\\PROGRAM\\ADGJDet.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"AIM Logger"="C:\\PROGRA~1\\Nalsoft\\AIMLOG~1\\AIMLogger.exe /start /minimize"
"Hide IP Platinum"="C:\\Program Files\\Hide IP Platinum\\hideippla.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SetDefaultMidi"="MIDIDEF.EXE"
"PlayCenter2"="\"C:\\Program Files\\Creative\\SBAudigy\\PlayCenter2\\MDEntry.EXE\" \"C:\\Program Files\\Creative\\SBAudigy\\PlayCenter2\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_HTTPFILTER


-- End of Deckard's System Scanner: finished at 2007-05-22 at 16:56:29 ---------
Frankh1188 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-22-2007, 06:51 PM   #4 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 79
OS: Windows ME


Re: credit card theft, trojan?
please help out! there are so many bills coming to my house.. i am pretty sure im a victim o identity theft i need to clean my computer.
Frankh1188 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-22-2007, 07:17 PM   #5 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 3,628
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Re: credit card theft, trojan?
Hi,

Unless I am missing something, I see no evidence of an AntiVirus program on your system. Please download and install this FREE-for-home-use anti-virus program:
Active Virus Shield (powered by Kaspersky) and save it to your desktop.
  • Please remember to register for your Activation Code using a legitimate email address.
  • Double-click avs.msi to run the installer, but please uncheck "Install Security Toolbar" during the installation process:
  • Then please update the program and run a systemwide scan by selecting My Computer. Allow it to neutralize all that it finds.
  • When done, launch Active Virus Shield's main window.
  • Click the Scan button on the left, and then click Detected.
  • In the ensuing window, click the Save As button to save a copy of the log.
  • Copy and paste that log in your next reply.
Note: You must only use 1 (one) AV at a time because if you have 2 or more AVs running at the same time, they will conflict with each other and make your security less reliable.

==================================

Scan with HijackThis and put a checkmark against the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8.hpwis.com/
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/061...ie06101001.cab

Close all browsers, including this one, and click on "fix checked".

===================================

Please download ComboFix

Note: It is important that it is saved directly to your desktop.

Close all browsers.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log for you. Post that log in your next reply
  • Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

===================================

Reboot your computer and post a fresh HijackThis log along with the Combofix.txt.
__________________
My services are free. However, you can donate to TSF to help keep it running and prospering.
ASAP

amateur is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-22-2007, 09:15 PM   #6 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 79
OS: Windows ME


Re: credit card theft, trojan?
Hello thanks for your quick respond.

I accidently hit delete all on the active virus shield, but it detected one trojan which i deleted. Here is the link to the trojan name.
http://www.viruslist.com/en/search?V...co&referer=aol

HIJACKTHIS LOG (beore fixing)

Logfile of HijackThis v1.99.1
Scan saved at 7:03:08 PM, on 5/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 216.165.236.187:
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [AIM Logger] C:\PROGRA~1\Nalsoft\AIMLOG~1\AIMLogger.exe /start /minimize
O4 - HKCU\..\Run: [Hide IP Platinum] C:\Program Files\Hide IP Platinum\hideippla.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/ca...C_2.3.1.99.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/061...ie06101001.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe

HIJACKTHIS LOG (ater fixing)

Logfile of HijackThis v1.99.1
Scan saved at 7:14:41 PM, on 5/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\Desktop\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [AIM Logger] C:\PROGRA~1\Nalsoft\AIMLOG~1\AIMLogger.exe /start /minimize
O4 - HKCU\..\Run: [Hide IP Platinum] C:\Program Files\Hide IP Platinum\hideippla.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/ca...C_2.3.1.99.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe

COMBOFIX LOG

"Owner" - 2007-05-22 19:09:03 Service Pack 2
ComboFix 07-05.23.V - Running from: "C:\Documents and Settings\Owner\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-22 ))))))))))))))))))))))))))))))))))


2007-05-22 18:30 3,360 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-05-22 18:30 3,085,856 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-05-22 18:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-05-19 16:18 <DIR> d-------- C:\Program Files\LimeWire
2007-05-08 18:41 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\DivX
2007-05-08 18:40 36,624 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-05-08 18:40 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-05-08 18:40 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-05-08 18:40 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-05-08 18:40 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-05-08 18:40 116,472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-05-06 03:30 <DIR> d-------- C:\Deckard
2007-05-04 22:33 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-05-02 10:04 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-05-02 10:04 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-05-02 10:04 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-05-02 10:04 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-05-02 10:02 73,728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-05-02 10:02 593,920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-05-02 10:02 57,344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-05-02 10:02 53,248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-05-02 10:02 344,064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-05-02 10:02 294,912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-05-02 10:02 294,912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-05-02 10:02 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-05-02 10:01 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-05-02 10:01 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-05-02 10:01 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-05-02 10:01 740,442 --a------ C:\WINDOWS\system32\DivX.dll
2007-05-01 18:33 124,472 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-05-01 18:33 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-26 17:09 <DIR> d-------- C:\Program Files\Tales of Pirates Online
2007-04-26 15:39 <DIR> d-------- C:\Program Files\uTorrent
2007-04-26 15:39 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\uTorrent
2007-04-23 23:18 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2007-04-23 23:13 <DIR> d-------- C:\ijji


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-23 02:32:28 288 ----a-w C:\WINDOWS\system32\DVCStateBkp-{00000002-00000000-0000000B-00001102-00000004-005B1102}.dat
2007-05-23 02:32:28 288 ----a-w C:\WINDOWS\system32\DVCState-{00000002-00000000-0000000B-00001102-00000004-005B1102}.dat
2007-05-22 02:04:10 4,132 ----a-w C:\WINDOWS\mozver.dat
2007-05-09 02:40:47 -------- d-----w C:\Program Files\DivX
2007-05-05 07:04:05 -------- d-----w C:\Program Files\iTunes
2007-05-05 07:00:06 -------- d-----w C:\Program Files\AIM
2007-05-04 03:36:12 -------- d-----w C:\Program Files\Viewpoint
2007-04-19 18:57:10 294,912 ----a-w C:\WINDOWS\system32\Bump J Multi-Trainer.exe
2007-04-13 09:55:57 -------- d-----w C:\Program Files\AviSynth 2.5
2007-04-13 09:55:47 -------- d-----w C:\Program Files\eRightSoft
2007-04-13 09:17:13 -------- d--h--w C:\Program Files\Zero G Registry
2007-03-14 09:28:21 -------- d-----w C:\Program Files\Disc2Phone
2007-03-06 02:57:35 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Real
2007-02-21 10:47:16 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2007-02-11 21:43:24 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-03 01:02]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2003-01-09 06:39 C:\WINDOWS\system32\cthelper.exe]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 22:04]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-03-11 23:11]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-22 13:27]
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 23:42]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-12 01:02]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 03:42]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 21:57]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 00:00]
"Jet Detection"="C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-22 18:51]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 14:43]
"aol"="C:\Program Files\AOL\Active Virus Shield\avp.exe" [2006-05-30 11:13]
"@"="" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2007-02-10 13:06]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" []
"AIM Logger"="C:\PROGRA~1\Nalsoft\AIMLOG~1\AIMLogger.exe" []
"Hide IP Platinum"="C:\Program Files\Hide IP Platinum\hideippla.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"SetDefaultMidi"=MIDIDEF.EXE
"PlayCenter2"="C:\Program Files\Creative\SBAudigy\PlayCenter2\MDEntry.EXE" "C:\Program Files\Creative\SBAudigy\PlayCenter2"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"<NO NAME>"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll

*Newly Created Service* -KL1
*Newly Created Service* -PROCEXP90


~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070522-190642-893
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/061...ie06101001.cab

????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????=????'?4??????`??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

backup-20070522-190642-745
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab

???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????=????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

backup-20070522-190642-397
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/

backup-20070522-190642-813
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us8.hpwis.com/

backup-20070522-190642-550
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8.hpwis.com/

backup-20070522-190642-503
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 216.165.236.187:

backup-20070522-190642-639
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

backup-20070522-190642-729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/

backup-20070522-190642-430
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8.hpwis.com/

backup-20070522-190642-181
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/

backup-20070522-190642-825
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us8.hpwis.com/

backup-20070522-190642-462
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/

backup-20070522-190642-264
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
Contents of the 'Scheduled Tasks' folder
2006-12-07 05:41:00 C:\WINDOWS\tasks\easy Internet sign-up.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-22 19:10:46
Windows 5.1.2600 Service Pack 2 NTFS NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-22 19:11:26

--- E O F ---




thank you.
Frankh1188 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Bookmark on Thread SoupReddit!
Old 05-23-2007, 09:59 AM   #7 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 3,628
OS: XP Home SP3, XP MCE SP3, XP Pro SP3


Re: credit card theft, trojan?
Hi,

The logs are looking good. Let's carry out a couple more scans to make sure that nothing else is hiding around.

Please download Ccleaner and save it to your desktop.
Tutorial for CCleaner
During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it. Do not scan with it yet.

=====================================

Download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"


  • Install AVG Anti Spyware
  • Double-click the icon on Desktop to launch AVG
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"

When you have finished updating, EXIT AVG Anti Spyware. Do Not run a scan just yet, we will shortly.

========================================

Reboot your computer in Safe Mode using the F8 method below.
a. If the computer is running, shut down Windows, and then turn off the power.
b. Wait 30 seconds, and then turn the computer on.
c. Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
d. Ensure that the Safe Mode option is selected.
e. Press Enter. The computer then begins to start in Safe mode.

=======================================

From Safe Mode run Ccleaner
  • Click on Options,
  • Select Advanced
  • Now UNCHECK "Only delete files in Windows Temp folders older than 48 hours"
  • Make sure the Cleaner block on the left is selected.
  • Do not use the "Issues" block . It's meant for professionals.
  • Choose the Windows tab.
  • Check everything EXCEPT Advanced part of the Menu.
  • Click on "Analyze". This process could take a while.
  • If you don't want to loose your login passwords to certain sites, click on Options
  • Select cookies and move the ones you want to keep to the "cookies to keep" section, by highlighting and using the arrows in the middle.
  • Choose Run Cleaner.
When CCleaner shows how much has been removed, cleaning is finished. Click Exit.
If you have more than one users, run Ccle