Tech Support Forum > Security Center > HijackThis Log Help > Resolved HJT Threads
09-25-2007, 07:04 AM   #1
Registered User
 
Join Date: Jun 2007
Posts: 9
OS: win xp


help with trojan horse

Hi,

I'm getting a reminder from AVG Resident Shield whenever I open up a particular medical bookshop website that there is a threat detected while opening C:\1.exe, Trojan horse PSW.Generic5.MQE. The AVG program gives me the option to ignore, heal or move to vault, none of which works permanently.

I have tried scanning my computer with AVG and also Ad-Aware with no success. Could you give me some advice on how to get rid of this virus please? I'm pretty confident that I do not have any other spyware on my computer.

Many thanks

Kind regards

Kelvin
09-25-2007, 08:43 AM   #2
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 26,752
OS: 2000 Pro; XP Pro; XP Home


Re: help with trojan horse

To effectively assist you we would need more information. Toward that end, do this....

Please follow MicroBell's 5 Step process outlined here:

http://www.techsupportforum.com/secu...tml#post342651

After running through all the steps, please post the requested logs in the HijackThis Log Help forum.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your new thread.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
09-25-2007, 08:44 PM   #3
Registered User
 
Join Date: Jun 2007
Posts: 9
OS: win xp


Re: help with trojan horse

Hi Tetonbob,

I have gone through the 5 step process and the files are as follows:

Panda activescan report

Incident Status Location
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Kelv\Cookies\kelv@ad.yieldmanager[1].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Kelv\Cookies\kelv@adtech[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Kelv\Cookies\kelv@atdmt[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Kelv\Cookies\kelv@atdmt[3].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Kelv\Cookies\kelv@com[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Kelv\Cookies\kelv@doubleclick[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Kelv\Desktop\Applications\SmitfraudFix\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Kelv\Desktop\Applications\SmitfraudFix\SmitfraudFix\restart.exe
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Kelv\Local Settings\Temp\Cookies\kelv@doubleclick[1].txt
Virus:W32/ZLFake.A.drp Disinfected C:\WINDOWS\Temp\svcipa.exe

HijackThis log

Deckard's System Scanner v20070905.67
Run by Kelv on 2007-09-26 10:30:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-09-26 02:30:50 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-09-26 10:33:03
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\taskmar.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CyberLink DVD Solution\Power2Go\Power2GoExpress.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dwwin.exe
C:\downloads\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,taskmar.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKEY_LOCAL_MACHINE\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKEY_LOCAL_MACHINE\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKEY_LOCAL_MACHINE\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKEY_LOCAL_MACHINE\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKEY_LOCAL_MACHINE\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKEY_LOCAL_MACHINE\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKEY_LOCAL_MACHINE\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink DVD Solution\Power2Go\Power2GoExpress.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
O4 - Global Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra 'Tools' menuitem: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: C:\Program Files\Aventail\Connect\asnsp.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_02) - http://java.sun.com/update/1.6.0/jin...ws-i586-jc.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get.../ultrashim.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sisidex - c:\windows\system32\drivers\sisidex.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R0 sisperf (Add Performance Filter Driver) - c:\windows\system32\drivers\sisperf.sys <Not Verified; Silicon Integrated Systems Corp.; SiS Filer Driver>
R1 AFS2K - c:\windows\system32\drivers\afs2k.sys <Not Verified; Oak Technology Inc.; AFS>
R1 cdrbsvsd - c:\windows\system32\drivers\cdrbsvsd.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD7>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Controller
Device ID: PCI\VEN_1131&DEV_7134&SUBSYS_01385168&REV_01\3&61AAA01&0&50
Manufacturer:
Name: Multimedia Controller
PNP Device ID: PCI\VEN_1131&DEV_7134&SUBSYS_01385168&REV_01\3&61AAA01&0&50
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_11C1&DEV_048C&SUBSYS_044C11C1&REV_03\3&61AAA01&0&58
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_11C1&DEV_048C&SUBSYS_044C11C1&REV_03\3&61AAA01&0&58
Service:


-- Scheduled Tasks -------------------------------------------------------------

2007-09-24 10:57:04 388 --a------ C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1187145296.job


-- Files created between 2007-08-26 and 2007-09-26 -----------------------------

2007-09-26 10:15:34 0 d-------- C:\ie-spyad_zo
2007-09-26 09:28:55 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-09-26 09:28:53 0 d-------- C:\WINDOWS\LastGood
2007-09-25 17:59:21 0 d-------- C:\Program Files\Lavasoft
2007-09-25 17:59:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-09-25 17:58:55 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-25 08:33:39 27466 ---hs---- C:\WINDOWS\system32\taskmar.exe <Not Verified; NOD; MStaskmgr>
2007-09-15 11:36:26 0 d-------- C:\Program Files\PokerStars
2007-09-12 10:45:17 0 d-------- C:\WINDOWS\pss
2007-09-12 10:43:52 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-09-12 10:43:52 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-09-12 10:43:52 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-09-12 10:43:52 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-09-12 10:43:52 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-09-12 10:43:52 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-09-12 10:43:52 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-09-12 10:43:52 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-09-12 10:43:52 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-09-12 10:43:52 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-09-12 10:43:52 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-09-12 10:43:52 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-09-12 10:43:52 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-09-12 10:43:52 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-09-11 12:31:53 0 d-------- C:\Program Files\Integard
2007-09-11 10:24:23 0 d-------- C:\Incomplete
2007-09-11 10:24:10 0 d-------- C:\Documents and Settings\Kelv\Incomplete
2007-09-11 10:23:53 0 d-------- C:\Documents and Settings\Kelv\Application Data\LimeWire
2007-09-11 10:23:36 0 d-------- C:\Program Files\LimeWire
2007-09-05 11:39:13 0 d-------- C:\Documents and Settings\Kelv\Application Data\.Torrent Swapper
2007-09-05 11:39:05 0 d-------- C:\Program Files\Swapper
2007-09-05 09:50:33 0 d-------- C:\Documents and Settings\Kelv\Application Data\Apple Computer
2007-09-05 09:50:18 0 d-------- C:\Program Files\iPod
2007-09-05 09:50:13 0 d-------- C:\Program Files\iTunes
2007-09-05 09:49:32 0 d-------- C:\Program Files\QuickTime
2007-09-05 09:49:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-05 09:48:46 0 d-------- C:\Program Files\Apple Software Update
2007-09-05 09:48:40 0 d------c- C:\WINDOWS\system32\DRVSTORE
2007-09-05 09:47:56 0 d-------- C:\Program Files\Common Files\Apple
2007-09-05 09:47:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-09-03 09:10:02 0 d-------- C:\Program Files\uTorrent
2007-09-03 09:09:53 0 d-------- C:\Documents and Settings\Kelv\Application Data\uTorrent
2007-09-03 08:55:47 0 d-------- C:\Program Files\BitComet
2007-08-29 20:14:28 982 --a------ C:\WINDOWS\eReg.dat
2007-08-29 20:08:42 0 d-------- C:\Program Files\EA Games
2007-08-28 20:26:41 0 d-------- C:\WINDOWS\Sun
2007-08-28 20:26:41 0 d-------- C:\Documents and Settings\Kelv\Application Data\Sun
2007-08-28 20:25:34 0 d-------- C:\Program Files\Java
2007-08-28 20:25:04 0 d-------- C:\Program Files\Common Files\Java


-- Find3M Report ---------------------------------------------------------------

2007-09-26 09:59:48 0 d-------- C:\Program Files\SpywareGuard
2007-09-26 09:58:01 0 d-------- C:\Program Files\Messenger
2007-09-25 19:54:35 0 d-------- C:\Documents and Settings\Kelv\Application Data\AVG7
2007-09-25 17:58:55 0 d-------- C:\Program Files\Common Files
2007-09-25 14:01:04 0 d-------- C:\Documents and Settings\Kelv\Application Data\AdobeUM
2007-09-09 23:08:13 0 d-------- C:\Program Files\Google
2007-08-29 20:23:52 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-08-29 20:05:45 0 d-------- C:\Program Files\Common Files\InstallShield
2007-08-29 08:43:41 0 d-------- C:\Documents and Settings\Kelv\Application Data\Google
2007-08-24 12:57:34 0 d-------- C:\Program Files\Xilisoft
2007-08-23 11:58:41 0 d-------- C:\Program Files\SourceTec
2007-08-23 11:36:49 0 d-------- C:\Program Files\CyberLink DVD Solution
2007-08-23 11:32:20 0 d-------- C:\Documents and Settings\Kelv\Application Data\CyberLink
2007-08-23 11:15:07 34 --ah----- C:\WINDOWS\system32\RMRMVB to AVI WMV DVD Converter&Burner_sysquict.dat
2007-08-23 11:08:34 0 d-------- C:\Documents and Settings\Kelv\Application Data\Panasonic
2007-08-21 09:57:28 0 d-------- C:\Program Files\RM Converter
2007-08-21 09:29:40 0 d-------- C:\Documents and Settings\Kelv\Application Data\Real
2007-08-21 09:29:39 0 d-------- C:\Documents and Settings\Kelv\Application Data\Media Player Classic
2007-08-21 09:28:37 0 d-------- C:\Program Files\Real Alternative
2007-08-21 09:28:35 0 d-------- C:\Program Files\Media Player Classic
2007-08-18 10:34:12 0 d-------- C:\Program Files\SDI
2007-08-18 09:46:36 0 d-------- C:\Program Files\Aventail
2007-08-16 16:09:23 0 d-------- C:\Program Files\FLV Player
2007-08-16 07:25:40 0 d-------- C:\Program Files\Common Files\Adobe
2007-08-16 07:25:39 0 d-------- C:\Documents and Settings\Kelv\Application Data\Adobe
2007-08-15 21:13:04 0 d-------- C:\Program Files\AVS4YOU
2007-08-15 21:12:57 0 d-------- C:\Program Files\Common Files\AVSMedia
2007-08-15 21:11:46 0 d-------- C:\Program Files\DivX
2007-08-15 19:37:22 0 d-------- C:\Documents and Settings\Kelv\Application Data\AVS4YOU
2007-08-15 18:18:15 0 d-------- C:\Program Files\Common Files\Real
2007-08-15 17:56:47 0 d-------- C:\Documents and Settings\Kelv\Application Data\DivX
2007-08-15 17:29:06 0 d-------- C:\Program Files\Real
2007-08-15 11:17:45 0 d-------- C:\Program Files\SiSLan
2007-08-15 11:15:38 0 d-------- C:\Program Files\Analog Devices
2007-08-15 11:15:35 44 --a------ C:\WINDOWS\system32\msssc.dll
2007-08-15 11:02:38 0 d-------- C:\Program Files\CyberLink
2007-08-15 10:34:50 0 d-------- C:\Program Files\ReadIris
2007-08-15 10:30:58 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-08-15 10:30:31 0 d-------- C:\Documents and Settings\Kelv\Application Data\Share-to-Web Upload Folder
2007-08-15 10:29:34 0 d-------- C:\Program Files\Hewlett-Packard
2007-08-15 10:22:55 0 d-------- C:\Documents and Settings\Kelv\Application Data\Macromedia
2007-08-15 09:58:00 0 d-------- C:\Program Files\Panasonic
2007-08-15 09:47:59 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-08-15 09:39:38 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-08-15 07:00:29 0 d-------- C:\Program Files\Common Files\ODBC
2007-08-15 07:00:26 0 d-------- C:\Program Files\Common Files\SpeechEngines
2007-08-15 06:59:53 62 --ahs---- C:\Documents and Settings\Kelv\Application Data\desktop.ini
2007-08-14 23:20:39 0 d-------- C:\Documents and Settings\Kelv\Application Data\Identities
2007-08-14 23:14:39 0 d-------- C:\Program Files\microsoft frontpage
2007-08-14 23:14:22 0 -rahs---- C:\MSDOS.SYS
2007-08-14 23:14:22 0 -rahs---- C:\IO.SYS
2007-08-14 23:14:22 0 --a------ C:\CONFIG.SYS
2007-08-14 23:14:22 0 --a------ C:\AUTOEXEC.BAT
2007-08-14 23:13:03 0 d--h----- C:\Program Files\WindowsUpdate
2007-08-14 23:12:03 0 d-------- C:\Program Files\Common Files\MSSoap
2007-08-14 23:11:53 0 d-------- C:\Program Files\Movie Maker
2007-08-14 23:11:01 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-08-14 23:10:40 0 d-------- C:\Program Files\Online Services
2007-08-14 23:10:29 0 d-------- C:\Program Files\MSN Gaming Zone
2007-08-14 23:10:18 0 d-------- C:\Program Files\Windows NT
2007-07-26 10:53:34 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-26 10:50:34 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-07-26 10:50:34 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-07-26 10:49:28 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [21/06/2007 09:54 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [29/06/2007 06:24 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [14/09/2007 10:14 PM]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [11/04/2002 04:19 AM]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [31/10/2003 07:42 PM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [04/08/2004 08:00 PM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [04/08/2004 08:00 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04/08/2004 08:00 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04/08/2004 08:00 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [12/07/2007 04:00 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [15/08/2007 08:15 PM]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [08/08/2007 03:53 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [04/08/2004 01:06 AM]
"Power2GoExpress"="C:\Program Files\CyberLink DVD Solution\Power2Go\Power2GoExpress.exe" [04/05/2004 10:22 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 08:00 PM]

C:\Documents and Settings\Kelv\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [17/08/2007 6:00:00 AM]
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [29/08/2003 7:05:35 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [27/06/2002 1:20:58 AM]
LUMIX Simple Viewer.lnk - C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [15/08/2007 9:56:17 AM]
officejet 6100.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [27/06/2002 1:21:30 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,,taskmar.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"




-- Hosts -----------------------------------------------------------------------

127.0.0.2 integard


-- End of Deckard's System Scanner: finished at 2007-09-26 10:34:04 ------------


Thanks for your help. Please let me know what else I need to do now to get rid of the trojan horse.

Kind regards

Kelvin
Attached Files
File Type: txt extra.txt (12.4 KB, 3 views)
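As an added example (not part of this thread and not code from any tool it mentions), here is a Python check that reproduces what a log helper looks for in the DSS output above: programs appended to the Winlogon Userinit value, and hidden+system executables that the file listing shows as recently created with no verified publisher. The sample lines are constructed from the posted log, and the attribute-column layout (d, r, a, h, s, then four more flags) is assumed from the lines shown.

```python
import re
from typing import Dict, List

# Constructed sample: a handful of lines taken from the log posted above,
# not the full log. The last three lines are there to show what is NOT flagged.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,taskmar.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
2007-09-25 08:33:39 27466 ---hs---- C:\WINDOWS\system32\taskmar.exe <Not Verified; NOD; MStaskmgr>
2007-08-15 09:47:59 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-08-14 23:14:22 0 -rahs---- C:\MSDOS.SYS
2007-07-26 10:50:34 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
"""

# HijackThis F2 line carrying the Winlogon Userinit value.
USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.I)

# DSS file-listing line: date time size attrs path [<verification info>].
# Attribute column layout assumed from the posted log:
# d=directory, r=read-only, a=archive, h=hidden, s=system, then four more flags.
FILE_RE = re.compile(
    r"^(?P<when>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<size>\d+)\s+"
    r"(?P<attrs>[d-][r-][a-][h-][s-]\S{4})\s+(?P<path>.+?)"
    r"(?:\s+<(?P<info>[^>]*)>)?\s*$"
)

# Executable extensions worth flagging when marked hidden+system. Boot files such
# as IO.SYS and MSDOS.SYS are legitimately +h+s, so .sys is deliberately left out.
EXEC_EXTENSIONS = (".exe", ".dll", ".scr", ".com")


def userinit_extras(value: str) -> List[str]:
    """Return every Userinit entry other than the stock userinit.exe in system32.

    Winlogon runs each comma-separated entry at logon, before the shell starts,
    so a clean XP value is just the userinit.exe path followed by a comma.
    """
    extras = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if not entry:
            continue
        directory, _, name = entry.rpartition("\\")
        is_stock = (name.lower() == "userinit.exe"
                    and directory.lower().endswith("\\system32"))
        if not is_stock:
            extras.append(entry)
    return extras


def hidden_system_executables(log_text: str) -> List[Dict[str, str]]:
    """Flag non-directory entries with both hidden and system attributes set
    whose name carries an executable extension, keeping the verification note."""
    hits = []
    for line in log_text.splitlines():
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        attrs, path = m.group("attrs"), m.group("path")
        is_dir, hidden, system = attrs[0] == "d", attrs[3] == "h", attrs[4] == "s"
        if is_dir or not (hidden and system):
            continue
        if path.lower().endswith(EXEC_EXTENSIONS):
            hits.append({"when": m.group("when"), "path": path,
                         "attrs": attrs, "info": m.group("info") or ""})
    return hits


def analyze(log_text: str) -> Dict[str, list]:
    """Run both checks over a log and return the findings."""
    extras: List[str] = []
    for line in log_text.splitlines():
        m = USERINIT_RE.match(line.strip())
        if m:
            extras.extend(userinit_extras(m.group("value")))
    return {"userinit_extras": extras,
            "hidden_system_executables": hidden_system_executables(log_text)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for entry in result["userinit_extras"]:
        print(f"Userinit runs an extra program at every logon: {entry}")
    for hit in result["hidden_system_executables"]:
        print(f"hidden+system executable {hit['path']} ({hit['attrs']}) "
              f"created {hit['when']}: {hit['info'] or 'no verification info'}")
```

Run against the sample it reports exactly the two items the helper acts on in this thread: taskmar.exe appended to Userinit, and the same file sitting in system32 as a hidden+system executable created the day the alerts began.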
09-25-2007, 09:14 PM   #4
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 26,752
OS: 2000 Pro; XP Pro; XP Home


Re: help with trojan horse

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Download this file - http://download.bleepingcomputer.com...a/ComboFix.exe

    * IMPORTANT !!! Place combofix.exe on your Desktop


  2. Disconnect from the internet....pull the plug!
  3. Go to -> Run -> paste in the following single line command & click OK

    "%userprofile%\desktop\combofix.exe" /killall



  4. Follow the prompts. Type "1" and press Enter to begin the scan.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    ---------------------------------------------------------------------------------------------
  7. Re-establish an internet connection.
  8. Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

    ---------------------------------------------------------------------------------------------
09-26-2007, 02:31 AM   #5
Registered User
 
Join Date: Jun 2007
Posts: 9
OS: win xp


Re: help with trojan horse

Hi Tetonbob,

these are the logs you requested:

ComboFix 07-09-26 - Kelv 2007-09-26 16:21:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.670 [GMT 8:00]
Running from: C:\Documents and Settings\Kelv\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-08-26 to 2007-09-26 )))))))))))))))))))))))))))))))
.

2007-09-26 16:20 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-26 10:30 <DIR> d-------- C:\Deckard
2007-09-26 10:15 <DIR> d-------- C:\ie-spyad_zo
2007-09-26 09:28 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-09-25 17:59 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-25 17:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-09-25 17:58 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-25 08:33 27,466 ---hs---- C:\WINDOWS\system32\taskmar.exe
2007-09-15 11:36 <DIR> d-------- C:\Program Files\PokerStars
2007-09-12 10:45 <DIR> d-------- C:\WINDOWS\pss
2007-09-11 12:31 <DIR> d-------- C:\Program Files\Integard
2007-09-11 10:24 <DIR> d-------- C:\Incomplete
2007-09-11 10:24 <DIR> d-------- C:\Documents and Settings\Kelv\Incomplete
2007-09-11 10:23 <DIR> d-------- C:\Program Files\LimeWire
2007-09-11 10:23 <DIR> d-------- C:\Documents and Settings\Kelv\Application Data\LimeWire
2007-09-05 11:39 <DIR> d-------- C:\Program Files\Swapper
2007-09-05 11:39 <DIR> d-------- C:\Documents and Settings\Kelv\Application Data\.Torrent Swapper
2007-09-05 09:50 <DIR> d-------- C:\Program Files\iTunes
2007-09-05 09:50 <DIR> d-------- C:\Program Files\iPod
2007-09-05 09:50 <DIR> d-------- C:\Documents and Settings\Kelv\Application Data\Apple Computer
2007-09-05 09:49 <DIR> d-------- C:\Program Files\QuickTime
2007-09-05 09:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-05 09:48 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-09-05 09:48 <DIR> d-------- C:\Program Files\Apple Software Update
2007-09-05 09:47 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-09-05 09:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-09-03 09:10 <DIR> d-------- C:\Program Files\uTorrent
2007-09-03 09:09 <DIR> d-------- C:\Documents and Settings\Kelv\Application Data\uTorrent
2007-09-03 08:55 <DIR> d-------- C:\Program Files\BitComet
2007-08-29 20:14 982 --a------ C:\WINDOWS\eReg.dat
2007-08-29 20:08 <DIR> d-------- C:\Program Files\EA Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-26 16:22 9674784 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-09-26 10:49 114188 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-09-26 09:59 --------- d-------- C:\Program Files\SpywareGuard
2007-09-25 14:01 --------- d-------- C:\Documents and Settings\Kelv\Application Data\AdobeUM
2007-09-09 23:08 --------- d-------- C:\Program Files\Google
2007-09-08 23:33 --------- d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-09-06 08:33 --------- d-------- C:\Documents and Settings\Kelv\Application Data\.Torrent Swapper
2007-09-04 17:02 12400 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-09-03 08:57 359040 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2007-08-29 20:23 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-29 20:05 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-08-29 08:43 --------- d-------- C:\Documents and Settings\Kelv\Application Data\Google
2007-08-24 12:57 --------- d-------- C:\Program Files\Xilisoft
2007-08-23 11:58 --------- d-------- C:\Program Files\SourceTec
2007-08-23 11:36 --------- d-------- C:\Program Files\CyberLink DVD Solution
2007-08-23 11:32 --------- d-------- C:\Documents and Settings\Kelv\Application Data\CyberLink
2007-08-23 11:08 --------- d-------- C:\Documents and Settings\Kelv\Application Data\Panasonic
2007-08-21 09:57 --------- d-------- C:\Program Files\RM Converter
2007-08-21 09:29 --------- d-------- C:\Documents and Settings\Kelv\Application Data\Real
2007-08-21 09:29 --------- d-------- C:\Documents and Settings\Kelv\Application Data\Media Player Classic
2007-08-21 09:28 --------- d-------- C:\Program Files\Real Alternative
2007-08-21 09:28 --------- d-------- C:\Program Files\Media Player Classic
2007-08-21 09:28 --------- d-------- C:\Documents and Settings\All Users\Application Data\Real
2007-08-18 10:34 --------- d-------- C:\Program Files\SDI
2007-08-18 10:15 --------- d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2007-08-18 09:46 --------- d-------- C:\Program Files\Aventail
2007-08-16 16:09 --------- d-------- C:\Program Files\FLV Player
2007-08-15 21:13 --------- d-------- C:\Program Files\AVS4YOU
2007-08-15 21:12 --------- d-------- C:\Program Files\Common Files\AVSMedia
2007-08-15 21:11 --------- d-------- C:\Program Files\DivX
2007-08-15 19:37 --------- d-------- C:\Documents and Settings\Kelv\Application Data\AVS4YOU
2007-08-15 19:37 --------- d-------- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2007-08-15 18:18 --------- d-------- C:\Program Files\Common Files\Real
2007-08-15 17:56 --------- d-------- C:\Documents and Settings\Kelv\Application Data\DivX
2007-08-15 17:29 --------- d-------- C:\Program Files\Real
2007-08-15 11:17 --------- d-------- C:\Program Files\SiSLan
2007-08-15 11:15 --------- d-------- C:\Program Files\Analog Devices
2007-08-15 11:02 --------- d-------- C:\Program Files\CyberLink
2007-08-15 11:02 --------- d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2007-08-15 10:34 --------- d-------- C:\Program Files\ReadIris
2007-08-15 10:30 --------- d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-08-15 10:30 --------- d-------- C:\Documents and Settings\Kelv\Application Data\Share-to-Web Upload Folder
2007-08-15 10:29 82380 --a------ C:\WINDOWS\system32\drivers\AFS2K.SYS
2007-08-15 10:29 --------- d-------- C:\Program Files\Hewlett-Packard
2007-08-15 10:12 499712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-08-15 10:12 348160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-08-15 10:02 --------- d-------- C:\Documents and Settings\All Users\Application Data\QuickTime
2007-08-15 09:58 --------- d-------- C:\Program Files\Panasonic
2007-08-15 09:46 75932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-08-15 09:46 74396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-08-15 09:46 --------- d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-08-15 09:39 --------- d-------- C:\Program Files\Microsoft ActiveSync
2007-08-14 23:14 --------- d-------- C:\Program Files\microsoft frontpage
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-26 11:06 144704 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-07-26 10:53 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-26 10:53 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-26 10:53 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-26 10:53 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-26 10:50 81920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-26 10:50 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-26 10:50 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-26 10:50 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-26 10:50 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-26 10:50 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-26 10:49 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2004-03-11 13:27 40960 --a------ C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-14 22:14]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 04:19]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 20:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 20:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 20:15]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06]
"Power2GoExpress"="C:\Program Files\CyberLink DVD Solution\Power2Go\Power2GoExpress.exe" [2004-05-04 10:22]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-06-27 01:20:58]
LUMIX Simple Viewer.lnk - C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2007-08-15 09:56:17]
officejet 6100.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2002-06-27 01:21:30]

C:\Documents and Settings\Kelv\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2007-08-17 06:00:00]
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-06-27 01:20:58]
LUMIX Simple Viewer.lnk - C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2007-08-15 09:56:17]
officejet 6100.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2002-06-27 01:21:30]

R1 cdrbsvsd;cdrbsvsd;C:\WINDOWS\system32\drivers\cdrbsvsd.sys
S3 Slnt7554;USB Soft Modem Driver;C:\WINDOWS\system32\DRIVERS\slnt7554.sys

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-09-24 02:57:04 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1187145296.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-26 16:23:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-26 16:23:57
.
--- E O F ---


HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:30:13 PM, on 26/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\downloads\HiJackThis.exe

O1 - Hosts: 127.0.0.2 integard
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink DVD Solution\Power2Go\Power2GoExpress.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5717 bytes


thanks

Kelvin
Old 09-26-2007, 08:02 AM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 26,752
OS: 2000 Pro; XP Pro; XP Home


Re: help with trojan horse

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Open notepad and copy/paste the text in the quotebox below into it:

Quote:
http://www.techsupportforum.com/security-center/hijackthis-log-help/183849-help-trojan-horse.html

Killall::

Collect::
C:\WINDOWS\system32\taskmar.exe
C:\1.exe
Save this as CFScript.txt




Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

---------------------------------------------------------------------------------------------


Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
Old 09-26-2007, 10:04 PM   #7 (permalink)
Registered User
 
Join Date: Jun 2007
Posts: 9
OS: win xp


Re: help with trojan horse

Combofix text
ComboFix 07-09-26 - Kelv 2007-09-27 10:41:28.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.668 [GMT 8:00]
Running from: C:\Documents and Settings\Kelv\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kelv\My Documents\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\taskmar.exe

.
((((((((((((((((((((((((( Files Created from 2007-08-27 to 2007-09-27 )))))))))))))))))))))))))))))))
.

2007-09-26 16:20 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-26 10:30 <DIR> d-------- C:\Deckard
2007-09-26 10:15 <DIR> d-------- C:\ie-spyad_zo
2007-09-26 09:28 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-09-25 17:59 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-25 17:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-09-25 17:58 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-15 11:36 <DIR> d-------- C:\Program Files\PokerStars
2007-09-12 10:45 <DIR> d-------- C:\WINDOWS\pss
2007-09-11 12:31 <DIR> d-------- C:\Program Files\Integard
2007-09-11 10:24 <DIR> d-------- C:\Incomplete
2007-09-11 10:24 <DIR> d-------- C:\Documents and Settings\Kelv\Incomplete
2007-09-11 10:23 <DIR> d-------- C:\Program Files\LimeWire
2007-09-11 10:23 <DIR> d-------- C:\Documents and Settings\Kelv\Application Data\LimeWire
2007-09-05 11:39 <DIR> d-------- C:\Program Files\Swapper
2007-09-05 11:39 <DIR> d-------- C:\Documents and Settings\Kelv\Application Data\.Torrent Swapper
2007-09-05 09:50 <DIR> d-------- C:\Program Files\iTunes
2007-09-05 09:50 <DIR> d-------- C:\Program Files\iPod
2007-09-05 09:50 <DIR> d-------- C:\Documents and Settings\Kelv\Application Data\Apple Computer
2007-09-05 09:49 <DIR> d-------- C:\Program Files\QuickTime
2007-09-05 09:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-05 09:48 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-09-05 09:48 <DIR> d-------- C:\Program Files\Apple Software Update
2007-09-05 09:47 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-09-05 09:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-09-03 09:10 <DIR> d-------- C:\Program Files\uTorrent
2007-09-03 09:09 <DIR> d-------- C:\Documents and Settings\Kelv\Application Data\uTorrent
2007-09-03 08:55 <DIR> d-------- C:\Program Files\BitComet
2007-08-29 20:14 982 --a------ C:\WINDOWS\eReg.dat
2007-08-29 20:08 <DIR> d-------- C:\Program Files\EA Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-27 10:42 9889824 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-09-26 20:33 116492 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-09-26 09:59 --------- d-------- C:\Program Files\SpywareGuard
2007-09-25 14:01 --------- d-------- C:\Documents and Settings\Kelv\Application Data\AdobeUM
2007-09-09 23:08 --------- d-------- C:\Program Files\Google
2007-09-08 23:33 --------- d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-09-06 08:33 --------- d-------- C:\Documents and Settings\Kelv\Application Data\.Torrent Swapper
2007-09-04 17:02 12400 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-09-03 08:57 359040 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2007-08-29 20:23 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-29 20:05 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-08-29 08:43 --------- d-------- C:\Documents and Settings\Kelv\Application Data\Google
2007-08-24 12:57 --------- d-------- C:\Program Files\Xilisoft
2007-08-23 11:58 --------- d-------- C:\Program Files\SourceTec
2007-08-23 11:36 --------- d-------- C:\Program Files\CyberLink DVD Solution
2007-08-23 11:32 --------- d-------- C:\Documents and Settings\Kelv\Application Data\CyberLink
2007-08-23 11:08 --------- d-------- C:\Documents and Settings\Kelv\Application Data\Panasonic
2007-08-21 09:57 --------- d-------- C:\Program Files\RM Converter
2007-08-21 09:29 --------- d-------- C:\Documents and Settings\Kelv\Application Data\Real
2007-08-21 09:29 --------- d-------- C:\Documents and Settings\Kelv\Application Data\Media Player Classic
2007-08-21 09:28 --------- d-------- C:\Program Files\Real Alternative
2007-08-21 09:28 --------- d-------- C:\Program Files\Media Player Classic
2007-08-21 09:28 --------- d-------- C:\Documents and Settings\All Users\Application Data\Real
2007-08-18 10:34 --------- d-------- C:\Program Files\SDI
2007-08-18 10:15 --------- d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2007-08-18 09:46 --------- d-------- C:\Program Files\Aventail
2007-08-16 16:09 --------- d-------- C:\Program Files\FLV Player
2007-08-15 21:13 --------- d-------- C:\Program Files\AVS4YOU
2007-08-15 21:12 --------- d-------- C:\Program Files\Common Files\AVSMedia
2007-08-15 21:11 --------- d-------- C:\Program Files\DivX
2007-08-15 19:37 --------- d-------- C:\Documents and Settings\Kelv\Application Data\AVS4YOU
2007-08-15 19:37 --------- d-------- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2007-08-15 18:18 --------- d-------- C:\Program Files\Common Files\Real
2007-08-15 17:56 --------- d-------- C:\Documents and Settings\Kelv\Application Data\DivX
2007-08-15 17:29 --------- d-------- C:\Program Files\Real
2007-08-15 11:17 --------- d-------- C:\Program Files\SiSLan
2007-08-15 11:15 --------- d-------- C:\Program Files\Analog Devices
2007-08-15 11:02 --------- d-------- C:\Program Files\CyberLink
2007-08-15 11:02 --------- d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2007-08-15 10:34 --------- d-------- C:\Program Files\ReadIris
2007-08-15 10:30 --------- d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-08-15 10:30 --------- d-------- C:\Documents and Settings\Kelv\Application Data\Share-to-Web Upload Folder
2007-08-15 10:29 82380 --a------ C:\WINDOWS\system32\drivers\AFS2K.SYS
2007-08-15 10:29 --------- d-------- C:\Program Files\Hewlett-Packard
2007-08-15 10:12 499712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-08-15 10:12 348160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-08-15 10:02 --------- d-------- C:\Documents and Settings\All Users\Application Data\QuickTime
2007-08-15 09:58 --------- d-------- C:\Program Files\Panasonic
2007-08-15 09:46 75932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-08-15 09:46 74396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-08-15 09:46 --------- d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-08-15 09:39 --------- d-------- C:\Program Files\Microsoft ActiveSync
2007-08-14 23:14 --------- d-------- C:\Program Files\microsoft frontpage
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-26 11:06 144704 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-07-26 10:53 524288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-26 10:53 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-26 10:53 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-26 10:53 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-26 10:50 81920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-26 10:50 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-26 10:50 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-26 10:50 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-26 10:50 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-26 10:50 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-26 10:49 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2004-03-11 13:27 40960 --a------ C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-14 22:14]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-11 04:19]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 20:00]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 20:00]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 20:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 20:15]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06]
"Power2GoExpress"="C:\Program Files\CyberLink DVD Solution\Power2Go\Power2GoExpress.exe" [2004-05-04 10:22]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-06-27 01:20:58]
LUMIX Simple Viewer.lnk - C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2007-08-15 09:56:17]
officejet 6100.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2002-06-27 01:21:30]

C:\Documents and Settings\Kelv\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2007-08-17 06:00:00]
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2002-06-27 01:20:58]
LUMIX Simple Viewer.lnk - C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2007-08-15 09:56:17]
officejet 6100.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2002-06-27 01:21:30]

R1 cdrbsvsd;cdrbsvsd;C:\WINDOWS\system32\drivers\cdrbsvsd.sys
S3 Slnt7554;USB Soft Modem Driver;C:\WINDOWS\system32\DRIVERS\slnt7554.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-24 02:57:04 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1187145296.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-27 10:43:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-27 10:43:51
C:\ComboFix-quarantined-files.txt ... 2007-09-27 10:43
C:\ComboFix2.txt ... 2007-09-26 16:23
.
--- E O F ---

Code:
2007-09-25 08:33      27466    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\taskmar.exe.vir


Folder PATH listing
Volume serial number is BCA6-1CBD
C:\QOOBOX\QUARANTINE
+---C
|   +---ComboFix
|   \---WINDOWS
|       \---system32
|               taskmar.exe.vir
|               
\---Registry_backups

Kaspersky scan report

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, September 27, 2007 12:00:33 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 27/09/2007
Kaspersky Anti-Virus database records: 423857
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 33010
Number of viruses found: 2
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 00:29:43

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\Kelv\LOCALS~1\Temp\ga.vbs Infected: Trojan.VBS.Runner.w skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Kelv\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Kelv\Desktop\Applications\SmitfraudFix\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Kelv\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Kelv\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Kelv\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kelv\Local Settings\History\History.IE5\MSHist012007092720070928\index.dat Object is locked skipped
C:\Documents and Settings\Kelv\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kelv\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Kelv\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F1EF07DF-7495-471A-85F4-9CBB9FC2D35F}\RP3\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\KELVIN.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped