Tech Support Forum - Resolved HJT Threads (resolved spyware and popup issues)
#1
Registered User
Join Date: Jun 2006
Location: Bronx, NY
Posts: 22
OS: Windows XP home SP2
Pc tools finds virtumonde but vundo fix doesn't
Hi,
I'm hoping someone can help me with this. For the past few months I've been plagued with something called Real Spy Monitor. Only System Mechanic can find it and delete it, but it keeps coming back. And no, my husband isn't spying on me. Heh. Anyhow, I got PC Tools Spyware Doctor in a Google Pack download. I just wanted the search engine for IE, but somehow I got PC Tools too. I figured I'd use its SCAN feature, and it found something called Trojan Virtumonde. I selected "remove", but it wasn't removed, because I did another scan a few minutes later and it showed up again. Then I removed it again and scanned a third time, and the scan result was clean. Anyhow, I got another trojan at 5:30am Saturday morning (crap) from clicking a link on a website. Avast caught that one and I moved it to the chest and then deleted it. But something of it was left behind, and afterwards Avast was prevented from updating. Also SpywareGuard couldn't update. (Is this too much detail?) Anyhow, ddayv.exe and ddayv.dll were in my system32 folder, created at 5:30am Saturday morning, so I knew it was connected. I downloaded VundoFix.exe and it found about 6 files but couldn't get rid of one of them and froze my PC. (I finally got out of the freeze and got rid of the file in Safe Mode.) I still couldn't update Avast, though, so I finally reformatted the hard drive (destructive restore) to start fresh. After the reformat and reinstall of a bunch of programs, Real Spy Monitor was back on my PC. I got rid of it with System Mechanic and downloaded Spyware Doctor again, and it reported 11 instances of infections due to Virtumonde but wouldn't remove them this time. I downloaded VundoFix.exe again and ran a scan, and it didn't find any files this time. Is Spyware Doctor jerking me around to get me to buy the program, or am I infected again? Thanks for your help.
HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:35:55 AM, on 12/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\American Systems\EZ Scheduler\ezscheduler.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Not Programs\hijackthis\HijackThis.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [EZ Scheduler] C:\Program Files\American Systems\EZ Scheduler\ezscheduler.exe /m
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1199027622015
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

Last edited by intanet : 12-31-2007 at 02:58 AM.
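Reading a HijackThis log by eye, as the analysts in this section do, means picking the few interesting items out of dozens of routine ones. The Python below is an added example, not code from the thread, from HijackThis, or from Deckard's System Scanner: it parses the log format posted above into its process list and its R/F/N/O items, collects the CLSIDs those items reference, and pulls out the lines a reviewer would look at first. The section-code regex, the `Item`/`HjtLog` classes and the three triage rules are this example's own assumptions about the format and are not HijackThis rules; the sample log is constructed from a handful of lines taken from the log in this post.

```python
import re
from dataclasses import dataclass, field

# A HijackThis item line: a section code such as R0, O2, O4, O23, then " - ", then the body.
ITEM_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")
# COM class ids as they appear in O2/O9/O16/O18 items, e.g. {549B5CA7-4A86-11D7-A4DF-000874180BB3}
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A Windows path as listed under "Running processes:"
PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Item:
    section: str   # "O2", "O23", ...
    body: str      # everything after the " - "


@dataclass
class HjtLog:
    processes: list = field(default_factory=list)
    items: list = field(default_factory=list)


def parse_hjt(text: str) -> HjtLog:
    """Split a pasted HijackThis log into its process list and its item lines."""
    log = HjtLog()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        m = ITEM_RE.match(line)
        if m:
            in_processes = False          # the first R/F/N/O item ends the process list
            log.items.append(Item(m.group("section"), m.group("body")))
        elif in_processes and PATH_RE.match(line):
            log.processes.append(line)
    return log


def extract_clsids(log: HjtLog) -> set:
    """All CLSIDs referenced by items, upper-cased so the same id compares equal regardless of case."""
    return {c.upper() for item in log.items for c in CLSID_RE.findall(item.body)}


def triage(log: HjtLog) -> list:
    """Pick out the items a reviewer looks at first. These heuristics are this example's own."""
    findings = []
    for item in log.items:
        if item.section == "O2" and item.body.endswith("(no file)"):
            # A BHO registration whose DLL is gone: an orphaned leftover, worth cleaning up.
            findings.append(("orphan-bho", item.body))
        elif item.section == "O23" and item.body.endswith("(file missing)"):
            # A service whose binary HijackThis could not resolve; verify the path by hand.
            findings.append(("service-file-missing", item.body))
        elif item.section == "O20":
            # Winlogon Notify DLLs load into winlogon.exe at boot; always list them for manual review.
            findings.append(("review-winlogon-notify", item.body))
    return findings


# Constructed sample: a handful of lines taken from the log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 6:35:55 AM, on 12/31/2007
Running processes:
C:\WINDOWS\System32\smss.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

if __name__ == "__main__":
    log = parse_hjt(SAMPLE_LOG)
    print(f"{len(log.processes)} processes, {len(log.items)} items, {len(extract_clsids(log))} CLSIDs")
    for kind, body in triage(log):
        print(f"[{kind}] {body}")
```

The triage output is a worklist, not a verdict: in this very thread the two avast! services that HijackThis 1.99.1 reports as "(file missing)" are listed normally by the HijackThis 2.0.2 clone inside the Deckard report further down, so a flagged O23 line means "check the path", and an O20 entry such as the Intel igfxcui DLL is listed only so a reviewer sees it. The CLSID set is what you would compare against a list of known-good class ids before deciding which orphaned O2 entries to fix.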
#3
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,584
OS: Windows XP Pro
Re: Pc tools finds virtumonde but vundo fix doesn't
Hello intanet,
Have you taken the time to familiarize yourself with the following sticky before posting? Please go through the 5 steps outlined in the link below and post back the requested logs in this thread.

(Updated!) IMPORTANT - Read This Before Posting A Log

Note: We are extremely busy in this section of the forum, so please be patient while you wait for an analyst to review your thread.
#4
Registered User
Join Date: Jun 2006
Location: Bronx, NY
Posts: 22
OS: Windows XP home SP2
Re: Pc tools finds virtumonde but vundo fix doesn't
No. Sorry. I did not read the sticky thing. Thank you so much for the link to the 5 steps. I had one of those programs installed called "Viewpoint Media". I uninstalled it and followed the other steps except for the Panda Scan, which I'll have to do later. And yes, I will be patient. I am very appreciative that there is a site like this that has people who take the time to help others.

Last edited by intanet : 12-31-2007 at 11:15 AM.
#5
Registered User
Join Date: Jun 2006
Location: Bronx, NY
Posts: 22
OS: Windows XP home SP2
Re: Pc tools finds virtumonde but vundo fix doesn't
Got a clean bill of health from Panda Scan. Problem though. I couldn't get the report. I had to turn Avast off for the reasons mentioned in the thread you gave me the link to. I also turned off my DSL modem (since I was not protected by AV program during the Panda Scan). But after the scan, which said that "no viruses or other malicious software have been found!" there was no option to get the report. I connected to the internet again but couldn't find a link for the report. I then clicked "refresh" on the browser and lost the page altogether and it starts from scratch again. Anyhow they assured there were no viruses etc. I scanned all my drives, including my external one. (I have the C partitioned into C and D and also an external one).
Again, thank you for your help. P.S. I'm not sure if I am supposed to post the Deckard's HijackThis log also, so I'll post it just in case you need that one too. After that, I will post the Deckard main.txt log and attach the extra.txt.

HIJACKTHIS LOG:

Logfile of HijackThis v1.99.1
Scan saved at 1:38:05 AM, on 1/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\American Systems\EZ Scheduler\ezscheduler.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\Downloads\Deckard's System Scanner\dss.exe
C:\NOTPRO~1\HIJACK~1\Owner.exe
C:\WINDOWS\system32\rundll32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [EZ Scheduler] C:\Program Files\American Systems\EZ Scheduler\ezscheduler.exe /m
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1199027622015
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

Here is the main.txt report from DECKARD:

Deckard's System Scanner v20071014.68
Run by Owner on 2008-01-01 01:34:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
9: 2008-01-01 06:34:51 UTC - RP21 - Deckard's System Scanner Restore Point
8: 2007-12-31 18:13:15 UTC - RP20 - Installed Ad-Aware 2007
7: 2007-12-31 16:46:52 UTC - RP19 - Installed Windows Media Player 10
6: 2007-12-31 13:09:04 UTC - RP18 - Installed Windows Media Format 9 Series Runtime Setup
5: 2007-12-31 12:20:16 UTC - RP17 - Installed Java(TM) 6 Update 3

-- First Restore Point --
1: 2007-12-31 13:18:03 UTC - RP13 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Owner.exe) -----------------------------------------------

Unable to find log (file not found); running clone.

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-01-01 01:36:16
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconEM.exe
C:\Program Files\American Systems\EZ Scheduler\EZScheduler.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\Downloads\Deckard's System Scanner\dss.exe
C:\NOT PROGRAMS\hijackthis\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [EZ Scheduler] C:\Program Files\American Systems\EZ Scheduler\ezscheduler.exe /m
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - CmdMapping - (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1199027622015
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 5479 bytes

-- HijackThis Fixed Entries (C:\NOTPRO~1\HIJACK~1\backups\) --------------------

backup-20050822-040133-463 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
backup-20050822-040246-774 O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
backup-20070429-060323-710 O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

-- File Associations -----------------------------------------------------------

.txt - txtfile - DefaultIcon - C:\Not Programs\Metapad 2\metapad 2.exe,0
.txt - txtfile - shell\open\command - "C:\Not Programs\Metapad 2\metapad 2.exe" %1

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 CDRPDACC (Quinnware CDDA Driver (by InfinaDyne)) - c:\program files\quintessential player\cdrpdacc.sys <Not Verified; Arrowkey; CD Device Access>
R3 SunkFilt (Alcor Micro Corp - 9360) - c:\windows\system32\drivers\sunkfilt.sys <Not Verified; Alcor Micro Corp.; SunkFilt>
S3 SunkFilt39 (Alcor Micro Corp - 3239) - c:\windows\system32\drivers\sunkfilt39.sys <Not Verified; Alcor Micro Corp.; SunkFilt39>
S3 Sunkfiltp (HP && Alcor Micro Corp for Phison) - c:\windows\system32\drivers\sunkfiltp.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2007-12-30 08:56:14 390 --a------ C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1199022921.job
2007-12-30 08:21:45 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 3.job
2007-12-30 08:21:45 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 2.job

-- Files created between 2007-12-01 and 2008-01-01 -----------------------------

2007-12-31 22:16:56 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-12-31 22:16:54 0 d-------- C:\WINDOWS\LastGood
2007-12-31 13:19:00 0 dr-h----- C:\Documents and Settings\Owner\Recent
2007-12-31 13:13:16 0 d-------- C:\Program Files\Lavasoft
2007-12-31 13:13:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-31 13:12:35 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-31 13:07:13 0 d--h----- C:\WINDOWS\PIF
2007-12-31 12:58:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-31 12:37:12 0 d-------- C:\ie-spyad_zo
2007-12-31 11:46:53 0 d-------- C:\WINDOWS\RegisteredPackages
2007-12-31 08:09:11 101888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL <Not Verified; Microsoft Corporation; Microsoft® Visual Basic pour Windows>
2007-12-31 08:09:11 119568 --a------ C:\WINDOWS\system32\VB6FR.DLL <Not Verified; Microsoft Corporation; Environnement Visual Basic>
2007-12-31 08:09:11 21504 --a------ C:\WINDOWS\system32\TABCTFR.DLL <Not Verified; Microsoft Corporation; Bibliothèque d'objets TabCtl32>
2007-12-31 08:09:11 141312 --a------ C:\WINDOWS\system32\MSCMCFR.DLL <Not Verified; Microsoft Corporation; COMCTL>
2007-12-31 08:09:11 59904 --a------ C:\WINDOWS\system32\Mscc2fr.dll <Not Verified; Microsoft Corporation; Bibliothèque d'objets de Microsoft Common Controls 2>
2007-12-31 08:09:11 15360 --a------ C:\WINDOWS\system32\inetfr.DLL <Not Verified; Microsoft Corporation; DLL du contrôle Microsoft Internet Transfer>
2007-12-31 08:09:10 32768 --a------ C:\WINDOWS\system32\CMDLGFR.DLL <Not Verified; Microsoft Corporation; CMDIALOG>
2007-12-31 08:09:10 0 d-------- C:\Program Files\Free Audio Pack
2007-12-31 08:05:27 0 d-------- C:\Program Files\Common Files\xing shared
2007-12-31 08:04:13 0 d-------- C:\Documents and Settings\Owner\Application Data\Real
2007-12-31 07:43:27 0 d-------- C:\Drivers
2007-12-31 07:20:21 0 d-------- C:\Program Files\Java
2007-12-31 07:20:19 0 d-------- C:\Program Files\Common Files\Java
2007-12-31 07:12:54 164352 --a------ C:\WINDOWS\system32\unrar.dll
2007-12-31 07:12:51 217088 --a------ C:\WINDOWS\system32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec>
2007-12-31 07:12:51 564224 --a------ C:\WINDOWS\system32\x264vfw.dll
2007-12-31 07:12:51 630784 --a------ C:\WINDOWS\system32\vp7vfw.dll <Not Verified; On2.com; On2_VP70>
2007-12-31 07:12:51 438272 --a------ C:\WINDOWS\system32\vp6vfw.dll <Not Verified; On2.com; On2_VP6>
2007-12-31 07:12:51 144384 --a------ C:\WINDOWS\system32\Iacenc.dll <Not Verified; Intel Corporation; Indeo® audio software>
2007-12-31 07:12:51 39936 --a------ C:\WINDOWS\system32\huffyuv.dll <Not Verified; Disappearing Inc.; Huffyuv>
2007-12-31 07:12:50 282624 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-12-31 07:12:50 1559040 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-12-31 07:12:49 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-12-31 07:12:49 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-12-31 07:12:49 682496 --a------ C:\WINDOWS\system32\divx.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-31 07:12:48 7680 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-12-31 07:12:46 0 d-------- C:\Program Files\K-Lite Codec Pack
2007-12-31 07:08:06 0 d-------- C:\Documents and Settings\Owner\Application Data\Media Player Classic
2007-12-31 05:25:22 0 d-------- C:\VundoFix Backups
2007-12-31 05:08:19 0 d-------- C:\Documents and Settings\Owner\Application Data\Google
2007-12-31 05:01:14 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-31 04:57:21 0 d-------- C:\Program Files\Google
2007-12-31 02:29:25 0 d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-12-31 02:29:09 0 d-------- C:\Program Files\Common Files\Adobe
2007-12-31 00:07:57 0 d-------- C:\Documents and Settings\Owner\Application Data\Macromedia
2007-12-31 00:07:56 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2007-12-31 00:07:46 1158 --a------ C:\WINDOWS\mozver.dat
2007-12-30 13:54:52 0 d-------- C:\Documents and Settings\Owner\Application Data\Opera
2007-12-30 13:54:45 0 d-------- C:\Program Files\Opera
2007-12-30 12:48:48 113664 --a------ C:\WINDOWS\system32\ThesDb32.dll <Not Verified; Wintertree Software Inc.; ThesDB Thesaurus Engine>
2007-12-30 12:48:48 115712 --a------ C:\WINDOWS\system32\Ssce4132.dll <Not Verified; Wintertree Software Inc.; Sentry Spelling-Checker Engine>
2007-12-30 12:48:47 0 d-------- C:\Cetus
2007-12-30 12:48:08 299520 --a------ C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
2007-12-30 12:42:31 0 d-------- C:\Program Files\SpywareBlaster
2007-12-30 12:41:38 0 d-------- C:\Program Files\SpywareGuard
2007-12-30 11:50:01 0 d-------- C:\Program Files\e-Sword
2007-12-30 11:46:27 0 d-------- C:\BIBLE
2007-12-30 11:42:52 702464 --a------ C:\WINDOWS\system32\Incinerator.dll <Not Verified; iolo technologies, LLC; incinerator>
2007-12-30 11:42:52 17857 --a------ C:\WINDOWS\system32\drivers\SGuard.sys <Not Verified; iolo technologies, LLC; Startup Guard™ Registry Driver>
2007-12-30 11:42:48 25264 --a------ C:\WINDOWS\system32\smrgdf.exe
2007-12-30 11:42:48 30942 --a------ C:\WINDOWS\system32\iolobtdfg.exe
2007-12-30 11:42:47 0 d-------- C:\Program Files\iolo
2007-12-30 11:41:45 0 d-------- C:\SAVED DOWNLOADS
2007-12-30 11:12:10 0 d-------- C:\Program Files\IrfanView
2007-12-30 11:11:31 0 d-------- C:\Documents and Settings\Owner\Application Data\XnView
2007-12-30 11:10:05 0 d-------- C:\Program Files\Quintessential Player
2007-12-30 10:48:07 0 d-------- C:\Program Files\Audacity
2007-12-30 10:42:38 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2007-12-30 10:36:06 0 d---s---- C:\My Songs
2007-12-30 10:19:52 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-30 10:19:48 0 d-------- C:\Program Files\Windows Live
2007-12-30 10:19:37 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-30 10:14:49 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-12-30 10:05:45 0 d---s---- C:\Documents and Settings\Owner\UserData
2007-12-30 09:50:13 0 d-------- C:\Program Files\Alwil Software
2007-12-30 09:33:51 209920 --a------ C:\WINDOWS\amuninst.exe <Not Verified; American Systems; SETUP Application>
2007-12-30 09:33:51 0 d-------- C:\Program Files\American Systems
2007-12-30 09:31:25 0 d-------- C:\Program Files\WinAVI Video Converter
2007-12-30 09:22:22 0 d-------- C:\Program Files\Online Bible
2007-12-30 09:18:26 0 d-------- C:\Documents and Settings\Owner\Application Data\U3
2007-12-30 09:02:36 0 d-------- C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2007-12-30 09:01:41 0 d-------- C:\WINDOWS\pss
2007-12-30 09:01:23 0 d-------- C:\Program Files\OpenOffice.org 2.2
2007-12-30 09:00:57 0 d-------- C:\Documents and Settings\Owner\Application Data\Sun
2007-12-30 08:57:25 0 d-------- C:\NOT PROGRAMS
2007-12-30 08:56:10 0 d-------- C:\Documents and Settings\Owner\Application Data\Hewlett-Packard
2007-12-30 08:53:52 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-12-30 08:53:04 0 d-------- C:\Program Files\Hewlett-Packard
2007-12-30 08:52:17 16606 --------- C:\WINDOWS\hpomdl01.dat
2007-12-30 08:52:17 19558 --a------ C:\WINDOWS\hpoins01.dat
2007-12-30 08:21:43 0 d-------- C:\Documents and Settings\Default User\WINDOWS
2007-12-30 08:21:43 0 d-------- C:\Documents and Settings\Default User\Application Data\SampleView
2007-12-30 08:21:43 0 d-------- C:\Documents and Settings\Default User\Application Data\McAfee
2007-12-30 08:21:43 0 d-------- C:\Documents and Settings\Default User\Application Data\Identities
2007-12-30 08:15:56 0 d-------- C:\Documents and Settings\Owner\Application Data\SampleView
2007-12-30 08:15:18 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-30 08:15:09 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-12-30 08:14:16 0 d-------- C:\Program Files\Digital Media Reader
2007-12-30 08:14:06 0 d-------- C:\WINDOWS\Downloaded Installations
2007-12-30 08:13:52 67072 --a------ C:\WINDOWS\POWERCFG.EXE <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-12-30 08:13:51 20480 --a------ C:\WINDOWS\system32\Marker32.exe <Not Verified; Gateway; Marker32>
2007-12-30 08:12:38 262144 --a------ C:\Documents and Settings\All Users\NTUSER.DAT
2007-12-30 08:12:19 0 d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2007-12-30 08:12:17 0 d-------- C:\Program Files\CyberLink
2007-12-30 08:11:56 471300 --a------ C:\WINDOWS\wallpe.exe <Not Verified; ; wallpe>
2007-12-30 08:11:39 76288 -ra------ C:\WINDOWS\system32\PUBOLE32.DLL <Not Verified; Microsoft Corporation; Microsoft Publisher for Windows>
2007-12-30 08:11:39 212480 -ra------ C:\WINDOWS\system32\PCDLIB32.DLL <Not Verified; Eastman Kodak; Kodak Photo CD Access Developer Toolkit>
2007-12-30 08:11:39 37888 -ra------ C:\WINDOWS\system32\ochlp30e.dll <Not Verified; Microsoft Corporation; Microsoft Multimedia Controls>
2007-12-30 08:11:39 82432 --a------ C:\WINDOWS\system32\msxml4r.dll <Not Verified; Microsoft Corporation; Microsoft(R) MSXML 4.0 SP1>
2007-12-30 08:11:39 1233920 --a------ C:\WINDOWS\system32\msxml4.dll <Not Verified; Microsoft Corporation; Microsoft(R) MSXML 4.0 SP 2>
2007-12-30 08:11:39 91136 -ra------ C:\WINDOWS\system32\msls2.dll <Not Verified; Microsoft Corporation; Microsoft® Line Services>
2007-12-30 08:11:39 31744 -ra------ C:\WINDOWS\system32\hlp95en.dll <Not Verified; Microsoft Corporation; Microsoft Office>
2007-12-30 08:11:23 0 d-------- C:\Program Files\Microsoft Works
2007-12-30 08:11:19 0 d-------- C:\Program Files\Common Files\New Boundary
2007-12-30 08:11:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Prism Deploy
2007-12-30 08:11:03 18000 --a------ C:\WINDOWS\BigFixClientOverride.dll <Not Verified; BigFix, Inc.; BigFix>
2007-12-30 08:10:53 53248 --a------ C:\WINDOWS\system32\NeroCo.dll <Not Verified; Ahead Software AG im Stoeckmaedle 18 76307 Karlsbad, Germany Fax: ++49-7248-911-888 e-mail: info@nero.com; Nero Burning Rom>
2007-12-30 08:10:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Pure Networks
2007-12-30 08:10:29 368912 --a------ C:\WINDOWS\system32\vbar332.dll <Not Verified; Microsoft Corporation; Microsoft Visual Basic for Applications>
2007-12-30 08:10:29 102400 --a------ C:\WINDOWS\system32\SimpleRegistry.dll <Not Verified; 4Developers LLC; SimpleRegistry Control>
2007-12-30 08:10:29 118784 --a------ C:\WINDOWS\system32\Msstdfmt.dll <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2007-12-30 08:10:29 10752 --a------ C:\WINDOWS\system32\aamd532.dll <Not Verified; Almeida & Andrade Ltda; MD5 Maker DLL>
2007-12-30 08:10:25 106496 --a------ C:\WINDOWS\system32\TwnLib20.dll <Not Verified; Pegasus Software; TWNLIB20>
2007-12-30 08:10:25 0 d-------- C:\WINDOWS\occache
2007-12-30 08:10:25 0
d-------- C:\Program Files\Learn2.com 2007-12-30 08:10:23 38912 --a------ C:\WINDOWS\system32\picn20.dll <Not Verified; Pegasus Imaging Corp.; PEGASUS> 2007-12-30 08:10:23 544768 --a------ C:\WINDOWS\system32\imagx5.dll <Not Verified; Pegasus Software, LLC; ImagXpress> 2007-12-30 08:10:23 569344 --a------ C:\WINDOWS\system32\imagr5.dll <Not Verified; Pegasus Software,LLC; ImagXpress> 2007-12-30 08:10:22 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe <Not Verified; Ahead Software Gmbh; Ahead Software Gmbh NeroCheck> 2007-12-30 08:10:22 0 d-------- C:\Program Files\Common Files\Ahead 2007-12-30 08:10:18 0 d-------- C:\Program Files\Ahead 2007-12-30 08:10:15 86016 --a------ C:\WINDOWS\unvise32qt.exe <Not Verified; MindVision; Installer VISE 2.8.3> 2007-12-30 08:10:10 0 d-------- C:\WINDOWS\system32\QuickTime 2007-12-30 08:10:10 0 d-------- C:\Program Files\QuickTime 2007-12-30 08:10:10 0 d-------- C:\Documents and Settings\All Users\Application Data\QuickTime 2007-12-30 08:10:07 0 d-------- C:\Program Files\Common Files\Nullsoft 2007-12-30 08:10:02 8552 --a------ C:\WINDOWS\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver> 2007-12-30 08:10:02 0 d---s---- C:\My Music 2007-12-30 08:10:00 0 d-------- C:\Program Files\Real 2007-12-30 08:10:00 0 d-------- C:\Program Files\Common Files\Real 2007-12-30 08:09:42 1044480 --a------ C:\WINDOWS\system32\roboex32.dll <Not Verified; eHelp Corporation.; RoboHELP for WinHelp 9> 2007-12-30 08:09:42 54784 --a------ C:\WINDOWS\system32\Inetwh32.dll <Not Verified; Blue Sky Software Corporation.; Blue Sky Software - INETWH32> 2007-12-30 08:09:27 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL 2007-12-30 08:09:19 0 d-------- C:\Program Files\Common Files\AOL 2007-12-30 08:09:18 335 --a------ C:\WINDOWS\nsreg.dat 2007-12-30 08:08:35 0 d-------- C:\WINDOWS\system32\URTTemp 2007-12-30 08:08:13 0 d-------- C:\Program Files\Microsoft Money 2007-12-30 08:08:01 0 
d-------- C:\Program Files\MSN Encarta Plus 2007-12-30 08:05:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec 2007-12-30 08:05:25 0 d-------- C:\Program Files\Intel 2007-12-30 08:04:53 0 d-------- C:\WINDOWS\system32\ReinstallBackups 2007-12-30 08:04:52 0 d--h----- C:\Program Files\InstallShield Installation Information 2007-12-30 08:04:50 0 d-------- C:\Program Files\Common Files\InstallShield 2007-12-30 08:03:22 0 d-------- C:\Program Files\CONEXANT 2007-12-30 08:01:41 0 d--hs---- C:\System Volume Information 2007-12-30 08:00:08 60 --a------ C:\WINDOWS\system32\SYSDRV.DAT 2007-12-30 08:00:07 0 d-------- C:\WINDOWS\creator 2007-12-30 08:00:04 0 d-------- C:\WINDOWS\SMINST 2007-12-30 07:59:45 0 dr------- C:\Program Files 2007-12-30 07:59:38 0 dr------- C:\Documents and Settings\Owner\Start Menu 2007-12-30 07:59:38 0 dr-h----- C:\Documents and Settings\Owner\SendTo 2007-12-30 07:59:38 0 dr------- C:\Documents and Settings\Owner\My Documents 2007-12-30 07:59:37 0 dr------- C:\Documents and Settings\Owner\Favorites 2007-12-30 07:59:37 0 dr-h----- C:\Documents and Settings\Owner\Application Data 2007-12-30 07:59:37 0 dr------- C:\Documents and Settings\Default User\Start Menu 2007-12-30 07:59:37 0 dr-h----- C:\Documents and Settings\Default User\SendTo 2007-12-30 07:59:37 0 d--h----- C:\Documents and Settings\Default User\Local Settings 2007-12-30 07:59:37 0 dr-h----- C:\Documents and Settings\Default User\Application Data 2007-12-30 07:59:36 0 dr------- C:\Documents and Settings\All Users\Start Menu 2007-12-30 07:59:36 0 dr------- C:\Documents and Settings\All Users\Documents 2007-12-30 07:59:36 0 dr-h----- C:\Documents and Settings\All Users\Application Data 2007-12-30 07:59:22 0 dr------- C:\WINDOWS\Offline Web Pages 2007-12-30 07:57:26 0 dr-hs--c- C:\WINDOWS\system32\dllcache -- Find3M Report --------------------------------------------------------------- 2007-12-31 13:12:35 0 d-------- C:\Program Files\Common Files 2007-11-29 16:50:20 
4096 --a------ C:\WINDOWS\system32\sysres.dll 2007-11-29 16:50:20 38567 --a------ C:\WINDOWS\system32\pcpbios.exe -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [09/13/2002 03:42 PM] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 02:50 PM] "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [10/31/2003 10:42 PM] "SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [10/18/2004 05:05 PM] "@"="" [] "EZ Scheduler"="C:\Program Files\American Systems\EZ Scheduler\ezscheduler.exe" [04/03/2001 03:34 PM] "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 08:00 AM] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 01:11 AM] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [12/31/2007 08:05 AM] C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [8/29/2003 7:05:35 PM] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk] path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk backup=C:\WINDOWS\pss\hpoddt01.exe.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared 
tools\msconfig\startupreg\HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray] C:\WINDOWS\system32\igfxtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background *Newly Created Service* - RKPAVPROC *Newly Created Service* - UMWDF -- End of Deckard's System Scanner: finished at 2008-01-01 01:38:52 ------------ |
|
|
|
|
#6
Analyst, Security Team
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,584
OS: Windows XP Pro
Re: Pc tools finds virtumonde but vundo fix doesn't
Hi intanet,
Panda won't give you a log if your system is clean. I'm only seeing a few things in your logs, which need to be taken care of. Also, is System Mechanic still finding "Real Spy Monitor", and where does it say it is located on your system?

--------------------------------------------------------------

Please copy this page to Notepad and save to your desktop for reference, as you will not have any browsers open while you are carrying out portions of these instructions. Also be sure to carry out the instructions in the sequence listed below.

--------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (if they still exist; make sure you do not miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O9 - Extra button: (no name) - CmdMapping - (file missing)

Please remember to close all other windows, including browsers, then click Fix checked.

--------------------------------------------------------------

Download Combofix from Here or Alternate link. **Save it directly to your desktop.**

Double click on combofix.exe & follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Warning: Do not mouse-click Combofix's window whilst it's running. That may cause it to stall.

A log will be produced that will ultimately be named C:\ComboFix.txt. I'll need that in your next reply.

--------------------------------------------------------------

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner. Answer Yes when prompted to install an ActiveX component.

--------------------------------------------------------------

Please reply back with the following logs:
Answer to question
C:\ComboFix.txt
Kaspersky Online Scan Results
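As an added illustration (not code from this thread, from HijackThis or from Deckard's System Scanner): the triage rule the analyst applied in the reply above, written as a small Python checker that flags the same three entry types (R0 start page reset to about:blank, O2 BHO with "(no file)", O9 button with "(file missing)") and cross-checks a flagged BHO CLSID against a DSS-style registry dump. The sample log lines, the "Example Helper" path and the all-digits placeholder CLSID are constructed; only the three flagged entries are taken from the reply.

```python
"""Triage of HijackThis-style log lines, as in the analyst's reply.

Flags the three classes of entry the poster was told to fix:
  R0  Internet Explorer start page reset to about:blank
  O2  Browser Helper Object whose DLL is gone ("(no file)")
  O9  Extra toolbar button whose target is gone ("(file missing)")
and cross-checks a flagged BHO CLSID against a DSS-style registry dump.
"""
import re
from dataclasses import dataclass

# Constructed sample lines. Entries 1, 3 and 5 are the ones quoted in the
# reply; the others are benign neighbours with a placeholder path and a
# placeholder CLSID so the filter has something it must leave alone.
SAMPLE_HJT_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://www.google.com
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\helper.dll
O9 - Extra button: (no name) - CmdMapping - (file missing)
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
"""

# Constructed excerpt in the shape of a DSS "Registry Dump" section.
SAMPLE_REGISTRY_DUMP = """\
[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe" [12/04/2007 08:00 AM]
"""

R0_RE = re.compile(r"^(R[01]) - (?P<key>.+?) = (?P<value>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O9_RE = re.compile(r"^O9 - Extra button: (?P<name>.+?) - (?P<id>.+?) - (?P<path>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass
class Finding:
    section: str   # HijackThis section tag: R0, O2 or O9
    ident: str     # registry value name, CLSID, or button id
    reason: str
    line: str


def triage_hjt(log_text: str) -> list[Finding]:
    """Return the entries a helper would tick in 'Do a System Scan Only'."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = R0_RE.match(line)
        if m and m.group("value").lower() == "about:blank":
            findings.append(Finding(m.group(1), m.group("key"),
                                    "IE start page reset to about:blank", line))
            continue
        m = O2_RE.match(line)
        if m and m.group("path").lower() == "(no file)":
            findings.append(Finding("O2", m.group("clsid"),
                                    "BHO registered but its DLL is absent", line))
            continue
        m = O9_RE.match(line)
        if m and m.group("path").lower() == "(file missing)":
            findings.append(Finding("O9", m.group("id"),
                                    "extra button whose target file is missing", line))
    return findings


def bho_keys_in_dump(dump_text: str) -> set[str]:
    """CLSIDs registered under 'Browser Helper Objects' in a DSS registry dump."""
    keys = set()
    for line in dump_text.splitlines():
        if "Browser Helper Objects" in line:
            m = CLSID_RE.search(line)
            if m:
                keys.add(m.group(0).upper())
    return keys


def orphaned_bhos(log_text: str, dump_text: str) -> list[str]:
    """CLSIDs HijackThis reports as '(no file)' that the DSS dump still shows
    as registered keys: the same orphan confirmed by two independent tools."""
    registered = bho_keys_in_dump(dump_text)
    return sorted(f.ident.upper() for f in triage_hjt(log_text)
                  if f.section == "O2" and f.ident.upper() in registered)


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
    print("orphaned BHOs confirmed in registry dump:",
          orphaned_bhos(SAMPLE_HJT_LOG, SAMPLE_REGISTRY_DUMP))
```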
#7
Registered User
Join Date: Jun 2006
Location: Bronx, NY
Posts: 22
OS: Windows XP home SP2
Re: Pc tools finds virtumonde but vundo fix doesn't
Thank you for your very clear instructions as well as the time you took to post all that information. Ok, here's the lowdown...

To answer your question: System Mechanic finds Real Spy Monitor from time to time and lists it as "Miscellaneous", although once I think it listed it in the "Keylogger" category. I ran a check on the internet and it is, in fact, a keylogger. System Mechanic doesn't tell you where it is. It just offers to remove it. Sometimes it's there and sometimes it's not. Hasn't been back in the last 4 scans, which I did yesterday and today. I have to scan at least 4 times a week to check for it but, because of my recent problems, I have been checking for it more often. System Mechanic tells you to close all opened programs and then remove it, otherwise it can get integrated or something like that. I do my best closing programs but apparently, it gets back on from somewhere. I even close my antivirus and internet connection when having them remove it. Another thing, it's odd to me that Spybot never finds it.

HijackThis: I found only one of the keys you asked me to check for in HijackThis. It was the key named:
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
I selected "fix it". R0 - HKCU ....about:blank wasn't there in the HijackThis scan and neither was the CmdMapping Extra button one.

Another thing, SpywareGuard alerted me about a BHO attempting to change my search engine choice in IE while Combofix was just beginning its scan. I didn't know what to do so I made no selection and just closed the SpywareGuard window.

Anyhow... Following is the Combofix log and after that the Kaspersky results. Thanks again.