Tech Support Forum thread (6 posts). Status: not open for further replies.

Discussion Starter (Registered, 7 Posts) · #1 ·
I can start the spyware scans, even the online ones, but they won't finish or will lock up during scan. Parts of some program load pages are missing (looks like holes in the page). I did find 2 trojans on here, but I don't think Adaware got it all. (It's the only scanner that will actually finish). Could someone take a look? Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 9:28:11 PM, on 12/14/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINDOWS\system32\cleanmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onearrow.net/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {3ABFC94F-214F-418C-49F7-3E137E255CC8} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A3C48CC5-FDB6-78F7-4E35-5760D5EA1910} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\Ontrack\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB002" /M "Stylus Photo R300"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141757013609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149645206937
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{976068F3-86FC-4970-82C3-DA387F847D59}: NameServer = 192.168.1.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SystemSuite Task Manager - Ontrack Data International - C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 

Reply (Registered, 2,506 Posts) · #2 ·
Hello, and welcome to the HijackThis Help Forum.

Apologies for any delay in replying, but we have been rather busy lately.

Since it has been a few days since you first posted, please post a fresh HijackThis Log if you still need assistance.

Thank you.
 

Discussion Starter (Registered, 7 Posts) · #3 ·
New log. Same problems.

Yes, I still do. Thank you for checking this. I did run Windows check disk at startup and it caught a couple of problems, but all scanners except Adaware have been disabled by something. Here's the new log:

Logfile of HijackThis v1.99.1
Scan saved at 8:04:55 AM, on 12/17/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onearrow.net/
O2 - BHO: (no name) - {3ABFC94F-214F-418C-49F7-3E137E255CC8} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A3C48CC5-FDB6-78F7-4E35-5760D5EA1910} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\Ontrack\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB002" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [sysvx.exe] C:\WINDOWS\System32\sysvx.exe
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141757013609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149645206937
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{976068F3-86FC-4970-82C3-DA387F847D59}: NameServer = 192.168.1.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SystemSuite Task Manager - Ontrack Data International - C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 

Reply (Registered, 2,506 Posts) · #4 ·
You may wish to Subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools (above the first post), then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. If there is anything you don't understand, please ask BEFORE proceeding with the fixes. Please do these steps in order and do not skip any.

Unhide Files
Go to My Computer > Tools > Folder Options > View tab and select "Show hidden files and folders". Uncheck the "Hide protected operating system files (Recommended)" option. Also make sure there is no checkmark beside "Hide file extensions for known file types". Click OK.


Download CleanUp!
Download and install CleanUp! but do not run it yet. (alternate link if main link isn't working: http://www.greyknight17.com/spy/CleanUp.exe)

WARNING: CleanUp! deletes EVERYTHING out of temporary folders and does not make backups. If you have any documents or programs that are saved in any temporary folders, please make a backup of these before running CleanUp!

WARNING: Do not run cleanup under Windows XP x64 Edition. If you're not sure if you have the 64-bit version of Windows then you probably do not; however, you can check by using IE to download the whichcpu tool and then running it.


Download AVG Anti-Spyware
Please download, install, and update AVG Anti-Spyware.
  1. Load AVG Anti-Spyware and then click the Shield tab at the top
    • Click on the word active to change it to inactive.
  2. Click the Update tab at the top:
    • Under Manual update, click Start update. After the update finishes, the status bar at the bottom will display "Update successful". If you are having trouble updating, you can also download and run the manual updater.
    • Under Automatic update, change the Update interval to something more reasonable like 12 or 24 hours.
  3. Click the Scanner tab at the top and then the Settings sub-tab:
    • Under How to act?, click Recommended actions and select Quarantine.
    • Under Reports, select Automatically generate report after every scan
  4. Close AVG Anti-Spyware. Do not run a scan with it yet.


Uninstall
Click Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):
ViewPoint Manager
Please let me know if any of these were unable to uninstall.


Reboot
Reboot your system to Safe Mode by repeatedly tapping the F8 key until the menu appears and choosing Safe Mode from the list. On some systems, this may be the F5 key, so try that if F8 doesn't work. Log on with your usual account. Make sure to close any open windows.


HijackThis Fixes
Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they still exist (make sure you do not miss any):
O2 - BHO: (no name) - {3ABFC94F-214F-418C-49F7-3E137E255CC8} - (no file)
O2 - BHO: (no name) - {A3C48CC5-FDB6-78F7-4E35-5760D5EA1910} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [sysvx.exe] C:\WINDOWS\System32\sysvx.exe
Please remember to close all other windows, including browsers then click Fix checked. Close HijackThis.


Deletions
Delete the following folder and files if they still exist:
C:\Program Files\Viewpoint (folder)
C:\WINDOWS\System32\sysvx.exe (file)
C:\WINDOWS\System32\whitevx.lst (file)


Run CleanUp!
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
  • Click "Options..."
  • Move the arrow down to "Custom CleanUp!"
  • Put a check next to the following:
    • Empty Recycle Bins
    • Delete Cookies
    • Delete Prefetch files
    • Cleanup! All Users
    • Click on "Temporary Files" and make sure the box for "Scan drives for file matching" is unchecked.
    Click OK.
  • Press the CleanUp! button to start the program.
Once it's finished, CleanUp! will ask you to log off/reboot. Please select NO as we will do this later.


Run AVG Anti-Spyware
  • Run AVG Anti-Spyware and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action.
  • If Set all elements to is not set to Quarantine (1), please click Recommended Action and choose Quarantine from the popup menu (2).
  • At the bottom of the window, click on the Apply all actions button (3).
  • When it has finished, click the Save Scan Report button (4), then click Save Report As and save the report to your desktop.
  • Close AVG Anti-Spyware.

Reboot
Reboot your system to Normal Mode.


Online Scan
Perform an online scan using Internet Explorer with Kaspersky WebScanner. Click on Launch Kaspersky Anti-Virus Web Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: extended
    • Scan Options: Scan Archives and Scan Mail Bases
  • Click OK
  • Turn off the real time scanner of any existing antivirus program before performing the online scan. You can turn it back on after the scan is done.
  • Now under select a target to scan, select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run all the way.
  • Once the scan is complete it will display if your system has been infected.
  • Click on the Save as Text button and save the file to your desktop.
  • Copy and paste that information in your next post.
Take note of the names and locations of any file it detects but fails to clean.




Antivirus Required
I notice that you do not appear to have an active antivirus program. Connecting to the Internet without antivirus protection is a "Welcome" doormat for malware. It can take as little as eight seconds to infect an unprotected computer. Here are several very good free antivirus products which are available:
Please install one of these now. Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.


Unpatched Operating System
IMPORTANT! Before we can proceed any further, please visit Microsoft's Windows Update page and install ALL Critical Updates for your system except Service Pack 2 (SP2). SP2 should only be installed on a fully disinfected system. At the minimum, install at least Service Pack 1a for both XP and IE6. Without these updates your system is wide open to re-infection and we are both wasting our efforts to clean your system. After we have completed your clean-up, we will have you return to the Windows Update page and install SP2. We will also then advise you on how to better protect yourself online.


Download Autoruns
  • Please download Autoruns and AutoCmd.
  • Extract the contents of Autoruns into a new folder.
  • Now extract the contents of AutoCmd into the same folder as Autoruns. This is important!
  • Double-click on AutoCmd.cmd & select option '1'
  • It will produce a log called autoruns_X_Y.txt (where X and Y are the date and time respectively). Please attach the log in your next reply.

Generate An Uninstall List
  • Open HijackThis.
  • Click on the "Configure" button on the bottom right.
  • Click on the tab "Misc Tools".
  • Click on the Box that says "Open Uninstall Manager".
  • Click on the button "Save list"
Please save a copy and paste the contents with your next reply.


With Your Next Post...
Please paste the following with your next reply (in this order please):
  1. AVG Anti-Spyware scan report,
  2. Kaspersky scan report,
  3. your Autoruns log,
  4. your uninstall list, and
  5. a new HiJackThis log taken after Kaspersky finishes.
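One way to do by machine what the helper does by hand in the fix list above: parse the R/F/N/O entries of the two HijackThis logs posted earlier, list what appeared or disappeared between them, and flag the entry types the fix list targets (BHOs with no file, Run values with a bare filename, a Run value in System32 named after its own executable). This is an added example written for this page, not HijackThis code or anything posted in the thread; the embedded log excerpts are constructed from the two posted logs, and the triage rules are the editor's heuristics, not rules from the tool.

```python
import re
from dataclasses import dataclass

# Constructed excerpts: lines copied verbatim from the first (#1) and second (#3)
# HijackThis logs in this thread, keeping only the entries the example needs.
LOG_FIRST = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onearrow.net/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {3ABFC94F-214F-418C-49F7-3E137E255CC8} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A3C48CC5-FDB6-78F7-4E35-5760D5EA1910} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

LOG_SECOND = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onearrow.net/
O2 - BHO: (no name) - {3ABFC94F-214F-418C-49F7-3E137E255CC8} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A3C48CC5-FDB6-78F7-4E35-5760D5EA1910} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sysvx.exe] C:\WINDOWS\System32\sysvx.exe
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
"""

# A log entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
# Body of an O4 registry Run entry: hive, key, value name in brackets, command line.
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Program part of a command line: a quoted path, or an unquoted path up to its extension.
EXE_RE = re.compile(
    r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>.*?\.(?:exe|dll|com|scr|bat|cmd|pif)))(?:\s|$)',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O4"
    body: str     # everything after "O4 - "
    raw: str      # the full log line, used as the identity for diffing


def parse_log(text: str) -> list[Entry]:
    """Return the R/F/N/O entries of a HijackThis log; headers and process lists are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group("section"), m.group("body"), line))
    return entries


def executable_of(cmd: str) -> str:
    """Best-effort extraction of the program path from an O4 command line."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return cmd.strip()
    return m.group("quoted") or m.group("bare")


def triage(entries: list[Entry]) -> list[tuple[str, str]]:
    """Apply the editor's heuristics and return (log line, reason) pairs."""
    findings = []
    for e in entries:
        if e.section == "O2" and e.body.endswith("(no file)"):
            findings.append((e.raw, "orphaned BHO: CLSID still registered but its DLL is gone"))
        elif e.section == "R3" and "is missing" in e.body:
            findings.append((e.raw, "default URLSearchHook missing: the IE search hook has been altered"))
        elif e.section == "O4":
            m = RUN_RE.match(e.body)
            if not m:
                continue  # O4 Startup-folder entries have a different shape; not handled here
            exe = executable_of(m.group("cmd"))
            base = exe.rsplit("\\", 1)[-1].lower()
            if "\\" not in exe:
                findings.append((e.raw, "Run entry with a bare filename: resolved by PATH search, "
                                        "so which file actually runs is unknown"))
            elif exe.lower().startswith("c:\\windows\\system32\\") and m.group("name").lower() == base:
                findings.append((e.raw, "heuristic: Run value named after its own System32 "
                                        "executable, unlike the vendor entries around it"))
    return findings


def new_entries(first: list[Entry], second: list[Entry]) -> list[Entry]:
    """Entries present in the second log but not the first (new autostarts/hooks)."""
    seen = {e.raw for e in first}
    return [e for e in second if e.raw not in seen]


def removed_entries(first: list[Entry], second: list[Entry]) -> list[Entry]:
    """Entries that were in the first log but are gone from the second."""
    return new_entries(second, first)


if __name__ == "__main__":
    first, second = parse_log(LOG_FIRST), parse_log(LOG_SECOND)
    print("New since first log:")
    for e in new_entries(first, second):
        print("  +", e.raw)
    print("Gone since first log:")
    for e in removed_entries(first, second):
        print("  -", e.raw)
    print("Triage of second log:")
    for raw, why in triage(second):
        print(f"  {raw}\n      -> {why}")
```

Run against the two posted logs, the diff shows the [sysvx.exe] Run value appearing between scans, and the triage output covers the O2 and O4 lines the helper listed under HijackThis Fixes.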
 

Discussion Starter (Registered, 7 Posts) · #5 ·
OK, I think I got it all. =) New logs

I hope cut-n-paste was OK. This is huge.

--------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:40:14 PM 12/17/2006

+ Scan result:



C:\WINDOWS\system32\rcxacqqu.exe -> Adware.Searchcolor : No action taken.
C:\Documents and Settings\Owner\Desktop\backups\backup-20061008-161816-732.dll -> Adware.Virtumonde : No action taken.
C:\Documents and Settings\Owner\Desktop\backups\backup-20061008-161834-592.dll -> Adware.Virtumonde : No action taken.
C:\WINDOWS\system32\mljifdb.dll -> Adware.Virtumonde : No action taken.
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP413\A0025642.exe -> Downloader.PurityScan.dc : No action taken.
C:\WINDOWS\system32\aacmeaaa86890.exe -> Downloader.Small.cug : No action taken.
C:\WINDOWS\system32\aacmeaaa91500.exe -> Downloader.Small.cug : No action taken.
C:\WINDOWS\system32\pbjhaaaa.exe -> Downloader.Tiny.bm : No action taken.
C:\WINDOWS\system32\jxgsaaaa.exe -> Logger.Agent.ir : No action taken.
C:\WINDOWS\system32\msvctl32.dll -> Logger.Agent.ir : No action taken.
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP411\A0025540.dll -> Logger.BZub.fh : No action taken.
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP410\A0024541.exe -> Logger.BZub.fz : No action taken.
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP411\A0025548.dll -> Trojan.BHO.g : No action taken.
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP407\A0022520.dll -> Worm.Locksky.aq : No action taken.
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP410\A0023517.dll -> Worm.Locksky.aq : No action taken.
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP410\A0023527.dll -> Worm.Locksky.aq : No action taken.
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP410\A0024527.dll -> Worm.Locksky.aq : No action taken.
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP410\A0025527.dll -> Worm.Locksky.aq : No action taken.
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP412\A0025629.dll -> Worm.Locksky.aq : No action taken.
C:\WINDOWS\comdlg64.dll -> Worm.Locksky.aq : No action taken.


::Report end

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, December 18, 2006 6:15:10 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 18/12/2006
Kaspersky Anti-Virus database records: 251551
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 84974
Number of viruses found: 6
Number of infected objects: 9 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:25:19

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Desktop\backups\backup-20061008-161816-732.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\Documents and Settings\Owner\Desktop\backups\backup-20061008-161834-592.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\Documents and Settings\Owner\Desktop\backups\backup-20061008-195131-717 Infected: Exploit.HTML.Mht skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\Perflib_Perfdata_6a0.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\hp\bin\KillWind.exe Infected: not-a-virus:RiskTool.Win32.PsKill.p skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP407\A0022520.dll Object is locked skipped
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP410\A0023517.dll Object is locked skipped
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP410\A0023518.exe Object is locked skipped
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP410\A0023527.dll Object is locked skipped
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP410\A0024527.dll Object is locked skipped
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP410\A0024541.exe Object is locked skipped
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP410\A0025527.dll Object is locked skipped
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP411\A0025540.dll Object is locked skipped
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP411\A0025548.dll Object is locked skipped
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP412\A0025629.dll Object is locked skipped
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP413\A0025642.exe Object is locked skipped
C:\System Volume Information\_restore{E0C22EC0-D318-4D95-967D-A5C2B4653ED0}\RP415\change.log Object is locked skipped
C:\WINDOWS\comdlg64.dll Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\MINE.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\aacmeaaa86890.exe Object is locked skipped
C:\WINDOWS\system32\aacmeaaa91500.exe Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\djuqaaaa.exe Object is locked skipped
C:\WINDOWS\system32\glyoiyhl.exe Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\jxgsaaaa.exe Infected: Trojan-Spy.Win32.Agent.ir skipped
C:\WINDOWS\system32\mljgg.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ek skipped
C:\WINDOWS\system32\mljifdb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\WINDOWS\system32\msvctl32.dll Infected: Trojan-Spy.Win32.Agent.ir skipped
C:\WINDOWS\system32\pbjhaaaa.exe Object is locked skipped
C:\WINDOWS\system32\ur8236qj.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\temp\ZLT075f9.TMP Object is locked skipped
C:\WINDOWS\temp\ZLT07616.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Owner - Tue 12/19/[email protected]:36:19.70
running from C:\Documents and Settings\Owner\My Documents\Autoruns\

Other users of this machine:
* Administrator
* Guest

----------------------------------------------------------------------------------

HKLM\System\CurrentControlSet\Services
AVG Anti-Spyware Guard
AVG Anti-Spyware guard
(Not verified) Anti-Malware Development a.s.
c:\program files\grisoft\avg anti-spyware 7.5\guard.exe
Avg7Alrt
AVG Alert Manager
(Not verified) GRISOFT, s.r.o.
c:\program files\grisoft\avg free\avgamsvr.exe
Avg7UpdSvc
AVG Update Service
(Not verified) GRISOFT, s.r.o.
c:\program files\grisoft\avg free\avgupsvc.exe
AVGEMS
AVG E-Mail Scanner
(Not verified) GRISOFT, s.r.o.
c:\program files\grisoft\avg free\avgemc.exe
Creative Service for CDROM Access
Creative Service for CDROM Access
(Not verified) Creative Technology Ltd
c:\windows\system32\ctsvccda.exe
InCDsrvR
Helper service for the InCD filesystem driver (read only)
(Not verified) Ahead Software AG
c:\program files\ahead\incd\incdsrv.exe
omniserv
c:\program files\softex\omnipass\omniserv.exe
SystemSuite Task Manager
The background task server
(Not verified) Ontrack Data International
c:\program files\ontrack\systemsuite\mxtask.exe
vsmon
Monitors internet traffic and generates alerts for disallowed access.
(Verified) Check Point Software Technologies Inc.
c:\windows\system32\zonelabs\vsmon.exe

HKLM\System\CurrentControlSet\Services
AVG Anti-Spyware Driver
c:\program files\grisoft\avg anti-spyware 7.5\guard.sys
Avg7Core
AVG Scanning Engine
(Not verified) GRISOFT, s.r.o.
c:\windows\system32\drivers\avg7core.sys
Avg7RsW
AVG Resident Shield Unload Helper
(Not verified) GRISOFT, s.r.o.
c:\windows\system32\drivers\avg7rsw.sys
Avg7RsXP
AVG Resident Anti-Virus Shield
(Not verified) GRISOFT, s.r.o.
c:\windows\system32\drivers\avg7rsxp.sys
AvgAsCln
AVG7 Clean Driver
(Not verified) GRISOFT, s.r.o.
c:\windows\system32\drivers\avgascln.sys
AvgClean
AVG7 Clean Driver
(Not verified) GRISOFT, s.r.o.
c:\windows\system32\drivers\avgclean.sys
AvgTdi
AVG Network connection watcher
(Not verified) GRISOFT, s.r.o.
c:\windows\system32\drivers\avgtdi.sys
fasttx2k
Promise FastTrak Series Driver for WindowsXP
(Not verified) Promise Technology, Inc.
c:\windows\system32\drivers\fasttx2k.sys
HTTP
This service implements the hypertext transfer protocol (HTTP). If this service is disabled, any services that explicitly depend on it will fail to start.
File not found: System32\Drivers\HTTP.sys
InCDPass
Ahead RW Filter Driver
(Not verified) Ahead Software AG
c:\windows\system32\drivers\incdpass.sys
intelppm
File not found: System32\DRIVERS\intelppm.sys
ip6fw
Provides intrusion prevention service for a home or small office network.
File not found: system32\drivers\ip6fw.sys
mxInsMon
c:\program files\ontrack\systemsuite\mxinsmon.sys
PalmUSBD
USB Driver for Palm OS Handheld Devices
(Not verified) Palm, Inc.
c:\windows\system32\drivers\palmusbd.sys
pfc
Padus(R) ASPI Shell
(Not verified) Padus, Inc.
c:\windows\system32\drivers\pfc.sys
PfModNT
PCI/ISA Device Info. Service
(Not verified) Creative Technology Ltd.
c:\windows\system32\drivers\pfmodnt.sys
PxHelp20
Px Engine Device Driver for Windows 2000/XP
(Not verified) Sonic Solutions
c:\windows\system32\drivers\pxhelp20.sys
Secdrv
SafeDisc driver
(Not verified) Macrovision Europe Ltd
c:\windows\system32\drivers\secdrv.sys
srescan
srescan
(Verified) Check Point Software Technologies Inc.
c:\windows\system32\zonelabs\srescan.sys
vsdatant
TrueVector Device Driver
(Verified) Check Point Software Technologies Inc.
c:\windows\system32\vsdatant.sys
wanatw
File not found: System32\DRIVERS\wanatw4.sys

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
hpsysdrv
hpsysdrv
(Not verified) Hewlett-Packard Company
c:\windows\system\hpsysdrv.exe
Fix-It AV
SystemSuite Virus Scanner MemCheck
(Not verified) Ontrack Data International
c:\program files\ontrack\systemsuite\memcheck.exe
TkBellExe
RealNetworks Scheduler
(Not verified) RealNetworks, Inc.
c:\program files\common files\real\update_ob\realsched.exe
NeroFilterCheck
NeroCheck
(Not verified) Ahead Software Gmbh
c:\windows\system32\nerocheck.exe
QuickTime Task
(Not verified) Apple Computer, Inc.
c:\program files\quicktime\qttask.exe
Zone Labs Client
Zone Labs Client
(Verified) Check Point Software Technologies Inc.
c:\program files\zone labs\zonealarm\zlclient.exe
AVG7_CC
AVG Control Center
(Not verified) GRISOFT, s.r.o.
c:\program files\grisoft\avg free\avgcc.exe
!AVG Anti-Spyware
AVG Anti-Spyware
(Not verified) Anti-Malware Development a.s.
c:\program files\grisoft\avg anti-spyware 7.5\avgas.exe

HKLM\SOFTWARE\Classes\Protocols\Filter
application/octet-stream
Microsoft .NET Runtime Execution Engine
(Not verified) Microsoft Corporation
c:\windows\system32\mscoree.dll
application/x-complus
Microsoft .NET Runtime Execution Engine
(Not verified) Microsoft Corporation
c:\windows\system32\mscoree.dll
application/x-msdownload
Microsoft .NET Runtime Execution Engine
(Not verified) Microsoft Corporation
c:\windows\system32\mscoree.dll

HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
0
File not found: About:Home

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
n/a
Microsoft .NET IE SECURITY REGISTRATION
(Not verified) Microsoft Corporation
c:\windows\system32\mscories.dll

C:\Documents and Settings\Owner\Start Menu\Programs\Startup
BHODemon 2.0.lnk
BHODemon - Freeware BHO Detection Utility
(Not verified) Definitive Solutions, Inc.
c:\program files\bhodemon 2\bhodemon.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PhotoShow Deluxe Media Manager
Nero PhotoShow Media Manager
(Not verified) Ahead Software
c:\program files\ahead\nero photoshow\data\xtras\mssysmgr.exe
NBJ
Nero BackItUp Scheduler Application
(Not verified) Ahead Software AG
c:\program files\ahead\nero backitup\nbj.exe
Creative Detector
Creative MediaSource Detector
(Not verified) Creative Technology Ltd
c:\program files\creative\mediasource\detector\ctdetect.exe
RealPlayer
RealPlayer
(Not verified) RealNetworks, Inc.
c:\program files\real\realone player\realplay.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
AVG Anti-Spyware 7.5
AVG Anti-Spyware shellexecutehook
(Not verified) Anti-Malware Development a.s.
c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Shell Extensions for RealOne Player
RealOne Player Shell Extensions
(Not verified) RealNetworks
c:\program files\real\realone player\rpshellext.dll
SampleView
ShellvRTF
(Not verified) XSS
c:\windows\system32\shellvrtf.dll
Fusion Cache
Microsoft .NET Runtime Execution Engine
(Not verified) Microsoft Corporation
c:\windows\system32\mscoree.dll
OmniPass Shell Extension
OPShellE Module
(Not verified) Softex Incorporated
c:\program files\softex\omnipass\opshelle.dll
My Digital Camera
CAMVIEW DLL
(Not verified) FotoNation Inc.
c:\program files\common files\fotonation\camview.dll
Shell Extension for CDRW
UDF Shell Extension DLL
(Not verified) Ahead Software AG
c:\program files\ahead\incd\incdshx.dll
WinZip
WinZip Shell Extension DLL
(Not verified) WinZip Computing LP
c:\program files\winzip\wzshlstb.dll
WinZip
WinZip Shell Extension DLL
(Not verified) WinZip Computing LP
c:\program files\winzip\wzshlstb.dll
WinZip
WinZip Shell Extension DLL
(Not verified) WinZip Computing LP
c:\program files\winzip\wzshlstb.dll
WinZip
WinZip Shell Extension DLL
(Not verified) WinZip Computing LP
c:\program files\winzip\wzshlstb.dll
AVG7 Shell Extension
AVG Shell Extension
(Not verified) GRISOFT, s.r.o.
c:\program files\grisoft\avg free\avgse.dll
AVG7 Find Extension
AVG Shell Extension
(Not verified) GRISOFT, s.r.o.
c:\program files\grisoft\avg free\avgse.dll

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
Web Folders
c:\program files\common files\microsoft shared\web folders\msonsext.dll

3D Home Architect(r) Deluxe 3.0
Ad-Aware SE Personal
Adobe Acrobat 4.0
Adobe Acrobat 5.0
Adobe ActiveShare 1.2
Adobe PhotoDeluxe Home Edition 4.0
Adobe Shockwave Player
APC PowerChute Personal Edition
AVG Anti-Spyware 7.5
AVG Free Edition
BHODemon 2.0.0.23
CleanUp!
Debugging Tools for Windows
DiamondCS TDS-3
DiMAGE Viewer
DMVlite
DVD Decrypter (Remove Only)
DVD Shrink 3.2
eGames GameButler
Epocrates Essentials
EPSON CardMonitor
EPSON PhotoStarter3.0
EPSON Print CD
EPSON Printer Software
EPSON SPR300 Reference Guide
exPressit S.E. 2.1
Family Tree Maker
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Hoyle Solitaire
hp deskjet 3420 series (Remove only)
HP Deskjet printer preloaded drivers
HP Photo and Imaging 1.0 - Scanjet 3500c Series
Infinite Crosswords Version 1.10a
Instant Support
Intel(R) Extreme Graphics Driver
IntelliMover Data Transfer Demo
InterActual Player
InterVideo WinDVD Player
ItsDeductible Express
Java 2 Runtime Environment, SE v1.4.2_06
Kaspersky Online Scanner
Kazoo Player
LiveReg (Symantec Corporation)
Macromedia Flash Player 8
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Money 2003
Microsoft Money 2003 System Pack
Microsoft Web Publishing Wizard 1.52
Microsoft Windows XP Video Decoder Checkup Utility
Microsoft Works 7.0
Mozilla Thunderbird (1.0)
MSN Music Assistant
MuVo Driver
Nero PhotoShow Elite
Nero Suite
NVIDIA Windows 2000/XP Display Drivers
OmniPass
Ontrack® SystemSuite 4.0
Palm Desktop
PC-Doctor for Windows
Photo Organizer
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
Quick StartUp 1.2
QuickTime
RealOne Player
RecordNow
Registry Cleaner Optimizer
Registry Mechanic
Registry Repair 1.44
S3Display
S3Gamma2
S3Info2
S3Overlay
Secure Delivery
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905495)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Simple Installer - Multilanguage Version
Sonic Update Manager
TaxCut 2003
TaxCut Standard 2005
Turbo Lister
TurboTax Basic 2004
Update for Windows XP (KB835409)
Update for Windows XP (KB898461)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Viewpoint Media Player (Remove Only)
Weblink
WexTech AnswerWorks
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Live Safety scanner
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows XP Hotfix - KB823980
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB871250
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891711
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB911567
Windows XP Hotfix - KB918439
Windows XP Hotfix - KB918899
Windows XP Hotfix - KB925486
Windows XP Hotfix (SP2) [See q329256 for more information]
Windows XP Hotfix (SP2) Q327979
Windows XP Hotfix (SP2) Q329909
Windows XP Hotfix (SP2) Q331958
Windows XP Hotfix (SP2) Q811789
WinZip
ZoneAlarm
ZyXEL P623-41 usb_1_01_02

Logfile of HijackThis v1.99.1
Scan saved at 2:45:29 PM, on 12/19/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\WINDOWS\System32\ZoneLabs\vsmon.exe
C:\WINDOWS\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onearrow.net/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\Ontrack\SYSTEM~1\MemCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB002" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1141757013609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149645206937
O17 - HKLM\System\CCS\Services\Tcpip\..\{976068F3-86FC-4970-82C3-DA387F847D59}: NameServer = 192.168.1.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SystemSuite Task Manager - Ontrack Data International - C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 

Registered · 2,506 Posts
Reboot
Reboot your system to Safe Mode by repeatedly tapping the F8 key until the menu appears and choosing Safe Mode from the list. On some systems, this may be the F5 key so try that if F8 doesn't work. Log on with your usual account. Make sure to close any open windows.


Deletions
Delete the following Files indicated in RED if they still exist:
C:\WINDOWS\system32\aacmeaaa86890.exe
C:\WINDOWS\system32\aacmeaaa91500.exe
C:\WINDOWS\system32\djuqaaaa.exe
C:\WINDOWS\system32\glyoiyhl.exe
C:\WINDOWS\system32\h323log.txt
C:\WINDOWS\system32\jxgsaaaa.exe
C:\WINDOWS\system32\mljgg.dll.vir
C:\WINDOWS\system32\mljifdb.dll
C:\WINDOWS\system32\msvctl32.dll
C:\WINDOWS\system32\pbjhaaaa.exe
C:\WINDOWS\system32\rcxacqqu.exe
C:\WINDOWS\system32\ur8236qj.ini
C:\WINDOWS\comdlg64.dll

Reboot
Reboot your system to Normal Mode.


Online Scan
Perform an online scan with Internet Explorer with Panda ActiveScan.
  1. Click on the "Scan your PC" button located at the bottom of the page. A popup window should appear -- make sure you allow it if you have a popup blocker.
  2. Enter your e-mail address, country, and state and click Scan Now.
  3. Your computer will download Panda's 8 megabyte ActiveX control at this point. Follow the on-screen directions if it asks you to install the ActiveX control.
  4. Begin the scan by selecting My Computer. Note:
    • Please turn off the real time scanner of any existing antivirus program while performing the online scan.
    • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
    • Click on See report then click Save report.
    • It is not necessary to remain online while it's doing the scan, but you will have to re-connect after it has finished to see the report.

Download SilentRunners
Please download SilentRunners.vbs - Right click & choose Save As... SilentRunners.vbs

Before proceeding, disable any anti-virus or anti-spyware programs that may block/disable scripts.

Launch SilentRunners by double-clicking the downloaded file. In the ensuing window, select 'No' to avoid skipping supplementary searches. Please be patient as the script requires a few minutes to complete.

When it's done, you'll receive the prompt "All Done!". It will create a file called "Startup Programs". Post ALL its contents here in your next reply.


Download ComboFix
Please download ComboFix and save it to your Desktop. Double click combofix.exe & follow the prompts. While ComboFix is running, please do not click or move the window, as this may cause the tool to stall. When the tool has finished, it will produce a log for you and save it as C:\ComboFix.txt. Post that log in your next reply.


With Your Next Post...
Please paste the following with your next reply (in this order please):
  1. Panda scan report,
  2. your SilentRunners log,
  3. the contents of C:\ComboFix.txt, and
  4. a new HiJackThis log taken after ComboFix finishes.
Also let me know how your machine is behaving now.
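The last step above asks for a fresh HijackThis log once ComboFix has run, and the question a helper then answers is which autostart, service and downloaded-control entries changed between rounds. As an added example (not from the original post and not HijackThis's own code), this Python script keys O4/O16/O23 lines the way they appear in the log above and diffs two logs; the two sample logs, the `sample_autostart` entry and the all-zero placeholder CLSID are constructed for the demo.

```python
"""Parse HijackThis 1.99-style log lines and diff two logs.  Added example for
this thread, not HijackThis's own code; sample logs below are constructed."""
import re

_ENTRY = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
_O4_REG = re.compile(r"^(?P<loc>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_O4_LNK = re.compile(r"^(?P<loc>Startup|Global Startup): (?P<name>.+?) = (?P<cmd>.*)$")
_O16 = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - (.*)$")

def parse_entry(line):
    """Return (type, key, value) for one log line, or None for non-entries.
    key names what is hooked (run-key name, service, CLSID); value is the
    command or path, so a swapped binary shows up as a 'changed' entry."""
    m = _ENTRY.match(line.strip())
    if not m:
        return None
    kind, rest = m.groups()
    if kind == "O4":  # "HKLM\..\Run: [name] cmd" or "Startup: x.lnk = cmd"
        m4 = _O4_REG.match(rest) or _O4_LNK.match(rest)
        if m4:
            return kind, f"{m4['loc']}:{m4['name']}", m4["cmd"]
    elif kind == "O23":  # "Service: name - vendor - path"
        parts = rest[len("Service: "):].rsplit(" - ", 2)
        if len(parts) == 3:
            return kind, parts[0], f"{parts[1]} | {parts[2]}"
    elif kind == "O16":  # downloaded ActiveX control: "{CLSID} (desc) - url"
        m16 = _O16.match(rest)
        if m16:
            return kind, m16.group(1), m16.group(3)
    return kind, rest, ""  # other types (R0, O3, O17, O20...): whole remainder is the key

def parse_log(text):
    """Map (type, key) -> value for every recognised entry in a log."""
    entries = {}
    for line in text.splitlines():
        parsed = parse_entry(line)
        if parsed:
            entries[(parsed[0], parsed[1])] = parsed[2]
    return entries

def diff_logs(old_text, new_text):
    """Return (added, removed, changed) entry keys between two logs of one machine."""
    old, new = parse_log(old_text), parse_log(new_text)
    added = sorted(k for k in new if k not in old)
    removed = sorted(k for k in old if k not in new)
    changed = sorted(k for k in old if k in new and old[k] != new[k])
    return added, removed, changed

# Constructed "before" log with one extra autostart entry and a placeholder
# DPF control, and a constructed "after" log where both are gone.
OLD_LOG = r"""O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [sample_autostart] C:\WINDOWS\system32\sample_autostart.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Placeholder Control) - http://placeholder.invalid/x.cab
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
"""
NEW_LOG = r"""O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
"""

if __name__ == "__main__":
    for label, keys in zip(("added", "removed", "changed"), diff_logs(OLD_LOG, NEW_LOG)):
        print(label, *[f"{kind} {key}" for kind, key in keys])
```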
 