Results 1 to 4 of 4

Thread: Hiloti & Daurso

  1. #1
    Junior Member
    Join Date
    Sep 2009
    Posts
    18

    Default Hiloti & Daurso

    Avast and Spybot can't find anything.

    MS Defender finds:
    Trojan:Win32/Hiloti.gen!A
    PWS:Win32/Daurso.A

    It removes them, but they come back upon reboot.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:53:46 AM, on 9/18/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    D:\Apache\Apache\Apache.exe
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    D:\Apache\Apache\Apache.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\MozyHome\mozybackup.exe
    C:\Program Files\UltraMon\UltraMon.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\recycler\MSRecycler.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files2\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
    C:\Program Files\CrossHair\CrossHair.exe
    C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Macro Express3\MacExp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\Program Files\MozyHome\mozystat.exe
    C:\Program Files\FileBX\FileBX.exe
    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
    C:\Program Files\xkeys\MacroWorks II\MacroWorks.exe
    C:\WINDOWS\Temp\wpv961253178221.exe
    C:\Program Files\PowerDesk\NTTool.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\PowerDesk\PDesk.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\EditPlus 2\editplus.exe
    C:\Program Files\PowerDesk2\PDExplo.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\UltraMon\UltraMonTaskbar.exe
    E:\!\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.ca.dell.com/content/defa...=ca&l=en&s=gen
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.ca.dell.com/content/defa...=ca&l=en&s=gen
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://www-secure.symantec.com/cust..._consumer.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O3 - Toolbar: (no name) - {95188727-288F-4581-A48D-EAB3BD027314} - (no file)
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MSRSvC] C:\recycler\MSRecycler.exe -d -p42000
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [sysgif32] C:\WINDOWS\Temp\wpv961253178221.exe
    O4 - HKCU\..\Run: [CrossHair] C:\Program Files\CrossHair\CrossHair.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jack\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [Jack] C:\Documents and Settings\Jack\Jack.exe /i
    O4 - Startup: 2.lnk = ?
    O4 - Startup: FileBox eXtender.lnk = C:\Program Files\FileBX\FileBX.exe
    O4 - Startup: ikowin32.exe
    O4 - Startup: MacroWorks II.lnk = C:\Program Files\xkeys\MacroWorks II\MacroWorks.exe
    O4 - Startup: Shortcut to Pdesk.exe.lnk = C:\Program Files\PowerDesk\Pdesk.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: APC UPS Status.lnk = ?
    O4 - Global Startup: Logitech SetPoint.lnk = ?
    O4 - Global Startup: Macro Express 3.lnk = C:\Program Files\Macro Express3\MacExp.exe
    O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe
    O8 - Extra context menu item: Add to Vbuzzer RSS list - C:\Program Files\vbuzzer\addurl.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Zend Studio - Debug current page - res://C:\Program Files2\Zend\ZendStudioClient-5.1.0\bin\ZendIEToolbar.dll/DebugCurrent.html
    O8 - Extra context menu item: Zend Studio - Debug next page - res://C:\Program Files2\Zend\ZendStudioClient-5.1.0\bin\ZendIEToolbar.dll/DebugNext.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Zend Studio Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Zend Studio - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {22D4879A-92DB-470D-8A83-E158797D8176} (Liquid.LiquidHelper) - file://W:\components\Liquid.ocx
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1251316917078
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1251316889562
    O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
    O18 - Protocol: intu-qt2008 - {05E53CE9-66C8-4A9E-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Apache - Unknown owner - D:\Apache\Apache\Apache.exe
    O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: MozyHome Backup Service (mozybackup) - Mozy, Inc. - C:\Program Files\MozyHome\mozybackup.exe
    O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
    O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
    O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 11703 bytes

  2. #2
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi,

    Download DDS and save it to your desktop from here or here or here.
    Disable any script blocker, and then double click dds.scr to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop. Post them back to your topic.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Junior Member
    Join Date
    Sep 2009
    Posts
    18

    Default

    DDS (Ver_09-07-30.01) - NTFSx86
    Run by Jack at 21:55:52.31 on Tue 09/22/2009
    Internet Explorer: 6.0.2900.2180
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1170 [GMT -4:00]

    AV: avast! antivirus 4.8.1351 [VPS 090922-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    D:\Apache\Apache\Apache.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    D:\Apache\Apache\Apache.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\MozyHome\mozybackup.exe
    C:\Program Files2\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
    C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\UltraMon\UltraMon.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\CrossHair\CrossHair.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Macro Express3\MacExp.exe
    C:\Program Files\MozyHome\mozystat.exe
    C:\Program Files\FileBX\FileBX.exe
    C:\Program Files\xkeys\MacroWorks II\MacroWorks.exe
    C:\Program Files\UltraMon\UltraMonTaskbar.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\Program Files\PowerDesk\NTTool.exe
    C:\Program Files\PowerDesk\PDesk.exe
    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\PowerDesk2\PDExplo.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\CuteFTP 7 Professional\cuteftppro.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    E:\!\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    mDefault_Page_URL = hxxp://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
    mStart Page = hxxp://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
    uInternet Connection Wizard,ShellNext = https://www-secure.symantec.com/cust..._consumer.html
    uInternet Settings,ProxyOverride = 127.0.0.1;*.local
    mSearchAssistant = hxxp://www.google.com/ie
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_07\bin\ssv.dll
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
    TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    TB: {95188727-288F-4581-A48D-EAB3BD027314} - No File
    EB: {F60C63CE-52AF-4915-AAC9-F100FCDE270F}} - No File
    uRun: [CrossHair] c:\program files\crosshair\CrossHair.exe
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
    mRun: [UltraMon] "c:\program files\ultramon\UltraMon.exe" /auto
    mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
    mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
    mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
    mRun: [Regedit32] c:\windows\system32\regedit.exe
    mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    StartupFolder: c:\docume~1\jack\startm~1\programs\startup\2.lnk - c:\documents and settings\jack\application data\realtime soft\ultramon\profiles\2.umprofile
    StartupFolder: c:\docume~1\jack\startm~1\programs\startup\filebo~1.lnk - c:\program files\filebx\FileBX.exe
    StartupFolder: c:\docume~1\jack\startm~1\programs\startup\macrow~1.lnk - c:\program files\xkeys\macroworks ii\MacroWorks.exe
    StartupFolder: c:\docume~1\jack\startm~1\programs\startup\shortc~1.lnk - c:\program files\powerdesk\Pdesk.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\macroe~1.lnk - c:\program files\macro express3\MacExp.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozyho~1.lnk - c:\program files\mozyhome\mozystat.exe
    IE: Add to Vbuzzer RSS list - c:\program files\vbuzzer\addurl.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
    IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
    IE: Zend Studio - Debug current page - c:\program files2\zend\zendstudioclient-5.1.0\bin\ZendIEToolbar.dll/DebugCurrent.html
    IE: Zend Studio - Debug next page - c:\program files2\zend\zendstudioclient-5.1.0\bin\ZendIEToolbar.dll/DebugNext.html
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
    IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_07\bin\ssv.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - {95188727-288F-4581-A48D-EAB3BD027314}
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {22D4879A-92DB-470D-8A83-E158797D8176} - file://w:\components\Liquid.ocx
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1251316917078
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1251316889562
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
    Handler: intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\quicktax 2007\ic2007pp.dll
    Handler: intu-qt2008 - {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - c:\program files\quicktax 2008\ic2008pp.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: AtiExtEvent - Ati2evxx.dll
    Notify: igfxcui - igfxdev.dll
    SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\jack\applic~1\mozilla\firefox\profiles\vq1gf3mf.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - CakePHP Cookbook
    FF - prefs.js: browser.startup.homepage - file:///D:/WEBSITES/LINKS-MYSITES.htm
    FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
    FF - plugin: c:\documents and settings\jack\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava11.dll
    FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava12.dll
    FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava13.dll
    FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava14.dll
    FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJava32.dll
    FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPJPI150_07.dll
    FF - plugin: c:\program files\java\jre1.5.0_07\bin\NPOJI610.dll
    FF - HiddenExtension: XUL Cache: {B01BBFCA-95D1-4337-BBC2-5D520B7845E2} - c:\documents and settings\jack\local settings\application data\{B01BBFCA-95D1-4337-BBC2-5D520B7845E2}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
    c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
    c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
    c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-1 114768]
    R1 mozyFilter;mozyFilter;c:\windows\system32\drivers\mozy.sys [2009-2-26 53752]
    R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [2006-8-16 33920]
    R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-9-14 353672]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-1 20560]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2007-10-24 138680]
    R2 FLE5WNNT;FLE-5 WindowsNT Driver;c:\windows\system32\drivers\fle5wnnt.sys [2007-1-25 33404]
    R2 FLSIFACE;FLSIface;c:\windows\system32\drivers\flsiface.sys [2007-1-25 13440]
    R2 FLSPAR;FLSPar;c:\windows\system32\drivers\flspar.sys [2007-1-25 16314]
    R2 FLSSER;FLSSer;c:\windows\system32\drivers\flsser.sys [2007-1-25 8344]
    R2 FLSVCOM;FLSVCom;c:\windows\system32\drivers\flsvcom.sys [2007-1-25 32666]
    R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2006-9-20 3712]
    R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\common files\realtime soft\ultramonmirrordrv\x32\UltraMonUtility.sys [2005-6-2 10496]
    R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
    R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2007-10-24 352920]
    R3 PIBus;PIBus Device;c:\windows\system32\drivers\PIBus.sys [2006-6-14 43356]
    R3 PIJoy;PI Virtual Joystick;c:\windows\system32\drivers\PIJoy.sys [2006-6-14 3910]
    R3 PIKbd;PI Virtual Keyboard;c:\windows\system32\drivers\PIKbd.sys [2006-6-14 3878]
    R3 PIMou;PI Virtual Mouse;c:\windows\system32\drivers\PIMou.sys [2006-6-14 3846]
    R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [2005-5-14 3328]
    S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
    S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2006-10-23 2944]
    S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2006-10-23 60416]
    S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2006-10-23 11008]
    S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2006-10-23 10368]

    =============== Created Last 30 ================

    2009-09-18 23:22 <DIR> --d----- c:\docume~1\jack\applic~1\Malwarebytes
    2009-09-18 23:22 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-09-18 23:22 19,160 a------- c:\windows\system32\drivers\mbam.sys
    2009-09-18 23:22 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-09-18 23:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-09-18 01:48 <DIR> --d----- c:\program files\Spybot - Search & Destroy
    2009-09-18 01:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2009-09-14 17:21 4,212 a---h--- c:\windows\system32\zllictbl.dat
    2009-09-14 17:21 1,221,512 a------- c:\windows\system32\zpeng25.dll
    2009-09-14 17:21 <DIR> --d----- c:\windows\system32\ZoneLabs
    2009-09-14 17:21 <DIR> --d----- c:\program files\Zone Labs
    2009-09-14 17:21 350,192 a------- c:\windows\system32\vsconfig.xml
    2009-09-14 17:20 <DIR> --d----- c:\windows\Internet Logs
    2009-09-10 20:09 <DIR> --d--r-- c:\program files\Skype
    2009-09-03 21:07 120 a------- c:\windows\Tcorinubesid.dat
    2009-09-03 02:05 54,156 a---h--- c:\windows\QTFont.qfn
    2009-09-03 02:05 1,409 a------- c:\windows\QTFont.for
    2009-08-27 15:13 <DIR> --d----- c:\windows\ServicePackFiles
    2009-08-27 15:02 <DIR> --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
    2009-08-27 15:00 655,872 -------- c:\windows\system32\dllcache\mstscax.dll
    2009-08-27 15:00 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
    2009-08-27 14:54 1,193,414 -------- c:\windows\system32\dllcache\sysmain.sdb
    2009-08-27 14:54 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
    2009-08-27 14:53 331,776 -------- c:\windows\system32\dllcache\msadce.dll
    2009-08-27 14:51 272,128 -------- c:\windows\system32\drivers\bthport.sys
    2009-08-27 14:51 272,128 -------- c:\windows\system32\dllcache\bthport.sys
    2009-08-26 16:02 23,576 a------- c:\windows\system32\wuapi.dll.mui

    ==================== Find3M ====================

    2009-08-05 05:11 204,800 a------- c:\windows\system32\mswebdvd.dll
    2009-08-05 05:11 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
    2009-07-29 00:53 119,808 a------- c:\windows\system32\t2embed.dll
    2009-07-29 00:53 82,432 a------- c:\windows\system32\fontsub.dll
    2009-07-29 00:53 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
    2009-07-29 00:53 82,432 -------- c:\windows\system32\dllcache\fontsub.dll
    2009-07-18 12:20 3,062,272 -------- c:\windows\system32\dllcache\mshtml.dll
    2009-07-18 12:20 1,506,304 -------- c:\windows\system32\dllcache\shdocvw.dll
    2009-07-17 14:55 58,880 a------- c:\windows\system32\atl.dll
    2009-07-17 14:55 58,880 -------- c:\windows\system32\dllcache\atl.dll
    2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
    2009-07-13 10:08 286,720 -------- c:\windows\system32\dllcache\wmpdxm.dll
    2009-07-13 10:08 5,537,792 -------- c:\windows\system32\dllcache\wmp.dll
    2009-07-10 09:42 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
    2009-06-25 04:44 724,480 a------- c:\windows\system32\lsasrv.dll
    2009-06-25 04:44 298,496 a------- c:\windows\system32\kerberos.dll
    2009-06-25 04:44 168,448 a------- c:\windows\system32\schannel.dll
    2009-06-25 04:44 133,632 a------- c:\windows\system32\msv1_0.dll
    2009-06-25 04:44 59,392 a------- c:\windows\system32\wdigest.dll
    2009-06-25 04:44 56,320 a------- c:\windows\system32\secur32.dll
    2009-06-25 04:44 724,480 -------- c:\windows\system32\dllcache\lsasrv.dll
    2009-06-25 04:44 298,496 -------- c:\windows\system32\dllcache\kerberos.dll
    2009-06-25 04:44 168,448 -------- c:\windows\system32\dllcache\schannel.dll
    2009-06-25 04:44 133,632 -------- c:\windows\system32\dllcache\msv1_0.dll
    2009-06-25 04:44 59,392 -------- c:\windows\system32\dllcache\wdigest.dll
    2009-06-25 04:44 56,320 -------- c:\windows\system32\dllcache\secur32.dll
    2006-06-22 15:14 149 a------- c:\program files\INSTALL.LOG
    2003-01-03 21:36 77,824 a------- c:\program files\Startup.exe

    ============= FINISH: 21:56:25.46 ===============

  4. #4
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

    Azureus


    I'd like you to read this thread.

    Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).


    After that:

    Please visit this webpage for download links, and instructions for running ComboFix tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:

    1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt.

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •