Virtumonde I think is killing me.
Hello. I have been a longtime user of Spybot SnD and recently came across a problem with malware. I used Spybot SnD in conjunction with a Lavasoft program to attempt to remove any and all problems. This did not work out entirely, so I used Kaspersky. I have gotten rid of everything except this Trojan.Win32.Agent.bck file; when I have Kaspersky try to delete it, my comp reboots and it is there again every time. I have tried to run these things in Safe Mode, but the same thing didn't turn up. Here is an HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:49:00 PM, on 9/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmtdivwp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1070302
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1070302
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\ujgiyreq.dll",forkonce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\cmtdivwp.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 5109 bytes
This is the Kaspersky log
9/12/2007 1:37:49 PM File: c:\windows\system32\mljjh.dll ok iSwift
9/12/2007 1:37:49 PM File: c:\program files\flashget\getflash.dll ok iSwift
9/12/2007 1:37:49 PM File: c:\program files\adobe\acrobat 7.0\reader\acrord32.exe ok iSwift
9/12/2007 1:37:49 PM File: c:\program files\msn gaming zone\windows\bckgzm.exe ok iSwift
9/12/2007 1:37:49 PM File: c:\program files\msn gaming zone\windows\chkrzm.exe ok iSwift
9/12/2007 1:37:49 PM File: c:\windows\system32\cmcfg32.dll ok iSwift
9/12/2007 1:37:49 PM File: c:\program files\netmeeting\conf.exe ok iSwift
9/12/2007 1:37:49 PM File: c:\program files\windows nt\dialer.exe ok iSwift
9/12/2007 1:37:49 PM File: c:\program files\digital line detect\dlg.exe ok iSwift
9/12/2007 1:37:49 PM File: c:\program files\mozilla firefox\firefox.exe ok iSwift
9/12/2007 1:37:49 PM File: c:\windows\pchealth\helpctr\binaries\helpctr.exe ok iSwift
9/12/2007 1:37:50 PM File: c:\program files\msn gaming zone\windows\hrtzzm.exe ok iSwift
9/12/2007 1:37:50 PM File: c:\program files\internet explorer\connection wizard\icwconn1.exe ok iSwift
9/12/2007 1:37:50 PM File: c:\program files\internet explorer\connection wizard\icwconn2.exe ok iSwift
9/12/2007 1:37:50 PM File: c:\program files\internet explorer\connection wizard\inetwiz.exe ok iSwift
9/12/2007 1:37:50 PM File: c:\program files\internet explorer\connection wizard\isignup.exe ok iSwift
9/12/2007 1:37:50 PM File: c:\program files\dell\mediadirect\mdirect.exe ok iSwift
9/12/2007 1:37:50 PM File: C:\WINDOWS\system32\usmt\migwiz.exe ok iSwift
9/12/2007 1:37:50 PM File: c:\program files\movie maker\moviemk.exe ok iSwift
9/12/2007 1:37:50 PM File: c:\windows\pchealth\helpctr\binaries\msconfig.exe ok iSwift
9/12/2007 1:37:50 PM File: C:\Program Files\outlook express\msimn.exe ok iSwift
9/12/2007 1:37:50 PM File: c:\program files\common files\microsoft shared\msinfo\msinfo32.exe ok iSwift
9/12/2007 1:37:50 PM File: c:\program files\messenger\msmsgs.exe ok iSwift
9/12/2007 1:37:50 PM File: c:\progra~1\mi1933~1\office11\mspub.exe ok iSwift
9/12/2007 1:37:50 PM File: c:\progra~1\common~1\micros~1\modi\11.0\mspview.exe ok iSwift
9/12/2007 1:37:50 PM File: c:\progra~1\mi1933~1\office11\ois.exe ok iSwift
9/12/2007 1:37:50 PM File: C:\WINDOWS\system32\mspaint.exe ok iSwift
9/12/2007 1:37:50 PM File: c:\program files\windows nt\pinball\pinball.exe ok iSwift
9/12/2007 1:37:50 PM File: c:\progra~1\mi1933~1\office11\powerpnt.exe ok iSwift
9/12/2007 1:37:50 PM File: c:\progra~1\quickt~1\quicktimeplayer.exe ok iSwift
9/12/2007 1:37:50 PM File: c:\progra~1\quickt~1\quicktimeupdater.exe ok iSwift
9/12/2007 1:37:50 PM File: c:\program files\msn gaming zone\windows\rvsezm.exe ok iSwift
9/12/2007 1:37:50 PM File: c:\progra~1\mi1933~1\office11\1033\schdpl32.exe ok iSwift
9/12/2007 1:37:50 PM File: c:\program files\msn gaming zone\windows\shvlzm.exe ok iSwift
9/12/2007 1:37:52 PM File: C:\Program Files\outlook express\wab.exe ok iSwift
9/12/2007 1:37:52 PM File: C:\Program Files\outlook express\wabmig.exe ok iSwift
9/12/2007 1:37:52 PM File: c:\program files\winrar\winrar.exe ok iSwift
9/12/2007 1:37:52 PM File: c:\progra~1\mi1933~1\office11\winword.exe ok iSwift
9/12/2007 1:37:52 PM File: c:\program files\microsoft works\wkplmstp.exe ok iSwift
9/12/2007 1:37:52 PM File: c:\program files\microsoft works\wksab.exe ok iSwift
9/12/2007 1:37:52 PM File: c:\program files\common files\microsoft shared\works shared\wkscal.exe ok iSwift
9/12/2007 1:37:52 PM File: c:\program files\microsoft works\wksdb.exe ok iSwift
9/12/2007 1:37:52 PM File: c:\program files\microsoft works\wkssb.exe ok iSwift
9/12/2007 1:37:52 PM File: c:\program files\microsoft works\wksss.exe ok iSwift
9/12/2007 1:37:52 PM File: c:\program files\microsoft works\wkswp.exe ok iSwift
9/12/2007 1:37:52 PM File: c:\program files\microsoft works\wkwcestp.exe ok iSwift
9/12/2007 1:37:52 PM File: C:\Program Files\windows nt\accessories\wordpad.exe ok iSwift
9/12/2007 1:37:52 PM File: c:\windows\system32\ntsd.exe ok iSwift
9/12/2007 1:37:52 PM File: c:\windows\system32\java.exe ok iSwift
9/12/2007 1:37:52 PM File: c:\windows\system32\console.dll ok iSwift
9/12/2007 1:37:53 PM File: c:\program files\java\jre1.5.0_06\bin\npjpi150_06.dll ok iSwift
9/12/2007 1:37:53 PM File: c:\progra~1\mi1933~1\office11\refiebar.dll ok iSwift
9/12/2007 1:37:53 PM File: c:\progra~1\mi1933~1\office11\refbar.ico ok iSwift
9/12/2007 1:37:53 PM File: c:\progra~1\mi1933~1\office11\refbarh.ico ok iSwift
9/12/2007 1:37:53 PM File: c:\program files\flashget\flashget.exe ok iSwift
9/12/2007 1:37:53 PM File: c:\program files\uniblue\spyeraser\spyeraser.exe ok iSwift
9/12/2007 1:37:53 PM File: C:\WINDOWS\system32\rsvpsp.dll ok iSwift
9/12/2007 1:37:53 PM File: C:\WINDOWS\system32\winrnr.dll ok iSwift
9/12/2007 1:37:53 PM File: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ok iSwift
9/12/2007 1:37:53 PM File: C:\Documents and Settings\user\Start Menu\Programs\Startup\desktop.ini ok iSwift
9/12/2007 1:37:53 PM File: C:\WINDOWS\ehome\ehSched.exe ok iSwift
9/12/2007 1:37:53 PM File: C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe ok iSwift
9/12/2007 1:37:53 PM File: C:\WINDOWS\ehome\ehrecvr.exe ok iSwift
9/12/2007 1:37:53 PM File: C:\WINDOWS\system32\smss.exe ok iSwift
9/12/2007 1:37:53 PM File: C:\WINDOWS\system32\WLTRYSVC.EXE ok iSwift
9/12/2007 1:37:53 PM File: C:\WINDOWS\system32\BCMWLTRY.EXE ok iSwift
9/12/2007 1:37:54 PM Logical disk sector: C ok scanned
9/12/2007 1:37:54 PM Logical disk sector: D ok scanned
9/12/2007 1:37:55 PM Physical disk sector: \Device\HarddiskVolume4 ok scanned
9/12/2007 1:37:55 PM Physical disk sector: \Device\HarddiskVolume3 ok scanned
9/12/2007 1:37:56 PM Physical disk sector: \Device\HarddiskVolume1 ok scanned
9/12/2007 1:37:56 PM Physical disk sector: \Device\Harddisk0\DR0 ok scanned
9/12/2007 1:37:56 PM File: c:\windows\system32\cmtdivwp.exe detected Trojan program 'Trojan.Win32.Agent.bck'
Any help at all would be appreciated.
This is a renamed version of HJT. I renamed the EXE to "Whatever" as per someone else's post. Hopefully this helps.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:03:57 PM, on 9/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmtdivwp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1070302
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1070302
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\ujgiyreq.dll",forkonce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\cmtdivwp.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 5155 bytes
I just realised you wanted the online scan report from Kaspersky. Here it is.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, September 12, 2007 4:35:14 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 12/09/2007
Kaspersky Anti-Virus database records: 412737
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
Scan Statistics:
Total number of scanned objects: 89159
Number of viruses found: 2
Number of infected objects: 11
Number of suspicious objects: 0
Duration of the scan process: 01:14:48
Infected Object Name / Virus Name / Last Action
C:\check_LSA7.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\00bd_File_Monitoring_eventcritlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\00bd_File_Monitoring_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\00bf_Web_Monitoring_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\00c0_pdm_eventcritlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\00c0_pdm_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\00c0_pdm_eventlog_reg.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\report.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\yj5z1qoy.default\cert8.db Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\yj5z1qoy.default\flashgot.log Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\yj5z1qoy.default\history.dat Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\yj5z1qoy.default\key3.db Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\yj5z1qoy.default\parent.lock Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\yj5z1qoy.default\search.sqlite Object is locked skipped
C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\yj5z1qoy.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\user\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\user\Desktop\Random Shit\Applications\mirc617.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
C:\Documents and Settings\user\Desktop\Random Shit\Applications\mirc617.exe mIRC: infected - 1 skipped
C:\Documents and Settings\user\Desktop\Random Shit\Dane_Cook-Vicious_Circle-(Promo_DVDA)-2006-DNR\00-dane_cook-vicious_circle-(promo_dvda)-2006-dnr.nfo Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\yj5z1qoy.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\yj5z1qoy.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\yj5z1qoy.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\yj5z1qoy.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\Rar$DR00.875\Dane_Cook-Vicious_Circle-(Promo_DVDA)-2006-DNR\00-dane_cook-vicious_circle-(promo_dvda)-2006-dnr.nfo Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\~DFDE98.tmp Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\W5Q74TU7\valera[1] Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\user\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\user\ntuser.dat.LOG Object is locked skipped
C:\Program Files\mIRC\logs\DarkMyst\#consortium.log Object is locked skipped
C:\Program Files\mIRC\logs\DarkMyst\#decusian_church.log Object is locked skipped
C:\Program Files\mIRC\logs\DarkMyst\#requiem_shard.log Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP32\A0006206.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP32\A0006213.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP32\A0006225.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP32\A0006227.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP32\A0006236.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP32\A0006261.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP32\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\NEIL.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{ED730A08-A618-4302-A254-85A7E222B49D}.crmlog Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{9A6F9EBA-93CF-46CB-8C77-39ECAB1FDEA0}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\sdiejvax.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\PR27C9.tmp Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Hello and welcome to the forums
My name is Katana and I will be helping you to remove any infection(s) that you may have.
Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)
If you can do those three things, everything should go smoothly :D
I apologize for the delay in responding, but as you can probably see, the forums are quite busy and sometimes a post manages to slip by us.
Unfortunately there are far more people needing help than there are helpers.
Download and Run ComboFix
Download Combofix from one of the two links below :
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
Then double click combofix.exe & follow the prompts.
When finished, it will produce a log for you. Post that log in your next reply
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Rename HJT
Please open your Hijack This folder (C:\Program Files\Trend Micro\HijackThis\)
Right click on Hijackthis.exe
Select Rename
Rename Hijack This to showme.exe
Double click showme
Click on the Do a system scan and save a log file button.
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
ComboFix Log
A fresh HJT (showme) Log
I understand the lack of helpers you guys have and thank you for your assistance. Here are the logs you requested.
ComboFix 07-09-14.2 - "user" 2007-09-16 21:23:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1442 [GMT -4:00]
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\bhoffwhl.dll
C:\WINDOWS\system32\clmjxter.ini
C:\WINDOWS\system32\ellwhpav.dll
C:\WINDOWS\system32\hjjlm.bak1
C:\WINDOWS\system32\hjjlm.bak2
C:\WINDOWS\system32\hjjlm.ini
C:\WINDOWS\system32\hjjlm.ini2
C:\WINDOWS\system32\kltnjetw.ini
C:\WINDOWS\system32\lhwffohb.ini
C:\WINDOWS\system32\mljjh.dll
C:\WINDOWS\system32\okickxbl.exe
C:\WINDOWS\system32\retxjmlc.dll
C:\WINDOWS\system32\ujntadca.dll
C:\WINDOWS\system32\wtejntlk.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_DOMAINSERVICE
((((((((((((((((((((((((( Files Created from 2007-08-17 to 2007-09-17 )))))))))))))))))))))))))))))))
.
2007-09-16 21:12 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-15 21:38 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\Help
2007-09-14 18:02 <DIR> d-------- C:\Program Files\directx
2007-09-14 17:57 <DIR> d-------- C:\Sierra
2007-09-14 03:43 21,840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2007-09-14 03:43 17,212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2007-09-14 03:43 12,067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2007-09-13 20:40 5,248 --a------ C:\WINDOWS\system32\drivers\d347prt.sys
2007-09-13 20:40 155,136 --a------ C:\WINDOWS\system32\drivers\d347bus.sys
2007-09-13 20:40 <DIR> d-------- C:\Program Files\D-Tools
2007-09-13 06:21 181,248 --------- C:\WINDOWS\system32\dllcache\rasmans.dll
2007-09-13 06:08 359,808 --------- C:\WINDOWS\system32\dllcache\tcpip.sys
2007-09-13 06:08 122,880 --------- C:\WINDOWS\system32\dllcache\oledlg.dll
2007-09-13 06:06 539,136 --------- C:\WINDOWS\system32\dllcache\msftedit.dll
2007-09-13 06:06 433,152 --------- C:\WINDOWS\system32\dllcache\riched20.dll
2007-09-13 05:33 23,040 --------- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-09-13 05:33 16,896 --------- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-09-13 05:33 128,896 --------- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-09-13 05:19 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-09-13 05:00 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-09-12 16:51 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\MailFrontier
2007-09-12 16:06 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-09-12 16:05 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-09-12 16:05 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-09-12 16:04 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-09-12 16:04 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-09-12 16:03 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-09-12 14:22 <DIR> d-------- C:\VundoFix Backups
2007-09-12 14:11 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-12 13:48 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-12 12:19 574,464 --------- C:\WINDOWS\system32\dllcache\ntfs.sys
2007-09-12 12:18 2,330,624 --------- C:\WINDOWS\system32\dllcache\wmvcore.dll
2007-09-11 19:10 23,040 --------- C:\WINDOWS\kb913800.exe
2007-09-11 17:57 225,664 --------- C:\WINDOWS\system32\dllcache\tcpip6.sys
2007-09-11 17:57 100,352 --------- C:\WINDOWS\system32\dllcache\6to4svc.dll
2007-09-11 16:55 82,061 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-09-11 16:55 81,549 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-09-11 16:49 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-09-11 16:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-09-11 16:48 99,360 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-09-11 16:48 5,589,280 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-09-11 15:06 <DIR> d-------- C:\kav
2007-09-11 14:36 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Uniblue
2007-09-11 13:07 292,864 --------- C:\WINDOWS\system32\dllcache\winsrv.dll
2007-09-11 12:33 <DIR> d-------- C:\Program Files\Uniblue
2007-09-11 12:33 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\Uniblue
2007-09-11 11:41 134,656 --------- C:\WINDOWS\system32\dllcache\shsvcs.dll
2007-09-10 21:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-10 20:46 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-10 20:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-10 20:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-09 22:27 <DIR> d-------- C:\Program Files\DivX
2007-09-04 20:11 <DIR> d-------- C:\Program Files\Steam
2007-09-04 18:07 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\HP
2007-09-04 18:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\HP
2007-09-04 18:05 <DIR> d-------- C:\Program Files\Common Files\HP
2007-09-04 18:03 48,640 --a------ C:\WINDOWS\system32\hpzll4pi.dll
2007-09-04 17:58 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2007-09-04 17:58 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2007-09-04 17:58 65,536 --a------ C:\WINDOWS\system32\HPZinw12.exe
2007-09-04 17:58 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2007-09-04 17:58 306,688 --a------ C:\WINDOWS\IsUninst.exe
2007-09-04 17:58 282,680 --a------ C:\WINDOWS\system32\HPZidr12.dll
2007-09-04 17:58 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2007-09-04 17:57 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-09-04 17:57 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-09-04 17:57 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-09-04 17:57 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys
2007-09-04 17:56 14,916 --------- C:\WINDOWS\hphmdl12.dat
2007-09-04 17:56 123,996 --a------ C:\WINDOWS\HPHins12.dat
2007-08-25 21:20 <DIR> d-------- C:\Program Files\Magic Workstation
2007-08-25 10:00 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-08-25 10:00 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-08-25 10:00 <DIR> d-------- C:\Program Files\Xvid
2007-08-22 21:04 <DIR> d-------- C:\Program Files\Azureus
2007-08-22 21:04 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\Azureus
2007-08-16 02:44 <DIR> d---s---- C:\DOCUME~1\user\UserData
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-16 21:34 75884 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-09-16 21:34 10364 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-09-16 21:24 --------- d-------- C:\Program Files\mIRC
2007-09-13 14:35 --------- d-------- C:\Program Files\FlashGet
2007-09-04 20:41 --------- d-------- C:\Program Files\Trillian
2007-08-26 12:54 --------- d-------- C:\Program Files\Winamp
2007-08-15 05:14 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\YAHOO
2007-08-15 05:13 --------- d-------- C:\Program Files\Real
2007-08-15 05:13 --------- d-------- C:\Program Files\CyberLink
2007-08-15 05:08 --------- d-------- C:\Program Files\RGB
2007-08-15 04:34 --------- d-------- C:\DOCUME~1\user\APPLIC~1\dvdcss
2007-08-11 20:32 --------- d-------- C:\DOCUME~1\user\APPLIC~1\Real
2007-08-10 15:41 --------- d-------- C:\DOCUME~1\user\APPLIC~1\Template
2007-08-07 21:43 --------- d-------- C:\Program Files\Real Alternative
2007-08-07 21:43 --------- d-------- C:\Program Files\Media Player Classic
2007-08-07 21:43 --------- d-------- C:\Program Files\Common Files\Real
2007-08-07 21:43 --------- d-------- C:\DOCUME~1\user\APPLIC~1\Media Player Classic
2007-08-07 21:43 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Real
2007-08-07 18:05 --------- d-------- C:\DOCUME~1\user\APPLIC~1\AdobeUM
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-07 00:06 --------- d-------- C:\DOCUME~1\user\APPLIC~1\vlc
2007-08-07 00:03 --------- d-------- C:\Program Files\VideoLAN
2007-08-05 01:13 --------- d-------- C:\Program Files\Razor
2007-08-04 23:26 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-04 23:26 --------- d-------- C:\Program Files\EA Games
2007-08-04 22:34 614656 --a------ C:\WINDOWS\system32\Windows Vista Screensaver v2.scr
2007-08-04 22:34 --------- d-------- C:\Program Files\Home
2007-08-04 21:57 --------- d-------- C:\DOCUME~1\user\APPLIC~1\Trillian
2007-08-04 20:59 --------- d-------- C:\DOCUME~1\user\APPLIC~1\U3
2007-08-04 20:37 --------- d-------- C:\Program Files\Dell
2007-08-04 20:31 --------- d--h----- C:\DOCUME~1\user\APPLIC~1\Gtek
2007-08-04 20:31 --------- d--h----- C:\DOCUME~1\ADMINI~1\APPLIC~1\GTek
2007-08-04 20:26 --------- d-------- C:\DOCUME~1\user\APPLIC~1\AOL
2007-08-04 20:26 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-08-04 20:26 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\AOL
2007-08-04 17:33 21425 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2007-08-04 17:33 --------- d-------- C:\DOCUME~1\user\APPLIC~1\Intel
2007-08-04 17:33 --------- d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Intel
2007-08-04 17:33 --------- d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Intel
2007-08-04 17:33 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Intel
2007-08-04 17:33 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Intel
2007-08-04 17:32 --------- d-------- C:\Program Files\Intel
2007-08-04 17:32 --------- d-------- C:\DOCUME~1\user\APPLIC~1\WinRAR
2007-08-04 17:24 --------- d-------- C:\DOCUME~1\user\APPLIC~1\ATI
2007-08-04 17:20 --------- d-------- C:\Program Files\ATI Technologies
2007-08-04 12:50 163712 --a------ C:\WINDOWS\system32\drivers\vidstub.sys
2007-08-04 12:32 --------- d-------- C:\Program Files\Stardock
2007-08-04 12:32 --------- d-------- C:\Program Files\Common Files\Stardock
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-26 19:06 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-26 19:06 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-06-28 12:51 206088 --a------ C:\WINDOWS\system32\klogon.dll
2007-06-26 11:13 851968 --------- C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-26 10:35 665600 --------- C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 02:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 09:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{733E9132-53CA-4C97-9AC9-145C4502FA20}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BootSkin Startup Jobs"="C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-26 16:21]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2005-09-26 20:34]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnljge]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\Windowblinds\wbsrv.dll 2005-12-06 22:16 176128 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\mljjh
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray]
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
C:\WINDOWS\system32\WLTRAY.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
C:\Program Files\Dell\QuickSet\quickset.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
"C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
"C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {F073BDC9-0D67-4ff0-879E-27241C843828} /MODE CfgWiz /CMDLINE "REBOOT"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Dell\MediaDirect\PCMService.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
stsystra.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
"C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpyEraser]
"C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
C:\Program Files\Norton Internet Security\UrlLstCk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WebClient"=2 (0x2)
"TrkWks"=2 (0x2)
"TapiSrv"=3 (0x3)
"Schedule"=2 (0x2)
"navapsvc"=2 (0x2)
"MDM"=2 (0x2)
"McrdSvc"=2 (0x2)
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys
R3 NETw3x32;Intel(R) PRO/Wireless 3945ABG Adapter Driver for Windows XP 32 Bit;C:\WINDOWS\system32\DRIVERS\NETw3x32.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4dc1a796-42d0-11dc-8cca-00038a000015}]
AutoRun\command- E:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-09-11 21:24:07 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2007-09-11 19:19:31 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-16 21:38:43
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-09-16 21:41:20 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-16 21:41
.
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:44:22 PM, on 9/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\showme.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1070302
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {733E9132-53CA-4C97-9AC9-145C4502FA20} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - Winlogon Notify: nnnljge - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 5667 bytes
Hi NY`Neil,
Custom CFScript
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
File::
C:\WINDOWS\system32\sdiejvax.exe
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\W5Q74TU7\valera[1]
Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnljge]
Save this as CFScript.txt and place it on your desktop.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
ComboFix Log
A fresh HJT (showme) Log
How are things running now?
Things are running very smoothly now. No popups and system performance is good.
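As an added example (not part of this thread and not ComboFix's own tooling): a small Python check that decodes the hex(7) "Authentication Packages" value from the CFScript above, showing it restores the value to msv1_0 only, and scans ComboFix "Reg Loading Points" lines for the two persistence points the script removes: an extra LSA authentication package and a Winlogon Notify key with no resolved DLL. The sample lines are constructed from the log posted above; EXPECTED_AUTH_PACKAGES reflects the Windows XP default and is an assumption of this example.

```python
import re
from typing import List

# Constructed sample: the relevant lines from the ComboFix "Reg Loading Points"
# section of the log posted above (the nnnljge and mljjh names come from this thread).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnljge]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\Windowblinds\wbsrv.dll 2005-12-06 22:16 176128 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\mljjh
"""

# The Registry:: value from the CFScript in the reply above.
CFSCRIPT_AUTH_PACKAGES = "6d,73,76,31,5f,30,00,00"

# Assumption: on Windows XP the only default LSA authentication package is msv1_0.
EXPECTED_AUTH_PACKAGES = {"msv1_0"}

NOTIFY_KEY = re.compile(r"^\[.*\\winlogon\\notify\\([^\]]+)\]$", re.IGNORECASE)
AUTH_LINE = re.compile(r'^"Authentication Packages"\s*=\s*(.*)$', re.IGNORECASE)


def decode_multi_sz(hex7: str) -> List[str]:
    """Decode a .reg-style hex(7) (REG_MULTI_SZ) value into its list of strings.

    The CFScript writes the value as comma-separated 8-bit bytes; the strings
    are NUL-separated and the list is terminated by a double NUL.
    """
    raw = bytes(int(b, 16) for b in hex7.split(",") if b.strip())
    # latin-1 maps every byte to a code point, so decoding cannot fail.
    return [s for s in raw.decode("latin-1").split("\x00") if s]


def unexpected_auth_packages(log: str) -> List[str]:
    """Return LSA authentication packages in the dump that are not in the expected set."""
    for line in log.splitlines():
        m = AUTH_LINE.match(line.strip())
        if m:
            return [p for p in m.group(1).split() if p.lower() not in EXPECTED_AUTH_PACKAGES]
    return []


def notify_entries_without_dll(log: str) -> List[str]:
    """Return Winlogon Notify subkeys for which the dump shows no DLL path.

    ComboFix prints the DllName path on the line after a Notify key when the
    file is found; a key followed directly by the next key (or by the end of
    the dump) is a candidate dead or hidden loader, like the nnnljge entry above.
    """
    lines = [l.strip() for l in log.splitlines() if l.strip()]
    flagged = []
    for i, line in enumerate(lines):
        m = NOTIFY_KEY.match(line)
        if not m:
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if not nxt or nxt.startswith("[") or nxt.startswith('"'):
            flagged.append(m.group(1))
    return flagged


if __name__ == "__main__":
    print("CFScript restores Authentication Packages to:", decode_multi_sz(CFSCRIPT_AUTH_PACKAGES))
    print("Unexpected auth packages in dump:", unexpected_auth_packages(SAMPLE_LOG))
    print("Notify keys with no DLL:", notify_entries_without_dll(SAMPLE_LOG))
```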
ComboFix 07-09-14.2 - "user" 2007-09-17 18:53:41.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1456 [GMT -4:00]
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
* Created a new restore point
FILE::
C:\WINDOWS\system32\sdiejvax.exe
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\W5Q74TU7\valera[1]
.
((((((((((((((((((((((((( Files Created from 2007-08-17 to 2007-09-17 )))))))))))))))))))))))))))))))
.
2007-09-16 21:12 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-15 21:38 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\Help
2007-09-14 18:02 <DIR> d-------- C:\Program Files\directx
2007-09-14 17:57 <DIR> d-------- C:\Sierra
2007-09-14 03:43 21,840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2007-09-14 03:43 17,212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2007-09-14 03:43 12,067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2007-09-13 20:40 5,248 --a------ C:\WINDOWS\system32\drivers\d347prt.sys
2007-09-13 20:40 155,136 --a------ C:\WINDOWS\system32\drivers\d347bus.sys
2007-09-13 20:40 <DIR> d-------- C:\Program Files\D-Tools
2007-09-13 06:21 181,248 --------- C:\WINDOWS\system32\dllcache\rasmans.dll
2007-09-13 06:08 359,808 --------- C:\WINDOWS\system32\dllcache\tcpip.sys
2007-09-13 06:08 122,880 --------- C:\WINDOWS\system32\dllcache\oledlg.dll
2007-09-13 06:06 539,136 --------- C:\WINDOWS\system32\dllcache\msftedit.dll
2007-09-13 06:06 433,152 --------- C:\WINDOWS\system32\dllcache\riched20.dll
2007-09-13 05:33 23,040 --------- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-09-13 05:33 16,896 --------- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-09-13 05:33 128,896 --------- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-09-13 05:19 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-09-13 05:00 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-09-12 16:51 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\MailFrontier
2007-09-12 16:06 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-09-12 16:05 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-09-12 16:05 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-09-12 16:04 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-09-12 16:04 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-09-12 16:03 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-09-12 14:22 <DIR> d-------- C:\VundoFix Backups
2007-09-12 14:11 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-12 13:48 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-12 12:19 574,464 --------- C:\WINDOWS\system32\dllcache\ntfs.sys
2007-09-12 12:18 2,330,624 --------- C:\WINDOWS\system32\dllcache\wmvcore.dll
2007-09-11 19:10 23,040 --------- C:\WINDOWS\kb913800.exe
2007-09-11 17:57 225,664 --------- C:\WINDOWS\system32\dllcache\tcpip6.sys
2007-09-11 17:57 100,352 --------- C:\WINDOWS\system32\dllcache\6to4svc.dll
2007-09-11 16:55 82,061 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-09-11 16:55 81,549 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-09-11 16:49 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-09-11 16:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-09-11 16:48 5,641,248 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-09-11 16:48 101,920 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-09-11 15:06 <DIR> d-------- C:\kav
2007-09-11 14:36 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Uniblue
2007-09-11 13:07 292,864 --------- C:\WINDOWS\system32\dllcache\winsrv.dll
2007-09-11 12:33 <DIR> d-------- C:\Program Files\Uniblue
2007-09-11 12:33 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\Uniblue
2007-09-11 11:41 134,656 --------- C:\WINDOWS\system32\dllcache\shsvcs.dll
2007-09-10 21:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-10 20:46 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-10 20:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-10 20:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-09 22:27 <DIR> d-------- C:\Program Files\DivX
2007-09-04 20:11 <DIR> d-------- C:\Program Files\Steam
2007-09-04 18:07 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\HP
2007-09-04 18:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\HP
2007-09-04 18:05 <DIR> d-------- C:\Program Files\Common Files\HP
2007-09-04 18:03 48,640 --a------ C:\WINDOWS\system32\hpzll4pi.dll
2007-09-04 17:58 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2007-09-04 17:58 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2007-09-04 17:58 65,536 --a------ C:\WINDOWS\system32\HPZinw12.exe
2007-09-04 17:58 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2007-09-04 17:58 306,688 --a------ C:\WINDOWS\IsUninst.exe
2007-09-04 17:58 282,680 --a------ C:\WINDOWS\system32\HPZidr12.dll
2007-09-04 17:58 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2007-09-04 17:57 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-09-04 17:57 31,616 --a------ C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-09-04 17:57 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-09-04 17:57 25,856 --a------ C:\WINDOWS\system32\dllcache\usbprint.sys
2007-09-04 17:56 14,916 --------- C:\WINDOWS\hphmdl12.dat
2007-09-04 17:56 123,996 --a------ C:\WINDOWS\HPHins12.dat
2007-08-25 21:20 <DIR> d-------- C:\Program Files\Magic Workstation
2007-08-25 10:00 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-08-25 10:00 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-08-25 10:00 <DIR> d-------- C:\Program Files\Xvid
2007-08-22 21:04 <DIR> d-------- C:\Program Files\Azureus
2007-08-22 21:04 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\Azureus
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-17 08:28 --------- d-------- C:\Program Files\mIRC
2007-09-16 21:34 75884 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-09-16 21:34 10364 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-09-13 14:35 --------- d-------- C:\Program Files\FlashGet
2007-09-04 20:41 --------- d-------- C:\Program Files\Trillian
2007-08-26 12:54 --------- d-------- C:\Program Files\Winamp
2007-08-15 05:14 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\YAHOO
2007-08-15 05:13 --------- d-------- C:\Program Files\Real
2007-08-15 05:13 --------- d-------- C:\Program Files\CyberLink
2007-08-15 05:08 --------- d-------- C:\Program Files\RGB
2007-08-15 04:34 --------- d-------- C:\DOCUME~1\user\APPLIC~1\dvdcss
2007-08-11 20:32 --------- d-------- C:\DOCUME~1\user\APPLIC~1\Real
2007-08-10 15:41 --------- d-------- C:\DOCUME~1\user\APPLIC~1\Template
2007-08-07 21:43 --------- d-------- C:\Program Files\Real Alternative
2007-08-07 21:43 --------- d-------- C:\Program Files\Media Player Classic
2007-08-07 21:43 --------- d-------- C:\Program Files\Common Files\Real
2007-08-07 21:43 --------- d-------- C:\DOCUME~1\user\APPLIC~1\Media Player Classic
2007-08-07 21:43 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Real
2007-08-07 18:05 --------- d-------- C:\DOCUME~1\user\APPLIC~1\AdobeUM
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-07 00:06 --------- d-------- C:\DOCUME~1\user\APPLIC~1\vlc
2007-08-07 00:03 --------- d-------- C:\Program Files\VideoLAN
2007-08-05 01:13 --------- d-------- C:\Program Files\Razor
2007-08-04 23:26 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-04 23:26 --------- d-------- C:\Program Files\EA Games
2007-08-04 22:34 614656 --a------ C:\WINDOWS\system32\Windows Vista Screensaver v2.scr
2007-08-04 22:34 --------- d-------- C:\Program Files\Home
2007-08-04 21:57 --------- d-------- C:\DOCUME~1\user\APPLIC~1\Trillian
2007-08-04 20:59 --------- d-------- C:\DOCUME~1\user\APPLIC~1\U3
2007-08-04 20:37 --------- d-------- C:\Program Files\Dell
2007-08-04 20:31 --------- d--h----- C:\DOCUME~1\user\APPLIC~1\Gtek
2007-08-04 20:31 --------- d--h----- C:\DOCUME~1\ADMINI~1\APPLIC~1\GTek
2007-08-04 20:26 --------- d-------- C:\DOCUME~1\user\APPLIC~1\AOL
2007-08-04 20:26 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-08-04 20:26 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\AOL
2007-08-04 17:33 21425 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2007-08-04 17:33 --------- d-------- C:\DOCUME~1\user\APPLIC~1\Intel
2007-08-04 17:33 --------- d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Intel
2007-08-04 17:33 --------- d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Intel
2007-08-04 17:33 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Intel
2007-08-04 17:33 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Intel
2007-08-04 17:32 --------- d-------- C:\Program Files\Intel
2007-08-04 17:32 --------- d-------- C:\DOCUME~1\user\APPLIC~1\WinRAR
2007-08-04 17:24 --------- d-------- C:\DOCUME~1\user\APPLIC~1\ATI
2007-08-04 17:20 --------- d-------- C:\Program Files\ATI Technologies
2007-08-04 12:50 163712 --a------ C:\WINDOWS\system32\drivers\vidstub.sys
2007-08-04 12:32 --------- d-------- C:\Program Files\Stardock
2007-08-04 12:32 --------- d-------- C:\Program Files\Common Files\Stardock
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-26 19:06 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-26 19:06 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-06-28 12:51 206088 --a------ C:\WINDOWS\system32\klogon.dll
2007-06-26 11:13 851968 --------- C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-26 10:35 665600 --------- C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 02:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 09:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{733E9132-53CA-4C97-9AC9-145C4502FA20}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BootSkin Startup Jobs"="C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-26 16:21]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2005-09-26 20:34]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\Windowblinds\wbsrv.dll 2005-12-06 22:16 176128 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray]
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
C:\WINDOWS\system32\WLTRAY.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"C:\Program Files\D-Tools\daemon.exe" -lang 1033
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
C:\Program Files\Dell\QuickSet\quickset.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
"C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
"C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IS CfgWiz]
C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {F073BDC9-0D67-4ff0-879E-27241C843828} /MODE CfgWiz /CMDLINE "REBOOT"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Dell\MediaDirect\PCMService.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
stsystra.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
"C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpyEraser]
"C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\URLLSTCK.exe]
C:\Program Files\Norton Internet Security\UrlLstCk.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]
"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WebClient"=2 (0x2)
"TrkWks"=2 (0x2)
"TapiSrv"=3 (0x3)
"Schedule"=2 (0x2)
"navapsvc"=2 (0x2)
"MDM"=2 (0x2)
"McrdSvc"=2 (0x2)
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys
R3 NETw3x32;Intel(R) PRO/Wireless 3945ABG Adapter Driver for Windows XP 32 Bit;C:\WINDOWS\system32\DRIVERS\NETw3x32.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4dc1a796-42d0-11dc-8cca-00038a000015}]
AutoRun\command- E:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-09-11 21:24:07 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
"2007-09-11 19:19:31 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-17 18:56:13
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-09-17 18:56:54
C:\ComboFix-quarantined-files.txt ... 2007-09-17 18:56
C:\ComboFix2.txt ... 2007-09-16 21:41
.
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:49:42 PM, on 9/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\showme.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1070302
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {733E9132-53CA-4C97-9AC9-145C4502FA20} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 5475 bytes
Hi NY`Neil,
Just a couple of things to clear up,
Your first couple of logs show your antivirus running, the last couple don't.
Have you been stopping it?
Fix With HJT
Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines
O2 - BHO: (no name) - {733E9132-53CA-4C97-9AC9-145C4502FA20} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6u2
http://java.sun.com/javase/downloads/index.jsp
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check for any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.
Please post a final HJT log in your reply
To answer your question, yes, I have been turning off my anti-virus. It was becoming a hassle when using ComboFix and some other stuff. It is back on now though.
I did everything you asked; the system seems to be running well. My only problem now is that my system startup takes quite a while. After the boot screen it sits on the Windows login screen for a while, then goes to my desktop and takes 5 or so minutes to load a few programs.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:58:02 PM, on 9/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\showme.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1070302
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 5563 bytes
Is Kaspersky set to run a scan at startup?
Having MSConfig running at startup won't help either :)
Kaspersky was set to run a scan at startup, yes. Just changed it. Not much help. How do I stop MSConfig from running at startup?
Thank you for all the help, by the way. It's greatly appreciated.
When you boot your PC, do you get a popup with the title
"System Configuration Utility"
I apologize for the delay in posting. Had some RL problems recently I had to deal with.
Thank you for sticking with me.
To answer your question yes. That window does pop up on startup.
No problem :)
Fix With HJT
Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis
How is the boot-up now?
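The two "Fix With HJT" posts above (the orphaned BHO/button CLSIDs, then the MSConfig entry) are the helper reading the HijackThis log by eye. As an added example, not part of this thread and not code from HijackThis or Trend Micro, here is a small Python triage script that does the same three checks over HJT O2/O4/O9/O23 lines: it flags entries whose target is "(no file)", an MSConfig.exe /auto entry left in a Run key, and services HJT lists with no publisher. The sample lines are copied from the logs posted in this thread; the field names and finding categories are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed input for this example: HijackThis 2.0.2 entries copied from the
# logs posted in this thread (a real log also has the header and process list,
# which the parser skips).
SAMPLE_HJT_LINES = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {733E9132-53CA-4C97-9AC9-145C4502FA20} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""

ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
GUID = r"\{[0-9A-Fa-f-]{36}\}"

# One body pattern per section type we triage. Each yields a "target" group
# (the file the entry points at) plus whatever else the section carries.
BODY_PATTERNS = {
    # O2 - BHO: <name> - {CLSID} - <dll path or "(no file)">
    "O2": re.compile(rf"^BHO: (?P<name>.+?) - (?P<clsid>{GUID}) - (?P<target>.+)$"),
    # O4 - HKLM\..\Run: [<value name>] <command line>
    "O4": re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>.+?)\] (?P<target>.+)$"),
    # O9 - Extra button|Extra 'Tools' menuitem: <name> - {CLSID} - <path or "(no file)">
    "O9": re.compile(rf"^Extra [^:]+: (?P<name>.+?) - (?P<clsid>{GUID}) - (?P<target>.+)$"),
    # O23 - Service: <display name> [(<short name>)] - <company from version info> - <binary>
    "O23": re.compile(r"^Service: (?P<name>.+?)(?: \((?P<short>[^)]+)\))? - (?P<owner>.+?) - (?P<target>.+)$"),
}


@dataclass
class Entry:
    section: str            # O2, O4, O9, O23, R0, ...
    raw: str                # the full log line
    fields: Dict[str, str]  # parsed groups; empty for sections we do not parse


@dataclass
class Finding:
    kind: str               # orphan | msconfig_autorun | unknown_owner
    entry: Entry
    note: str


def parse_hjt(text: str) -> List[Entry]:
    """Turn an HJT log into Entry objects, skipping header and process-list lines."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        pat = BODY_PATTERNS.get(section)
        bm = pat.match(body) if pat else None
        fields = {k: v for k, v in bm.groupdict().items() if v is not None} if bm else {}
        entries.append(Entry(section, line, fields))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """The three checks the helper applied by eye in this thread."""
    findings: List[Finding] = []
    for e in entries:
        target = e.fields.get("target", "")
        # CLSID still registered but its DLL/EXE is gone: a harmless leftover
        # (often from an incomplete removal) that HJT's 'Fix checked' clears.
        if target == "(no file)":
            findings.append(Finding("orphan", e,
                f"{e.section} entry {e.fields.get('clsid', '')} points at a missing file"))
        # MSConfig.exe /auto in a Run key means the machine is still in Selective
        # Startup and the System Configuration Utility pops up on every boot.
        if e.section == "O4" and "msconfig.exe" in target.lower() and "/auto" in target.lower():
            findings.append(Finding("msconfig_autorun", e,
                f"{e.fields.get('hive')}\\..\\{e.fields.get('key')} still launches MSConfig"))
        # HJT prints 'Unknown owner' when the service binary carries no CompanyName
        # in its version resource. Legitimate OEM files do this too: verify, don't delete.
        if e.section == "O23" and e.fields.get("owner") == "Unknown owner":
            findings.append(Finding("unknown_owner", e,
                f"service {e.fields.get('short') or e.fields.get('name')} has no publisher string: verify {target}"))
    return findings


def triage_text(text: str) -> List[Finding]:
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for f in triage_text(SAMPLE_HJT_LINES):
        print(f"[{f.kind}] {f.note}\n    {f.entry.raw}")
```

Run against the sample it reports the two orphaned "(no name)" entries, the MSConfig Run value, and the Dell wltrysvc service for review; everything else (Adobe, Kaspersky, ctfmon, ATI) passes. The "unknown_owner" check deliberately asks for verification rather than removal, since, as in this log, a legitimate OEM tray service can lack version information.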
Boot-up is better but still seems awfully slow. I defragged and disk cleaned as well as removed a lot of unnecessary programs. It still just seems a lot slower than it was before I got this virus.
Let's try one last scan to be sure.
TotalScan
Please go to this site: TotalScan (http://www.nanoscan.com/as/v1/?)
Under Scan Now click the Full Scan button
Follow the prompts to install the Active X if necessary
Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
When the scan is finished, a report will be generated
Next to Scan Details click the small Save button and save the report to your desktop.
Please post the report in your reply.
Also, how old is the system and has it ever been reformatted ?
:scratch:
This topic has been archived.
If you need it re-opened, please send me a private message (pm) and provide a link to the thread.
Applies only to the original poster, anyone else with similar problems please start a new topic.