View Full Version : Big problems please help VIRTUMONDE
Iminfected
2007-11-16, 11:34
Virtumonde and Virtumonde.generic keep coming up in search and destroy. I also have a yellow triangle on start bar that keeps doing all kinds of stuff saying i have so and so trojan/virus click here. Please help. I could not get the online scanner to work. I can remove them with search and destroy but they come back. I also think Virtumonde keeps adding things "not sure what though".
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:22:26 AM, on 11/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\Fonts\svchost.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\Fonts\svchost.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\PerSono\perstray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\mmmdajfk.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insightbb.com
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\xwniioah.dll
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingE1082] "C:\Program Files\Spybot - Search & Destroy\SDDelFile.exe" "C:\WINDOWS\system32\xwniioah.dllbox"
O4 - HKLM\..\RunOnce: [SpybotDeletingE5002] "C:\Program Files\Spybot - Search & Destroy\SDDelFile.exe" "C:\WINDOWS\system32\xwniioah.dll"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingF4932] "C:\Program Files\Spybot - Search & Destroy\SDDelFile.exe" "C:\WINDOWS\system32\xwniioah.dllbox"
O4 - HKCU\..\RunOnce: [SpybotDeletingF2239] "C:\Program Files\Spybot - Search & Destroy\SDDelFile.exe" "C:\WINDOWS\system32\xwniioah.dll"
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Perstray.lnk = ?
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190953039796
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
--
End of file - 7348 bytes
Hi Iminfected
Rename HijackThis.exe to Iminfected.exe and post back a fresh HijackThis log, please :)
Iminfected
2007-11-18, 00:03
Hi Shaba, Thank you for your help!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:02:28 PM, on 11/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\Fonts\svchost.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\Fonts\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\PerSono\perstray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Trend Micro\HijackThis\Iminfected.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insightbb.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A386684-D356-451F-A9B0-F1573D611B0F} - (no file)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A89A4032-2853-4570-8EEA-A6BBC7EE4EA5} - C:\WINDOWS\system32\ddayw.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\xwniioah.dll (file missing)
O2 - BHO: (no name) - {B4CBF084-F699-4555-ABB7-FF9AAFC3F511} - (no file)
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\qommmkk.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\xwniioah.dll (file missing)
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Perstray.lnk = ?
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190953039796
O20 - Winlogon Notify: qommmkk - C:\WINDOWS\SYSTEM32\qommmkk.dll
O20 - Winlogon Notify: xwniioah - xwniioah.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
--
End of file - 7678 bytes
Hi
We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
1. Download combofix from one of these links and save it to Desktop:
Link1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link2 (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Post:
- a fresh HijackThis log
- combofix report
- vundofix report
Iminfected
2007-11-19, 06:58
Hi, here is a fresh Hijack log after running vundofix. And the vundofix log after running vundofix. Combofix would not run because it said "This copy of Combofix has expired" and then uninstalled. Even after trying both links.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:56:41 PM, on 11/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\xnfrwhpt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\Fonts\svchost.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\Fonts\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\PerSono\perstray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\Iminfected.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A386684-D356-451F-A9B0-F1573D611B0F} - (no file)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7A31883F-DA86-4A71-A667-0A6E5AC47262} - C:\WINDOWS\system32\mljgd.dll
O2 - BHO: (no name) - {9C0A5D64-B88E-4FDD-AF46-923CDF14EA32} - C:\WINDOWS\system32\ddayw.dll (file missing)
O2 - BHO: (no name) - {B4CBF084-F699-4555-ABB7-FF9AAFC3F511} - (no file)
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\qommmkk.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Perstray.lnk = ?
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190953039796
O20 - Winlogon Notify: qommmkk - C:\WINDOWS\SYSTEM32\qommmkk.dll
O20 - Winlogon Notify: xwniioah - xwniioah.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\xnfrwhpt.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
--
End of file - 7428 bytes
VundoFix V6.6.2
Checking Java version...
Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.
Scan started at 11:19:19 PM 11/18/2007
Listing files found while scanning....
C:\windows\system32\ddayw.dll
C:\windows\system32\pjprciob.dll
C:\windows\system32\wyadd.ini
C:\windows\system32\wyadd.ini2
C:\WINDOWS\system32\xwniioah.dll
Beginning removal...
Attempting to delete C:\windows\system32\ddayw.dll
C:\windows\system32\ddayw.dll Has been deleted!
Attempting to delete C:\windows\system32\pjprciob.dll
C:\windows\system32\pjprciob.dll Has been deleted!
Attempting to delete C:\windows\system32\wyadd.ini
C:\windows\system32\wyadd.ini Has been deleted!
Attempting to delete C:\windows\system32\wyadd.ini2
C:\windows\system32\wyadd.ini2 Has been deleted!
Performing Repairs to the registry.
Done!
Iminfected
2007-11-19, 07:13
I wanted to add some things that may or may not help you. There are some icons on my desktop that were added during or round about the time I think this virus/trojan infected me. They look like shields, one is green with a check mark and says "online security" and the other is blue with an exclamation point and says " live safety center".
Few other questions. I do want to reinstall windows on this machine for a fresh start. But there are many files and programs that I want to save and put back on that I have downloaded in the past. Will doing all this make them clean for a fresh install? Or do I take the chance of reinfecting myself again?
Also is my cabe modem and firewall router in any kind of trouble? Or will just resetting all firmware on them protect me? I have been experienceing trouble with them for some time now.
I do thank you for helping. I know this is alot to look at and ask. Maybe answers to these will more noobs like myself in the future.
This is great work you are doing and I will donate some $$.:bigthumb:
Hi
"I wanted to add some things that may or may not help you. There are some icons on my desktop that were added during or round about the time I think this virus/trojan infected me. They look like shields, one is green with a check mark and says "online security" and the other is blue with an exclamation point and says " live safety center"."
There are related to malware, yes.
"Few other questions. I do want to reinstall windows on this machine for a fresh start. But there are many files and programs that I want to save and put back on that I have downloaded in the past. Will doing all this make them clean for a fresh install? Or do I take the chance of reinfecting myself again?"
Do you want me to attempt to clean your machine or do you want to reformat?
"Also is my cabe modem and firewall router in any kind of trouble? Or will just resetting all firmware on them protect me? I have been experienceing trouble with them for some time now."
No, they shouldn't be.
Iminfected
2007-11-20, 01:50
I do want to clean it. I just want to make sure I don't reinfect myself. Is it possible if after we clean my machine, then I save many files and programs to a CD or whatever. Then I reformat and reinstall all these files and programs that I saved. That I will reinfect myself? Or will everything be clean and good after you finish helping me?
Hi
"Or will everything be clean and good after you finish helping me?"
Well there are no such infection present that would require reformatting.
This is the next step as combofix is expired:
Download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.
Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post. in your reply
Iminfected
2007-11-20, 19:12
Deckard's System Scanner v20071014.68
Run by Frogman on 2007-11-20 11:40:59
Computer is in Normal Mode.
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 3 Restore Point(s) --
3: 2007-11-20 16:41:03 UTC - RP3 - Deckard's System Scanner Restore Point
2: 2007-11-20 16:33:26 UTC - RP2 - Last known good configuration
1: 2007-11-20 16:33:15 UTC - RP1 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
System Drive C: has 8.75 GiB (less than 15%) free.
-- HijackThis (run as Frogman.exe) ---------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:42:36 AM, on 11/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\xnfrwhpt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\Fonts\svchost.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\Fonts\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\PerSono\perstray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Documents and Settings\Frogman\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Frogman.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A386684-D356-451F-A9B0-F1573D611B0F} - (no file)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5F27AC43-B339-400D-BC85-4A0275171500} - C:\WINDOWS\system32\mljgd.dll
O2 - BHO: (no name) - {9C0A5D64-B88E-4FDD-AF46-923CDF14EA32} - C:\WINDOWS\system32\ddayw.dll (file missing)
O2 - BHO: (no name) - {B4CBF084-F699-4555-ABB7-FF9AAFC3F511} - (no file)
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\qommmkk.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Perstray.lnk = ?
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190953039796
O20 - Winlogon Notify: qommmkk - C:\WINDOWS\SYSTEM32\qommmkk.dll
O20 - Winlogon Notify: xwniioah - xwniioah.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\xnfrwhpt.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
End of file - 7353 bytes
-- File Associations -----------------------------------------------------------
All associations okay.
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R1 aslm75 - c:\windows\system32\drivers\aslm75.sys
R2 uacFlt (Plantronics USB Audio Adapter EQ Filter Driver) - c:\windows\system32\drivers\uacflt.sys <Not Verified; Micronas GmbH; UAC355x>
R3 MTsensor (ATK0110 ACPI UTILITY) - c:\windows\system32\drivers\asacpi.sys <Not Verified; ; ATK0100 ACPI Utility>
S3 CTEDSPFX.DLL - c:\windows\system32\ctedspfx.dll <Not Verified; Creative Technology Ltd; Creative Audio Product>
S3 CTEDSPIO.DLL - c:\windows\system32\ctedspio.dll <Not Verified; Creative Technology Ltd; Creative Audio Product>
S3 CTEDSPSY.DLL - c:\windows\system32\ctedspsy.dll <Not Verified; Creative Technology Ltd; Creative Audio Product>
S3 CTERFXFX.DLL - c:\windows\system32\cterfxfx.dll (file missing)
S3 inibtmgr (WD Bridge Controller Driver) - c:\windows\system32\drivers\inibtmgr.sys <Not Verified; Western Digital; WD 1394 Device Button Manager Driver>
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 DomainService - c:\windows\system32\xnfrwhpt.exe /service <Not Verified; ; DDC>
-- Device Manager: Disabled ----------------------------------------------------
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller
Device ID: PCI\VEN_11AB&DEV_4362&SUBSYS_81421043&REV_15\4&10CDB71B&0&00E2
Manufacturer: Marvell
Name: Marvell Yukon 88E8053 PCI-E Gigabit Ethernet Controller
PNP Device ID: PCI\VEN_11AB&DEV_4362&SUBSYS_81421043&REV_15\4&10CDB71B&0&00E2
Service: yukonwxp
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: ASUS 802.11b/g Wireless LAN Card
Device ID: PCI\VEN_11AB&DEV_1FA7&SUBSYS_138F1043&REV_07\4&23C0B1C&0&00F0
Manufacturer: Marvell
Name: ASUS 802.11b/g Wireless LAN Card
PNP Device ID: PCI\VEN_11AB&DEV_1FA7&SUBSYS_138F1043&REV_07\4&23C0B1C&0&00F0
Service: W8100XP
-- Scheduled Tasks -------------------------------------------------------------
2007-11-05 23:27:26 626 --a------ C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Frogman.job
-- Files created between 2007-10-20 and 2007-11-20 -----------------------------
2007-11-18 23:37:50 1262 --ahs---- C:\WINDOWS\system32\dgjlm.ini2
2007-11-18 23:37:43 320608 --a------ C:\WINDOWS\system32\mljgd.dll
2007-11-18 23:15:04 71232 --a------ C:\WINDOWS\system32\xnfrwhpt.exe <Not Verified; ; DDC>
2007-11-16 04:21:06 0 d-------- C:\Program Files\Trend Micro
2007-11-16 02:52:40 71232 --a------ C:\WINDOWS\system32\mmmdajfk.exe <Not Verified; ; DDC>
2007-11-16 00:49:18 0 d-------- C:\Program Files\MSXML 6.0
2007-11-16 00:46:40 0 d-------- C:\Program Files\MSBuild
2007-11-16 00:45:05 40960 --a------ C:\Documents and Settings\Frogman\f.exe
2007-11-16 00:44:51 0 --a------ C:\Documents and Settings\Frogman\x.dat
2007-11-16 00:44:35 1541 --a------ C:\Documents and Settings\Frogman\z.dat
2007-11-16 00:44:28 36352 --a------ C:\WINDOWS\system32\yayawtu.dll
2007-11-16 00:42:54 0 d-------- C:\WINDOWS\system32\XPSViewer
2007-11-16 00:41:59 0 d-------- C:\Program Files\Reference Assemblies
2007-11-16 00:40:23 0 d-------- C:\296737fd016f2e2c719c
2007-11-15 14:43:25 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2007-11-15 14:43:14 120 --a------ C:\n.bat
2007-11-15 14:42:52 0 --a------ C:\x.dat
2007-11-15 14:42:38 36352 --a------ C:\WINDOWS\system32\ssqqoom.dll
2007-11-15 14:42:37 0 --a------ C:\z.dat
2007-11-15 14:42:25 36352 --a------ C:\WINDOWS\system32\qommmkk.dll
2007-11-15 14:38:22 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-11 00:40:30 0 d-------- C:\WINDOWS\pss
2007-11-09 00:20:18 0 d-------- C:\Documents and Settings\All Users\Application Data\ATI
2007-11-09 00:16:31 593920 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2007-11-09 00:16:14 0 d-------- C:\Program Files\ATI Technologies
2007-11-09 00:08:41 0 d-------- C:\WINDOWS\system32\NtmsData
2007-11-08 00:38:04 0 d-------- C:\Program Files\Activision
2007-11-07 13:26:58 0 d-------- C:\Program Files\Lavasoft
2007-11-07 13:26:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-07 13:25:56 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-05 19:16:37 14 --a------ C:\WINDOWS\system32\SystemInfo32.sys
2007-11-05 18:58:57 0 d-------- C:\Program Files\DNsoft.be
2007-11-05 18:45:45 139264 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-11-05 18:45:45 524288 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-11-05 18:45:45 413760 --a------ C:\WINDOWS\system32\mpg4c32.dll <Not Verified; Microsoft Corporation; Microsoft MPEG-4 Video Codec>
2007-11-05 18:45:45 261632 --a------ C:\WINDOWS\system32\mcdvd_32.dll <Not Verified; MainConcept; MainConcept DV Codec "2.0.4>
2007-11-05 18:45:45 0 d-------- C:\Program Files\Common Files\AVSMedia
2007-11-05 18:45:44 0 d-------- C:\Program Files\AVSMedia
2007-11-02 18:27:58 0 d-------- C:\Documents and Settings\Frogman\Application Data\Leadertech
2007-11-01 00:10:32 0 d-------- C:\Documents and Settings\Frogman\Presets
2007-10-30 09:00:27 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-10-30 09:00:20 0 d-------- C:\Program Files\Security Task Manager
2007-10-26 23:08:50 0 --a------ C:\WINDOWS\ativpsrm.bin
2007-10-25 03:03:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-10-25 03:03:46 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
-- Find3M Report ---------------------------------------------------------------
2007-11-18 23:15:25 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-11-16 00:14:28 0 d-------- C:\Program Files\Norton Internet Security
2007-11-15 22:25:07 0 d-------- C:\Program Files\Mozilla Thunderbird
2007-11-13 17:30:53 0 d-------- C:\Program Files\World of Warcraft
2007-11-08 00:40:55 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-07 13:25:56 0 d-------- C:\Program Files\Common Files
2007-11-06 15:02:36 6911 --a------ C:\WINDOWS\mozver.dat
2007-11-06 15:02:18 0 d-------- C:\Program Files\DivX
2007-11-05 18:47:48 0 --a------ C:\Documents and Settings\Frogman\Application Data\AVSDVDPlayer.m3u
2007-11-02 14:11:38 0 d-------- C:\Program Files\Common Files\Adobe
2007-11-02 13:59:30 0 d-------- C:\Documents and Settings\Frogman\Application Data\Adobe
2007-10-23 23:35:23 0 d-------- C:\Documents and Settings\Frogman\Application Data\AdobeUM
2007-10-19 01:55:13 0 d-------- C:\Program Files\Symantec
2007-10-17 20:20:03 0 d-------- C:\Documents and Settings\Frogman\Application Data\Apple Computer
2007-10-17 20:18:31 0 d-------- C:\Program Files\QuickTime
2007-10-17 20:18:01 0 d-------- C:\Program Files\Apple Software Update
2007-10-10 17:08:35 161811 --a------ C:\Documents and Settings\Frogman\Application Data\Cosmos Prefs
2007-10-09 02:36:49 0 d-------- C:\Program Files\Creative
2007-10-09 02:35:30 409600 --a------ C:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2007-10-09 02:35:29 86016 --a------ C:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions (C) Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL(TM) Library>
2007-10-05 01:06:03 0 d-------- C:\Program Files\Sony
2007-10-05 01:05:31 0 d-------- C:\Program Files\Sony Setup
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1A386684-D356-451F-A9B0-F1573D611B0F}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5F27AC43-B339-400D-BC85-4A0275171500}]
11/18/2007 11:37 PM 320608 --a------ C:\WINDOWS\system32\mljgd.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C0A5D64-B88E-4FDD-AF46-923CDF14EA32}]
C:\WINDOWS\system32\ddayw.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4CBF084-F699-4555-ABB7-FF9AAFC3F511}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}]
11/15/2007 02:42 PM 36352 --a------ C:\WINDOWS\system32\qommmkk.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [12/03/2002 05:06 PM]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/11/2000 12:00 AM]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [08/22/2004 04:05 PM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [12/04/2005 04:39 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/10/2007 12:59 AM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [01/14/2007 02:11 AM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [03/12/2007 05:30 PM]
"CTHelper"="CTHELPER.EXE" [08/11/2006 01:56 PM C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [08/11/2006 01:56 PM C:\WINDOWS\system32\CTXFIHLP.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [06/29/2007 05:24 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 06:51 PM]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/10/2006 12:35 PM]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" []
"Host Process"="C:\WINDOWS\Fonts\svchost.exe" [01/10/2007 12:15 PM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nDVDControl"="" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 08:05 PM]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Loadout Manager.lnk - C:\Program Files\Belkin\Nostromo\nost_LM.exe [4/6/2004 2:49:02 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 3:05:56 PM]
Perstray.lnk - C:\Program Files\PerSono\perstray.exe [10/5/2005 11:30:06 PM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"= C:\WINDOWS\system32\qommmkk.dll [11/15/2007 02:42 PM 36352]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qommmkk]
qommmkk.dll 11/15/2007 02:42 PM 36352 C:\WINDOWS\system32\qommmkk.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xwniioah]
xwniioah.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mljgd.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Frogman^Start Menu^Programs^Startup^Cyber-shot Viewer Media Check Tool.lnk]
path=C:\Documents and Settings\Frogman\Start Menu\Programs\Startup\Cyber-shot Viewer Media Check Tool.lnk
backup=C:\WINDOWS\pss\Cyber-shot Viewer Media Check Tool.lnkStartup
*Newly Created Service* - COMHOST
Iminfected
2007-11-20, 19:15
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------
-- System Information ----------------------------------------------------------
Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English
CPU 0: Intel(R) Pentium(R) 4 CPU 3.40GHz
CPU 1: Intel(R) Pentium(R) 4 CPU 3.40GHz
Percentage of Memory in Use: 39%
Physical Memory (total/avail): 1023.23 MiB / 619.75 MiB
Pagefile Memory (total/avail): 3928.52 MiB / 3512.04 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1932.13 MiB
A: is Removable (No Media)
C: is Fixed (NTFS) - 69.23 GiB total, 8.75 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
\\.\PHYSICALDRIVE0 - WDC WD740GD-00FLA0 - 69.24 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 69.23 GiB - C:
-- Security Center -------------------------------------------------------------
AUOptions is disabled.
Windows Internal Firewall is disabled.
FW: Norton Internet Security v2007 (Symantec Corporation)
AV: Norton Internet Security v2007 (Symantec Corporation) Outdated
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\World of Warcraft\\WoW-1.7.1.4695-to-1.8.0-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.7.1.4695-to-1.8.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.8.3.4807-to-1.8.4.4878-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.8.3.4807-to-1.8.4.4878-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Documents and Settings\\Frogman\\My Documents\\Downloads\\Arathi_Basin_new_EG-downloader.exe"="C:\\Documents and Settings\\Frogman\\My Documents\\Downloads\\Arathi_Basin_new_EG-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.8.4.4878-to-1.9.0.4937-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.8.4.4878-to-1.9.0.4937-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.9.2.4996-to-1.9.3.5059-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.9.2.4996-to-1.9.3.5059-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.9.4.5086-to-1.10.0.5195-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.9.4.5086-to-1.10.0.5195-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Frogman\\My Documents\\Downloads\\wow-ptr-downloader2.exe"="C:\\Documents and Settings\\Frogman\\My Documents\\Downloads\\wow-ptr-downloader2.exe:*:Enabled:Blizzard Downloader"
"C:\\Documents and Settings\\Frogman\\My Documents\\Downloads\\WoW-1.10.2.5302-to-0.11.0.5344-enUS-downloader.exe"="C:\\Documents and Settings\\Frogman\\My Documents\\Downloads\\WoW-1.10.2.5302-to-0.11.0.5344-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"="C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoWTest\\WoW-0.11.0.5383-to-0.11.0.5413-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoWTest\\WoW-0.11.0.5383-to-0.11.0.5413-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.10.2.5302-to-1.11.0.5428-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.10.2.5302-to-1.11.0.5428-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.11.1.5462-to-1.11.2.5464-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.11.1.5462-to-1.11.2.5464-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Documents and Settings\\Frogman\\My Documents\\Downloads\\WoW-1.11.2.5464-to-0.12.0.5496-enUS-downloader.exe"="C:\\Documents and Settings\\Frogman\\My Documents\\Downloads\\WoW-1.11.2.5464-to-0.12.0.5496-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoWTest\\WoW-0.12.0.5537-to-0.12.0.5561-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoWTest\\WoW-0.12.0.5537-to-0.12.0.5561-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\World of Warcraft\\WoW-1.11.2.5464-to-1.12.0.5595-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.11.2.5464-to-1.12.0.5595-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Documents and Settings\\Frogman\\My Documents\\Downloads\\WoW-1.12.0.5595-to-0.12.1.5803-enUS-downloader.exe"="C:\\Documents and Settings\\Frogman\\My Documents\\Downloads\\WoW-1.12.0.5595-to-0.12.1.5803-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Common Files\\AOL\\1152161668\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1152161668\\ee\\aim6.exe:*:Disabled:AIM"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Disabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1152161668\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1152161668\\ee\\aolsoftware.exe:*:Disabled:AOL Services"
"C:\\WINDOWS\\system32\\mmmdajfk.exe"="C:\\WINDOWS\\system32\\mmm"
"C:\\WINDOWS\\system32\\xnfrwhpt.exe"="C:\\WINDOWS\\system32\\xnf"
-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Frogman\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=CORE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Frogman
LOGONSERVER=\\CORE
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 5, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0205
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Frogman\LOCALS~1\Temp
TMP=C:\DOCUME~1\Frogman\LOCALS~1\Temp
USERDOMAIN=CORE
USERNAME=Frogman
USERPROFILE=C:\Documents and Settings\Frogman
windir=C:\WINDOWS
-- User Profiles ---------------------------------------------------------------
Frogman (admin)
-- Add/Remove Programs ---------------------------------------------------------
--> "C:\Program Files\Creative\SBAudigy2ZS\Program\SETUP.EXE" /S /U /W
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{87499F38-FD69-4A2B-B41A-BAB8DE9B94FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B9AE66C-2A8F-4FB2-85D7-416AFFAE8408}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4E7DC12A-3597-4A94-9429-F6C6987361B1}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7DADB304-AF20-48C3-A780-4B4133A08817}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9C423CF6-2DAA-4A37-94B8-59D7ECC7DB13}\setup.exe" -l0x9 -removeonly
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FA6CC4B4-7741-4F8D-8E81-15C4BAB9869B}\setup.exe" -l0x9 -removeonly
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81100000003}
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
Apple Software Update --> MsiExec.exe /I{74EC78BC-B379-4E29-9006-8F161DCAABA6}
ASUS Probe V2.23.06 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\ASUS\Probe\DeIsL1.isu" -c"C:\Program Files\ASUS\Probe\probunis.dll"
ASUSUpdate --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{587178E7-B1DF-494E-9838-FA4DD36E873C}\Setup.exe" -l0x9
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x0
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}
Call of Duty(R) 4 - Modern Warfare(TM) Demo --> C:\Program Files\InstallShield Installation Information\{6734CA10-8FB8-4C7F-B8C7-75317C617DC5}\setup.exe -runfromtemp -l0x0409
ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
Creative Audio Console --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B9AE66C-2A8F-4FB2-85D7-416AFFAE8408}\setup.exe" -l0x9 /remove
Creative System Information --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{87499F38-FD69-4A2B-B41A-BAB8DE9B94FE}\setup.exe" -l0x9 /remove
DAEMON Tools --> MsiExec.exe /I{3DED3A72-61A8-4B87-98A5-EF0BC8038AA0}
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Fraps (remove only) --> "C:\Fraps\uninstall.exe"
HighMAT Extension to Microsoft Windows XP CD Writing Wizard --> MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB902344) --> "C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
LiveUpdate 3.2 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Marvell Miniport Driver --> MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office 2000 Standard --> MsiExec.exe /I{00020409-78E1-11D2-B60F-006097C998E7}
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR) --> MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (2.0.0.8) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (1.5) --> C:\Program Files\Mozilla Thunderbird\uninstall\uninstall.exe /ua "1.5 (en-US)"
MSRedist --> MsiExec.exe /I{B7C61755-DB48-4003-948F-3D34DB8EAF69}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Norton AntiVirus --> MsiExec.exe /X{830D8CBD-C668-49e2-A969-C2C2106332E0}
Norton Confidential Browser Component --> MsiExec.exe /I{4843B611-8FCB-4428-8C23-31D0A5EAE164}
Norton Confidential Web Protection Component --> MsiExec.exe /I{D353CC51-430D-4C6F-9B7E-52003DA1E05A}
Norton Internet Security --> MsiExec.exe /I{48185814-A224-447A-81DA-71BD20580E1B}
Norton Internet Security --> MsiExec.exe /I{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}
Norton Internet Security --> MsiExec.exe /I{E3EFA461-EB83-4C3B-9C47-2C1D58A01555}
Norton Internet Security --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton Internet Security (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}_10_2_0_30\{5AA2CD16-706F-41f3-87C5-2B5A031F2B3B}.exe" /X
Norton Protection Center --> MsiExec.exe /I{9A129ABC-A53A-4209-A21E-D5DEDFB7CCA8}
Nostromo Array Programming Software --> MsiExec.exe /X{0F3A1C5A-DA6A-4536-A058-CBB857CAC20C}
PerSono --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D63F2860-678D-11D4-B355-0010A4F75374}\setup.exe"
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
Security Task Manager 1.7e --> C:\Program Files\Security Task Manager\Uninstal.exe "C:\Documents and Settings\All Users\Start Menu\Programs\Security Task Manager"
Sony Media Manager 2.0 --> MsiExec.exe /X{B13F5727-F12F-4253-B6AD-26AFA880B709}
Sony Media Manager 2.2 --> MsiExec.exe /X{47AA42FD-0450-4CB4-ADAF-B6E770AA7B2F}
Sony Picture Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5068583-D569-468B-9755-5FBF5848F46F}\setup.exe" -l0x9 /removeonly uninstall -removeonly
Sony USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe" UNINSTALL
Sony Vegas 6.0 --> MsiExec.exe /X{5FCE0BF9-A1AA-4FA3-A28C-F62431CD52C4}
Sony Vegas Movie Studio Platinum 7.0a --> MsiExec.exe /X{D5D36DAE-B5F1-4B86-AFC1-32B7DF7E5EF7}
Sound Blaster Audigy 2 ZS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E2514D9-DC24-4634-B348-61F3EF0F1628}\SETUP.EXE" -l0x9
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Symantec KB-DocID:2003093015493306 --> MsiExec.exe /I{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}
TeamSpeak 2 RC2 --> "C:\Program Files\Teamspeak2_RC2\unins000.exe"
Turbo Lister 2 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{69640730-B830-4C24-BB5C-222DA1260548}
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Connect --> "C:\WINDOWS\$NtUninstallWMCSetup$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
XML Paper Specification Shared Components Pack 1.0 -->
-- Application Event Log -------------------------------------------------------
Event Record #/Type27602 / Warning
Event Submitted/Written: 11/16/2007 00:42:16 AM
Event ID/Source: 0 / System.ServiceModel.Install 3.0.0.0
Event Description:
HTTP namespace reservations are not installed.
Event Record #/Type27601 / Warning
Event Submitted/Written: 11/16/2007 00:42:12 AM
Event ID/Source: 0 / System.ServiceModel.Install 3.0.0.0
Event Description:
A TransportConfiguration node does not exists in the system.web section for protocol msmq.formatname in C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Config\web.config.
Event Record #/Type27600 / Warning
Event Submitted/Written: 11/16/2007 00:42:12 AM
Event ID/Source: 0 / System.ServiceModel.Install 3.0.0.0
Event Description:
A Protocol node does not exists in the system.web section for protocol msmq.formatname in C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Config\web.config.
Event Record #/Type27599 / Warning
Event Submitted/Written: 11/16/2007 00:42:12 AM
Event ID/Source: 0 / System.ServiceModel.Install 3.0.0.0
Event Description:
A TransportConfiguration node does not exists in the system.web section for protocol net.msmq in C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Config\web.config.
Event Record #/Type27598 / Warning
Event Submitted/Written: 11/16/2007 00:42:12 AM
Event ID/Source: 0 / System.ServiceModel.Install 3.0.0.0
Event Description:
A Protocol node does not exists in the system.web section for protocol net.msmq in C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Config\web.config.
-- Security Event Log ----------------------------------------------------------
No Errors/Warnings found.
-- System Event Log ------------------------------------------------------------
Event Record #/Type71452 / Error
Event Submitted/Written: 11/20/2007 11:33:39 AM
Event ID/Source: 12294 / ati2mtag
Event Description:
CRT invalid display type
Event Record #/Type71435 / Error
Event Submitted/Written: 11/20/2007 11:32:26 AM / 11/20/2007 11:32:49 AM
Event ID/Source: 12294 / ati2mtag
Event Description:
CRT invalid display type
Event Record #/Type71412 / Error
Event Submitted/Written: 11/18/2007 11:33:03 PM
Event ID/Source: 12294 / ati2mtag
Event Description:
CRT invalid display type
Event Record #/Type71397 / Warning
Event Submitted/Written: 11/18/2007 11:32:25 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00112F58F85E. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.
Event Record #/Type71396 / Error
Event Submitted/Written: 11/18/2007 11:31:50 PM / 11/18/2007 11:32:12 PM
Event ID/Source: 12294 / ati2mtag
Event Description:
CRT invalid display type
-- End of Deckard's System Scanner: finished at 2007-11-20 11:43:17 ------------
Hi
You have a keylogger so you should do the followig:
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Please click Start > Run and type in: services.msc
Click OK
In the Services window find: DomainService
Select/highlight and right click the entry, and choose: Properties
On the General tab, under Service Status click the Stop button
Beside: Startup Type, in the drop menu, select: Disabled
Click Apply, then OK
Now, go to Start > Run, and copy/paste the following into the Open box:
sc delete DomainService
Click: OK
Open HijackThis, click do a system scan only and checkmark these:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank <--- unless you have set it
O2 - BHO: (no name) - {1A386684-D356-451F-A9B0-F1573D611B0F} - (no file)
O2 - BHO: (no name) - {5F27AC43-B339-400D-BC85-4A0275171500} - C:\WINDOWS\system32\mljgd.dll
O2 - BHO: (no name) - {9C0A5D64-B88E-4FDD-AF46-923CDF14EA32} - C:\WINDOWS\system32\ddayw.dll (file missing)
O2 - BHO: (no name) - {B4CBF084-F699-4555-ABB7-FF9AAFC3F511} - (no file)
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\qommmkk.dll
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O20 - Winlogon Notify: qommmkk - C:\WINDOWS\SYSTEM32\qommmkk.dll
O20 - Winlogon Notify: xwniioah - xwniioah.dll (file missing)
Close all windows including browser and press fix checked.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once the scan is complete, Right Click inside the listbox (white box) and click add more files
Copy&Paste the 2 entries below into the top 2 boxes
C:\WINDOWS\system32\qommmkk.dll
C:\WINDOWS\system32\mljgd.dll
Click Add Files and Click Close Window
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.[/list]
Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.
Save text below as fix.reg on Notepad (save it as all files (*.*)) on Desktop
REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\mmmdajfk.exe"=-
"C:\\WINDOWS\\system32\\xnfrwhpt.exe"=-
It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif
Doubleclick fix.reg, press Yes and ok.
(In case you are unsure how to create a reg file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Reg_File_) with screenshots.)
Please download the Killbox (http://download.bleepingcomputer.com/spyware/KillBox.exe).
Save it to the desktop.
Please run Killbox.
Select "Delete on Reboot" and "All files"
Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\system32\dgjlm.ini2
C:\WINDOWS\system32\mljgd.dll
C:\WINDOWS\system32\xnfrwhpt.exe
C:\WINDOWS\system32\mmmdajfk.exe
C:\Documents and Settings\Frogman\f.exe
C:\Documents and Settings\Frogman\x.dat
C:\Documents and Settings\Frogman\z.dat
C:\WINDOWS\system32\yayawtu.dll
C:\n.bat
C:\x.dat
C:\WINDOWS\system32\ssqqoom.dll
C:\z.dat
C:\WINDOWS\system32\qommmkk.dll
C:\WINDOWS\Fonts\svchost.exe
Go to the File menu, and choose "Paste from Clipboard".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here (http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe) to download and run missingfilesetup.exe. Then try TheKillbox again..
If your computer does not restart automatically, please restart it manually.
Re-run dss
Post:
- dss report (main.txt)
- vundofix report
Iminfected
2007-11-21, 02:51
Deckard's System Scanner v20071014.68
Run by Frogman on 2007-11-20 19:53:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------
System Drive C: has 8.75 GiB (less than 15%) free.
-- HijackThis (run as Frogman.exe) ---------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:53:20 PM, on 11/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\PerSono\perstray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Frogman\Desktop\dss.exe
C:\DOCUME~1\Frogman\Desktop\Frogman.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {33703312-33DD-4E21-801B-7DAA53CA7196} - C:\WINDOWS\system32\mljgd.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5E480AD2-A51B-432D-A9EF-1CBB07D6304F} - C:\WINDOWS\system32\ddabb.dll (file missing)
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\qommmkk.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Perstray.lnk = ?
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190953039796
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
--
End of file - 6845 bytes
-- Files created between 2007-10-20 and 2007-11-20 -----------------------------
2007-11-20 19:35:12 0 d-------- C:\!KillBox
2007-11-20 18:55:57 0 d-------- C:\VundoFix Backups
2007-11-16 04:21:06 0 d-------- C:\Program Files\Trend Micro
2007-11-16 00:49:18 0 d-------- C:\Program Files\MSXML 6.0
2007-11-16 00:46:40 0 d-------- C:\Program Files\MSBuild
2007-11-16 00:42:54 0 d-------- C:\WINDOWS\system32\XPSViewer
2007-11-16 00:41:59 0 d-------- C:\Program Files\Reference Assemblies
2007-11-16 00:40:23 0 d-------- C:\296737fd016f2e2c719c
2007-11-15 14:43:25 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2007-11-15 14:38:22 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-11 00:40:30 0 d-------- C:\WINDOWS\pss
2007-11-09 00:20:18 0 d-------- C:\Documents and Settings\All Users\Application Data\ATI
2007-11-09 00:16:31 593920 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2007-11-09 00:16:14 0 d-------- C:\Program Files\ATI Technologies
2007-11-09 00:08:41 0 d-------- C:\WINDOWS\system32\NtmsData
2007-11-08 00:38:04 0 d-------- C:\Program Files\Activision
2007-11-07 13:26:58 0 d-------- C:\Program Files\Lavasoft
2007-11-07 13:26:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-07 13:25:56 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-05 19:16:37 14 --a------ C:\WINDOWS\system32\SystemInfo32.sys
2007-11-05 18:58:57 0 d-------- C:\Program Files\DNsoft.be
2007-11-05 18:45:45 139264 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-11-05 18:45:45 524288 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-11-05 18:45:45 413760 --a------ C:\WINDOWS\system32\mpg4c32.dll <Not Verified; Microsoft Corporation; Microsoft MPEG-4 Video Codec>
2007-11-05 18:45:45 261632 --a------ C:\WINDOWS\system32\mcdvd_32.dll <Not Verified; MainConcept; MainConcept DV Codec "2.0.4>
2007-11-05 18:45:45 0 d-------- C:\Program Files\Common Files\AVSMedia
2007-11-05 18:45:44 0 d-------- C:\Program Files\AVSMedia
2007-11-02 18:27:58 0 d-------- C:\Documents and Settings\Frogman\Application Data\Leadertech
2007-11-01 00:10:32 0 d-------- C:\Documents and Settings\Frogman\Presets
2007-10-30 09:00:27 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-10-30 09:00:20 0 d-------- C:\Program Files\Security Task Manager
2007-10-26 23:08:50 0 --a------ C:\WINDOWS\ativpsrm.bin
2007-10-25 03:03:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-10-25 03:03:46 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
-- Find3M Report ---------------------------------------------------------------
2007-11-20 19:42:34 0 d-------- C:\Program Files\Windows Media Connect 2
2007-11-18 23:15:25 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-11-16 00:14:28 0 d-------- C:\Program Files\Norton Internet Security
2007-11-15 22:25:07 0 d-------- C:\Program Files\Mozilla Thunderbird
2007-11-13 17:30:53 0 d-------- C:\Program Files\World of Warcraft
2007-11-08 00:40:55 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-07 13:25:56 0 d-------- C:\Program Files\Common Files
2007-11-06 15:02:36 6911 --a------ C:\WINDOWS\mozver.dat
2007-11-06 15:02:18 0 d-------- C:\Program Files\DivX
2007-11-05 18:47:48 0 --a------ C:\Documents and Settings\Frogman\Application Data\AVSDVDPlayer.m3u
2007-11-02 14:11:38 0 d-------- C:\Program Files\Common Files\Adobe
2007-11-02 13:59:30 0 d-------- C:\Documents and Settings\Frogman\Application Data\Adobe
2007-10-23 23:35:23 0 d-------- C:\Documents and Settings\Frogman\Application Data\AdobeUM
2007-10-19 01:55:13 0 d-------- C:\Program Files\Symantec
2007-10-17 20:20:03 0 d-------- C:\Documents and Settings\Frogman\Application Data\Apple Computer
2007-10-17 20:18:31 0 d-------- C:\Program Files\QuickTime
2007-10-17 20:18:01 0 d-------- C:\Program Files\Apple Software Update
2007-10-10 17:08:35 161811 --a------ C:\Documents and Settings\Frogman\Application Data\Cosmos Prefs
2007-10-09 02:36:49 0 d-------- C:\Program Files\Creative
2007-10-09 02:35:30 409600 --a------ C:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2007-10-09 02:35:29 86016 --a------ C:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions (C) Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL(TM) Library>
2007-10-05 01:06:03 0 d-------- C:\Program Files\Sony
2007-10-05 01:05:31 0 d-------- C:\Program Files\Sony Setup
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{33703312-33DD-4E21-801B-7DAA53CA7196}]
C:\WINDOWS\system32\mljgd.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5E480AD2-A51B-432D-A9EF-1CBB07D6304F}]
C:\WINDOWS\system32\ddabb.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}]
C:\WINDOWS\system32\qommmkk.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [12/03/2002 05:06 PM]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [05/11/2000 12:00 AM]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [08/22/2004 04:05 PM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [12/04/2005 04:39 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/10/2007 12:59 AM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [01/14/2007 02:11 AM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [03/12/2007 05:30 PM]
"CTHelper"="CTHELPER.EXE" [08/11/2006 01:56 PM C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [08/11/2006 01:56 PM C:\WINDOWS\system32\CTXFIHLP.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [06/29/2007 05:24 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 06:51 PM]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/10/2006 12:35 PM]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nDVDControl"="" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [10/18/2006 08:05 PM]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Loadout Manager.lnk - C:\Program Files\Belkin\Nostromo\nost_LM.exe [4/6/2004 2:49:02 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2/17/1999 3:05:56 PM]
Perstray.lnk - C:\Program Files\PerSono\perstray.exe [10/5/2005 11:30:06 PM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"= C:\WINDOWS\system32\qommmkk.dll [ ]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Frogman^Start Menu^Programs^Startup^Cyber-shot Viewer Media Check Tool.lnk]
path=C:\Documents and Settings\Frogman\Start Menu\Programs\Startup\Cyber-shot Viewer Media Check Tool.lnk
backup=C:\WINDOWS\pss\Cyber-shot Viewer Media Check Tool.lnkStartup
*Newly Created Service* - COMHOST
-- End of Deckard's System Scanner: finished at 2007-11-20 19:53:48 ------------
Iminfected
2007-11-21, 03:05
VundoFix V6.6.2
Checking Java version...
Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.
Scan started at 6:55:57 PM 11/20/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
Attempting to delete C:\WINDOWS\system32\mljgd.dll
C:\WINDOWS\system32\mljgd.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\qommmkk.dll
C:\WINDOWS\system32\qommmkk.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\qommmkk.dll
C:\WINDOWS\system32\qommmkk.dll Could not be deleted.
Performing Repairs to the registry.
Done!
VundoFix V6.6.2
Checking Java version...
Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.
Scan started at 7:14:40 PM 11/20/2007
Listing files found while scanning....
C:\windows\system32\bbadd.ini
C:\windows\system32\bbadd.ini2
C:\windows\system32\ddabb.dll
Beginning removal...
Attempting to delete C:\windows\system32\bbadd.ini
C:\windows\system32\bbadd.ini Has been deleted!
Attempting to delete C:\windows\system32\bbadd.ini2
C:\windows\system32\bbadd.ini2 Has been deleted!
Attempting to delete C:\windows\system32\ddabb.dll
C:\windows\system32\ddabb.dll Has been deleted!
Performing Repairs to the registry.
Done!
Hi Shaba, Thank you again for your help.
I have a few questions that will help me determine how much the keylogger has compromised me. Anything you can tell me about it will help me. Like, When was it installed? How long has it been there? What was the file name? How did I get it? What program did I download and install had the keylogger in it? Anything you can tell me will help me determine when it was first installed and how much info it has captured. Was this aquired from just visiting a website or did I download something and it was in the download?
I only encounterd two errors when doing what you said this last time here they are.
Error came up when stopping DomainService, it said something like "takeing to long".
When putting a checkmark in Hijackthis, the second BHO on your list was not there.
Hi
"I have a few questions that will help me determine how much the keylogger has compromised me. Anything you can tell me about it will help me. Like, When was it installed? How long has it been there? What was the file name? How did I get it? What program did I download and install had the keylogger in it? Anything you can tell me will help me determine when it was first installed and how much info it has captured. Was this aquired from just visiting a website or did I download something and it was in the download?"
Well I don't know when it was installed as creation date didn't show up in dss report. File name was C:\WINDOWS\Fonts\svchost.exe. I don't think that you downloaded anything; it may have come from some website. What I do know is that it stored stolen in files below which are now in C:\!KillBox folder:
2007-11-16 00:44:51 0 --a------ C:\Documents and Settings\Frogman\x.dat
2007-11-16 00:44:35 1541 --a------ C:\Documents and Settings\Frogman\z.dat
2007-11-15 14:42:52 0 --a------ C:\x.dat
2007-11-15 14:42:37 0 --a------ C:\z.dat
Open HijackThis, click do a system scan only and checkmark these:
O2 - BHO: (no name) - {33703312-33DD-4E21-801B-7DAA53CA7196} - C:\WINDOWS\system32\mljgd.dll (file missing)
O2 - BHO: (no name) - {5E480AD2-A51B-432D-A9EF-1CBB07D6304F} - C:\WINDOWS\system32\ddabb.dll (file missing)
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\qommmkk.dll (file missing)
Close all windows including browser and press fix checked.
Reboot.
Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database:
+ Extended (If available otherwise Standard)
o Scan Options:
+ Scan Archives
+ Scan Mail Bases
Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
Post:
- a fresh HijackThis log
- kaspersky report
Iminfected
2007-11-22, 00:01
Thanks for the info on the keylogger. I dont think I have had it very long, maybe 2 weeks prior to posting here. The only thing I see that it captured was old email names and passwords from Outlook, good thing I stopped useing it 2 years ago.
The Kaspersky report is long. I'm not sure but it looks like I was being used as a host for hundreds of cracked movies and games. Please tell me what you can about this. How is this possible? Is that what was going on? Are those programs and movies on my computer now? I am trying to learn as we fix things.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:57:00 PM, on 11/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\PerSono\perstray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Frogman\Desktop\Iminfected.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Perstray.lnk = ?
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190953039796
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
--
End of file - 6603 bytes
Iminfected
2007-11-22, 00:07
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, November 21, 2007 4:49:33 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/11/2007
Kaspersky Anti-Virus database records: 463232
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 52865
Number of viruses found: 7
Number of infected objects: 1994
Number of suspicious objects: 0
Duration of the scan process: 00:34:44
Infected Object Name / Virus Name / Last Action
C:\!KillBox\f.exe Infected: not-a-virus:PSWTool.Win32.FirePass.a skipped
C:\!KillBox\mmmdajfk.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\!KillBox\qommmkk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
C:\!KillBox\ssqqoom.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
C:\!KillBox\svchost.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\!KillBox\xnfrwhpt.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\!KillBox\yayawtu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-11-21_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\737DC70D.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\Frogman\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-5b5adbc5.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Frogman\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-5b5adbc5.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Frogman\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-11551834.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\Frogman\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-11551834.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Frogman\Application Data\Thunderbird\Profiles\f122s0od.default\Mail\Local Folders\Inbox/[From postmaster@hotmail.com][Date Thu, 08 Mar 2007 23:12:24 -0800]/Buy_Meds_Here.html Infected: Trojan.JS.Redirector.b skipped
C:\Documents and Settings\Frogman\Application Data\Thunderbird\Profiles\f122s0od.default\Mail\Local Folders\Inbox/[From postmaster@hotmail.com][Date Fri, 09 Mar 2007 08:23:17 -0800]/UNNAMED/UNNAMED/[From Online Rx<Theron@kvbzhjp.com>][Date 9 Mar 2007 08:23:17 -0800]/Buy_Meds_Here.html Infected: Trojan.JS.Redirector.b skipped
C:\Documents and Settings\Frogman\Application Data\Thunderbird\Profiles\f122s0od.default\Mail\Local Folders\Inbox/[From postmaster@hotmail.com][Date Fri, 09 Mar 2007 08:23:17 -0800]/UNNAMED/UNNAMED Infected: Trojan.JS.Redirector.b skipped
C:\Documents and Settings\Frogman\Application Data\Thunderbird\Profiles\f122s0od.default\Mail\Local Folders\Inbox/[From postmaster@hotmail.com][Date Fri, 09 Mar 2007 08:23:17 -0800]/UNNAMED Infected: Trojan.JS.Redirector.b skipped
C:\Documents and Settings\Frogman\Application Data\Thunderbird\Profiles\f122s0od.default\Mail\Local Folders\Inbox Mail Berkeley mbox: infected - 4 skipped
C:\Documents and Settings\Frogman\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Frogman\Desktop\backups\backup-20071120-185459-549.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
C:\Documents and Settings\Frogman\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Frogman\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Frogman\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Frogman\Local Settings\Temporary Internet Files\Content.IE5\44TTJ35N\pochki20071106[1] Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Documents and Settings\Frogman\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Frogman\Local Settings\Temporary Internet Files\Content.IE5\O5UJK5IZ\upd32_v14[1] Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\Documents and Settings\Frogman\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Frogman\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP3\A0000038.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP3\A0000039.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP3\A0000040.exe Infected: not-a-virus:PSWTool.Win32.FirePass.a skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP3\A0000041.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP3\A0000043.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP3\A0000044.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP3\A0000045.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP3\change.log Object is locked skipped
C:\VundoFix Backups\qommmkk.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Fonts\'\00jj99uuii66ddxxqqq.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\00jj99uuii66ddxxqqq.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\10 Man Cum Slam 19 Crack.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\10 Man Cum Slam 19 Crack.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\100% Blowjobs 8 Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\100% Blowjobs 8 Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\101 Jukebox Classics Crack.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\101 Jukebox Classics Crack.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\123 DVD Clone v2.42 Crack.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\123 DVD Clone v2.42 Crack.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\18 And In Training Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\18 And In Training Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\1Click Fixer Plus 4.0 Crack.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\1Click Fixer Plus 4.0 Crack.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\20 Fantastic Hits Keygen.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\20 Fantastic Hits Keygen.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\20 Years Of Jethro Tull, Awesome Collection Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\20 Years Of Jethro Tull, Awesome Collection Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\30 Days Of Night Crack.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\30 Days Of Night Crack.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\300 (2007) Crack.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\300 (2007) Crack.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\3D Live Pool v2.32 Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\3D Live Pool v2.32 Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\501 Levi's Hits Keygen.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\501 Levi's Hits Keygen.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\88 Minutes (2007) Keygen.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\88 Minutes (2007) Keygen.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\88 Minutes DVD-ripp (2007) Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\88 Minutes DVD-ripp (2007) Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\A Mike's Apartment - Teen Jennifer Crack.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\A Mike's Apartment - Teen Jennifer Crack.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\A-Z RealPlayer Video Converter v3.23 Crack.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\A-Z RealPlayer Video Converter v3.23 Crack.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\A-Z RealPlayer Video Converter v3.75 Crack.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\A-Z RealPlayer Video Converter v3.75 Crack.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\A-Z WMV Video Converter v3.70 Crack.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\A-Z WMV Video Converter v3.70 Crack.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\A1Click Ultra PC Cleaner v1.01.48 Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\A1Click Ultra PC Cleaner v1.01.48 Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Ableton Live v6.0.1.10 Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Ableton Live v6.0.1.10 Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Absolute MP3 Splitter and Converter 2.8.4 Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Absolute MP3 Splitter and Converter 2.8.4 Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Absolute MP3 Splitter v2.6.8 Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Absolute MP3 Splitter v2.6.8 Patch.zip ZIP: infected - 1 skipped
Iminfected
2007-11-22, 00:09
C:\WINDOWS\Fonts\'\ACDSee Pro 8.0.67 Keygen.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\ACDSee Pro 8.0.67 Keygen.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Ace Utilities v4.0.0.4050 Keygen.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Ace Utilities v4.0.0.4050 Keygen.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Acoustica Cd Dvd Label Crack.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Acoustica Cd Dvd Label Crack.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Act of War High Treason Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Act of War High Treason Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Adobe Acrobat Reader 7.0 Crack.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Adobe Acrobat Reader 7.0 Crack.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Adobe Audition v2.0 Retail Edition Keygen.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Adobe Audition v2.0 Retail Edition Keygen.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Adobe Dreamweaver 8 (Macromedia) Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Adobe Dreamweaver 8 (Macromedia) Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Adobe Flash Medai Encoder 1.0.0.273 Crack.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Adobe Flash Medai Encoder 1.0.0.273 Crack.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Adobe PhotoShop 7.0 Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Adobe PhotoShop 7.0 Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Adobe Photoshop Cs2 9.0 Final Crack.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Adobe Photoshop Cs2 9.0 Final Crack.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Adobe Photoshop Elements 4.0 Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Adobe Photoshop Elements 4.0 Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Adobe Reader 8 Full Crack.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Adobe Reader 8 Full Crack.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Adusoft Photo DVD Slideshow v3.76 Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Adusoft Photo DVD Slideshow v3.76 Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Advanced EFS Data Recovery v3.1 Crack.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Advanced EFS Data Recovery v3.1 Crack.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Aerial Mahjong Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Aerial Mahjong Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Age of Empires 3 Crack.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Age of Empires 3 Crack.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Age of Mythology Golden Crack.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Age of Mythology Golden Crack.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Aha-soft Iconlover 4.15 Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Aha-soft Iconlover 4.15 Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Aio Iso Managers Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Aio Iso Managers Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Alanis Morissette - The Collection Keygen.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Alanis Morissette - The Collection Keygen.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Alanis Morissette - The Collection Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Alanis Morissette - The Collection Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\All About Sex Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\All About Sex Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\All Ditz And Jumbo Tits 2 Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\All Ditz And Jumbo Tits 2 Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\All In One Nokia Phone Hack Keygen.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\All In One Nokia Phone Hack Keygen.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\All Media Fix 6.9 with Serial Key and Keygen Keygen.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\All Media Fix 6.9 with Serial Key and Keygen Keygen.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\All That Remains - The Fall Of Ideals Keygen.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\All That Remains - The Fall Of Ideals Keygen.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\All That Remains - The Fall Of Ideals Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\All That Remains - The Fall Of Ideals Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Allok MP3 to AMR Converter 2.6.2 Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Allok MP3 to AMR Converter 2.6.2 Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Altdo Video Converter Diamond 4.2 Keygen.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Altdo Video Converter Diamond 4.2 Keygen.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Amazing Grace (2007)DVDRip Keygen.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Amazing Grace (2007)DVDRip Keygen.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\American conquest Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\American conquest Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\American McGee's Scrapland Crack.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\American McGee's Scrapland Crack.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\American Pie - The Naked Mile 2006 Keygen.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\American Pie - The Naked Mile 2006 Keygen.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Anal Dreams 3 Crack.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Anal Dreams 3 Crack.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\andos 3 Destination Berlin Keygen.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\andos 3 Destination Berlin Keygen.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Andromeda 121 Keygen.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Andromeda 121 Keygen.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Animake v3.6 Keygen.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Animake v3.6 Keygen.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Anno 1701 Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Anno 1701 Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\AnyDVD 6.0.9.5 Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\AnyDVD 6.0.9.5 Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\AnyReader v2.0.85 Crack.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\AnyReader v2.0.85 Crack.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Aone Ultra DVD Creator v1.7.9 Keygen.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Aone Ultra DVD Creator v1.7.9 Keygen.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Apex Video Converter Super 5.56 Crack.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Apex Video Converter Super 5.56 Crack.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Apex Video Converter Super v5.93 Crack.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Apex Video Converter Super v5.93 Crack.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Apocalypto (2006) Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Apocalypto (2006) Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Arial CD Ripper v1.5.9 Keygen.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Arial CD Ripper v1.5.9 Keygen.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Arial CD Ripper v1.6.2 Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Arial CD Ripper v1.6.2 Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\ArmA Armed Assault Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\ArmA Armed Assault Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Arsonists Get All The Girls - The Game Of Life Crack.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Arsonists Get All The Girls - The Game Of Life Crack.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\ASCII Generator v0.8.2b Crack.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\ASCII Generator v0.8.2b Crack.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Ashampoo AntiVirus v1.40 Crack.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Ashampoo AntiVirus v1.40 Crack.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Ashampoo Firewall Pro v1.12 Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Ashampoo Firewall Pro v1.12 Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Ashampoo Magical Defrag 2.05 Crack.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Ashampoo Magical Defrag 2.05 Crack.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Ashampoo Magical Defrag v2.10 Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Ashampoo Magical Defrag v2.10 Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Ashampoo Photo Commander 5.20 Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Ashampoo Photo Commander 5.20 Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Ashampoo WinOptimizer 4.00 Keygen.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Ashampoo WinOptimizer 4.00 Keygen.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Aspect Tools v5.3.0.76 Keygen.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Aspect Tools v5.3.0.76 Keygen.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Ass For Days Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Ass For Days Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Astro22 Professional Edition v7.05.56 Crack.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Astro22 Professional Edition v7.05.56 Crack.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Astro22 Professional Edition v7.05.56 Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Astro22 Professional Edition v7.05.56 Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Atani v4.1.1 Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Atani v4.1.1 Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\AusLogics BoostSpeed v3.7.2.680 Keygen.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\AusLogics BoostSpeed v3.7.2.680 Keygen.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\AutoCAD 2007 Trial 100% Working Crack Keygen.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\AutoCAD 2007 Trial 100% Working Crack Keygen.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Autodesk AutoCAD Electrical 2007 Keygen.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Autodesk AutoCAD Electrical 2007 Keygen.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Automize 7.21 Enterprise Keygen.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Automize 7.21 Enterprise Keygen.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\AutoPlay Media Studio v6.0.5.0 Crack.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\AutoPlay Media Studio v6.0.5.0 Crack.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Av Voice Changer 4.0.75! Crack.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Av Voice Changer 4.0.75! Crack.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\avast! Professional Edition v4.7.1043 Keygen.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\avast! Professional Edition v4.7.1043 Keygen.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\AVG Internet Security 7.5.446a965 Keygen.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\AVG Internet Security 7.5.446a965 Keygen.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\AVI DVD Burner 2007 v2.25 Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\AVI DVD Burner 2007 v2.25 Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Baby Face 2 Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Baby Face 2 Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Baby Face 7 Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Baby Face 7 Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Babylon 6 Keygen.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Babylon 6 Keygen.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Babylon 7.0.0 r13 Crack.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Babylon 7.0.0 r13 Crack.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Back To School Special Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Back To School Special Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\BackStreet Boys Unbreakable (2007) Crack.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\BackStreet Boys Unbreakable (2007) Crack.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\BackStreet Boys Unbreakable (2007) Keygen.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\BackStreet Boys Unbreakable (2007) Keygen.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\BackupMade Simple v5.1.207 Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\BackupMade Simple v5.1.207 Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Band Camp Keygen.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Band Camp Keygen.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Bangbros - Bangbus Christina Crack.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Bangbros - Bangbus Christina Crack.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Bangbros - Bangbus JJ Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Bangbros - Bangbus JJ Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Bangbros - Bangbus Maryjane Crack.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Bangbros - Bangbus Maryjane Crack.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Bangbros - Bangbus Mimi Keygen.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Bangbros - Bangbus Mimi Keygen.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Banged Hard In The Bathroom Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Banged Hard In The Bathroom Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Basshunter-LOL Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Basshunter-LOL Patch.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\BatchRename Pro v3.11 Keygen.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\BatchRename Pro v3.11 Keygen.zip ZIP: infected - 1 skipped
C:\WINDOWS\Fonts\'\Battlefield 2 Deluxe Edition Patch.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\Battlefield 2 Deluxe Edition Patch.zip ZIP: infected - 1 skipped
Iminfected
2007-11-22, 00:11
I skipped to the end on the Kaspersky log. I wanted to give you a good example of whats in it. There are hundreds more.
C:\WINDOWS\Fonts\Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{7ED07F59-AF47-4ABD-839E-E11A832C900B}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\{00000001-00000000-0000000A-00001102-00000004-20021102}.CDF Object is locked skipped
Scan process completed.
Hi
"I'm not sure but it looks like I was being used as a host for hundreds of cracked movies and games. Please tell me what you can about this. How is this possible? Is that what was going on? Are those programs and movies on my computer now? I am trying to learn as we fix things."
Yes they are.
That keylogger + friends downloaded those. We use SDFix against those.
Empty these folders:
C:\!KillBox\
C:\Documents and Settings\Frogman\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar
Empty Recycle Bin
Please download ATF Cleaner by Atribune (http://www.atribune.org/ccount/click.php?id=1) and save
it to desktop.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit to close ATF-Cleaner.
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
Iminfected
2007-11-23, 07:01
SDFix: Version 1.115
Run by Frogman on Thu 11/22/2007 at 11:52 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Trojan Files Found:
C:\WINDOWS\Fonts\Crack.exe - Deleted
C:\WINDOWS\Fonts\*.zip - 1 File(s) 637,944 bytes - Deleted
C:\WINDOWS\Fonts\'\*.zip - 982 File(s) 626,461,990 bytes - Deleted
Folder C:\WINDOWS\Fonts\' - Removed
Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-22 23:56:27
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UACFLT]
"NextInstance"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UACFLT\0000]
"Service"="uacFlt"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="Plantronics USB Audio Adapter EQ Filter Driver"
"Capabilities"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Session Manager\Memory Management\PrefetchParameters]
"VideoInitTime"=dword:000010d8
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Watchdog\Display]
"ShutdownCount"=dword:00000566
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\SharedAccess\Epoch]
"Epoch"=dword:00003283
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\SPBBCDrv\Parameters]
"Configuration"="C:\Program Files\Common Files\Symantec Shared\SPBBC\2007-11-21-2c9f.kc"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{00CD4987-2CB7-4631-9C5A-182743264320}]
"LeaseObtainedTime"=dword:47449851
"T1"=dword:47454111
"T2"=dword:4745bfa1
"LeaseTerminatesTime"=dword:4745e9d1
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\wscsvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\{00CD4987-2CB7-4631-9C5A-182743264320}\Parameters\Tcpip]
"LeaseObtainedTime"=dword:47449851
"T1"=dword:47454111
"T2"=dword:4745bfa1
"LeaseTerminatesTime"=dword:4745e9d1
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\World of Warcraft\\WoW-1.7.1.4695-to-1.8.0-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.7.1.4695-to-1.8.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.8.3.4807-to-1.8.4.4878-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.8.3.4807-to-1.8.4.4878-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Documents and Settings\\Frogman\\My Documents\\Downloads\\Arathi_Basin_new_EG-downloader.exe"="C:\\Documents and Settings\\Frogman\\My Documents\\Downloads\\Arathi_Basin_new_EG-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.8.4.4878-to-1.9.0.4937-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.8.4.4878-to-1.9.0.4937-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.9.2.4996-to-1.9.3.5059-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.9.2.4996-to-1.9.3.5059-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.9.4.5086-to-1.10.0.5195-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.9.4.5086-to-1.10.0.5195-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Frogman\\My Documents\\Downloads\\wow-ptr-downloader2.exe"="C:\\Documents and Settings\\Frogman\\My Documents\\Downloads\\wow-ptr-downloader2.exe:*:Enabled:Blizzard Downloader"
"C:\\Documents and Settings\\Frogman\\My Documents\\Downloads\\WoW-1.10.2.5302-to-0.11.0.5344-enUS-downloader.exe"="C:\\Documents and Settings\\Frogman\\My Documents\\Downloads\\WoW-1.10.2.5302-to-0.11.0.5344-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"="C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoWTest\\WoW-0.11.0.5383-to-0.11.0.5413-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoWTest\\WoW-0.11.0.5383-to-0.11.0.5413-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.10.2.5302-to-1.11.0.5428-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.10.2.5302-to-1.11.0.5428-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.11.1.5462-to-1.11.2.5464-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.11.1.5462-to-1.11.2.5464-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Documents and Settings\\Frogman\\My Documents\\Downloads\\WoW-1.11.2.5464-to-0.12.0.5496-enUS-downloader.exe"="C:\\Documents and Settings\\Frogman\\My Documents\\Downloads\\WoW-1.11.2.5464-to-0.12.0.5496-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoWTest\\WoW-0.12.0.5537-to-0.12.0.5561-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoWTest\\WoW-0.12.0.5537-to-0.12.0.5561-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\World of Warcraft\\WoW-1.11.2.5464-to-1.12.0.5595-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.11.2.5464-to-1.12.0.5595-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Documents and Settings\\Frogman\\My Documents\\Downloads\\WoW-1.12.0.5595-to-0.12.1.5803-enUS-downloader.exe"="C:\\Documents and Settings\\Frogman\\My Documents\\Downloads\\WoW-1.12.0.5595-to-0.12.1.5803-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Common Files\\AOL\\1152161668\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1152161668\\ee\\aim6.exe:*:Disabled:AIM"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Disabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1152161668\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1152161668\\ee\\aolsoftware.exe:*:Disabled:AOL Services"
"C:\\WINDOWS\\system32\\mmmdajfk.exe"="C:\\WINDOWS\\system32\\mmm"
"C:\\WINDOWS\\system32\\xnfrwhpt.exe"="C:\\WINDOWS\\system32\\xnf"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files:
---------------
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes:
Wed 4 Aug 2004 93,184 A.SH. --- "C:\Program Files\Internet Explorer\iexplore.exe"
Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Mon 1 Jan 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 25 Jan 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 9 Sep 2005 1,740 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Fri 9 Sep 2005 274,904 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico11.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico12.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico13.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico14.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico15.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico16.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico17.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico18.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico19.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico1A.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico1C.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico1D.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico1E.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico1F.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico20.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico23.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico24.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico25.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico26.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico27.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico28.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico29.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico2A.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico2B.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico2C.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico2D.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico2E.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico2F.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico30.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico31.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico32.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico33.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico34.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico35.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico36.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico37.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico38.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico39.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico3A.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico3B.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico3C.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico3D.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico3E.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico3F.tmp"
Fri 16 Nov 2007 4,286 A..H. --- "C:\Deckard\System Scanner\20071120194750\backup\DOCUME~1\Frogman\LOCALS~1\Temp\ico40.tmp"
Finished!
Iminfected
2007-11-23, 07:03
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:37 AM, on 11/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\PerSono\perstray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Documents and Settings\Frogman\Desktop\Iminfected.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Perstray.lnk = ?
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190953039796
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
--
End of file - 6961 bytes
Hi
First we'll need to backup registry:
Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.
Save text below as fix.reg on Notepad (save it as all files (*.*)) on Desktop
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\system32\\mmmdajfk.exe"=-
"C:\\WINDOWS\\system32\\xnfrwhpt.exe"=-
It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif
Doubleclick fix.reg, press Yes and ok.
(In case you are unsure how to create a reg file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Reg_File_) with screenshots.)
Empty these folders:
C:\!KillBox\
C:\VundoFix Backups\
C:\Documents and Settings\Frogman\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar
Empty Recycle Bin
Delete these mails from your Inbox and empty Deleted items:
C:\Documents and Settings\Frogman\Application Data\Thunderbird\Profiles\f122s0od.default\Mail\Local Folders\Inbox/[From postmaster@hotmail.com][Date Thu, 08 Mar 2007 23:12:24 -0800]/Buy_Meds_Here.html Infected: Trojan.JS.Redirector.b skipped
C:\Documents and Settings\Frogman\Application Data\Thunderbird\Profiles\f122s0od.default\Mail\Local Folders\Inbox/[From postmaster@hotmail.com][Date Fri, 09 Mar 2007 08:23:17 -0800]/UNNAMED/UNNAMED/[From Online Rx<Theron@kvbzhjp.com>][Date 9 Mar 2007 08:23:17 -0800]/Buy_Meds_Here.html Infected: Trojan.JS.Redirector.b skipped
C:\Documents and Settings\Frogman\Application Data\Thunderbird\Profiles\f122s0od.default\Mail\Local Folders\Inbox/[From postmaster@hotmail.com][Date Fri, 09 Mar 2007 08:23:17 -0800]/UNNAMED/UNNAMED Infected: Trojan.JS.Redirector.b skipped
C:\Documents and Settings\Frogman\Application Data\Thunderbird\Profiles\f122s0od.default\Mail\Local Folders\Inbox/[From postmaster@hotmail.com][Date Fri, 09 Mar 2007 08:23:17 -0800]/UNNAMED Infected: Trojan.JS.Redirector.b skipped
C:\Documents and Settings\Frogman\Application Data\Thunderbird\Profiles\f122s0od.default\Mail\Local Folders\Inbox Mail Berkeley mbox: infected - 4 skipped
Please download ATF Cleaner by Atribune (http://www.atribune.org/ccount/click.php?id=1) and save
it to desktop.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit to close ATF-Cleaner.
Re-scan with kaspersky
Post:
- a fresh HijackThis log
- kaspersky report
Iminfected
2007-11-24, 06:34
Those mails were not in my thunderbird inbox. So I just deleted the inbox file from each folder. I also reinstalled outlook express and deleted all the mail that was still in there.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:57 PM, on 11/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\PerSono\perstray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Frogman\Desktop\Iminfected.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Perstray.lnk = ?
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190953039796
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
--
End of file - 6604 bytes
Iminfected
2007-11-24, 06:39
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, November 23, 2007 11:32:58 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 24/11/2007
Kaspersky Anti-Virus database records: 464779
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 49060
Number of viruses found: 4
Number of infected objects: 19
Number of suspicious objects: 0
Duration of the scan process: 00:33:12
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-11-23_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\B7344895.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped
C:\Documents and Settings\Frogman\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Frogman\Desktop\backups\backup-20071120-185459-549.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
C:\Documents and Settings\Frogman\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Frogman\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Frogman\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Frogman\Local Settings\History\History.IE5\MSHist012007112320071124\index.dat Object is locked skipped
C:\Documents and Settings\Frogman\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Frogman\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Frogman\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\SDFix\backups\backups.zip/backups/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\SDFix\backups\backups.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP3\A0000038.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP3\A0000039.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP3\A0000040.exe Infected: not-a-virus:PSWTool.Win32.FirePass.a skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP3\A0000041.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP3\A0000043.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP3\A0000044.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP3\A0000045.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP4\A0000078.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP4\A0000079.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP4\A0000080.exe Infected: not-a-virus:PSWTool.Win32.FirePass.a skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP4\A0000081.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP4\A0000083.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP4\A0000084.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP4\A0000085.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP4\A0000090.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP4\A0000095.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP4\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{65F7527F-A529-4CAD-8F54-39E14F2B0335}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\{00000001-00000000-0000000A-00001102-00000004-20021102}.CDF Object is locked skipped
Scan process completed.
Also, I use Firefox. How do I get rid of old java versions? I dont see any in add/remove programs. Or how do I get a newer version?
Thanks again Shaba!!
Hi
"How do I get rid of old java versions? I dont see any in add/remove programs. Or how do I get a newer version?"
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update: Download the latest version of Java Runtime Environment (JRE) 6 Update 3 (http://java.sun.com/javase/downloads/index.jsp) and save it to your desktop.
Scroll down to where it says "Java Runtime Environment (JRE) 6u3...allows end-users to run Java applications".
Click the "Download" button to the right.
Read the License Agreement and then check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.
Logs look good.
All viruses are in system restore and inactive.
I give you later instructions how to empty it.
Other than that, any problems left?
Iminfected
2007-11-24, 22:02
Hi Shaba, no I guess thats it. I really want to thank you for all your help!!! I'm gonna use all the programs listed on these forums to secure my computers from now on. I guess i've been fortunate though. It's been about 2 years since i've had any virus/trojan problems. Do you guys reccomend comodo antuvirus/firewall?
Thanks again buddy!!!
Iminfected
2007-11-25, 00:10
I did a spybot S/D scan and virtumonde and virtumonde.generic came up in it. I'm not sure but these could be in backup logs or somehting that we have fixed? It would help if you could help me remove them altogether so I don't confuse them with another infection. Thank you!!
Iminfected
2007-11-25, 00:46
Sorry about multi reply's "I should have waited to post". Teatimer freaks out when I turn it on with a bunch of BHO stuff so I have to leave it off. I dunno what I should do about that.
Hi
"I did a spybot S/D scan and virtumonde and virtumonde.generic came up in it. I'm not sure but these could be in backup logs or somehting that we have fixed?"
Impossible to know. Re-scan with spybot and post back spybot report, please.
"Teatimer freaks out when I turn it on with a bunch of BHO stuff so I have to leave it off. I dunno what I should do about that."
You can try uninstalling/re-installing spybot and post back if it helped. Post also a fresh HijackThis.
Iminfected
2007-11-25, 23:02
Hi Shaba, Yes reinstalling did fix teatimer. Nothing came up in Spybot this time. I did uninstall some old programs and install some new programs like Spywareblaster and Spywareguard.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:04:17 PM, on 11/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\PerSono\perstray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Frogman\Desktop\Iminfected.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {B4CBF084-F699-4555-ABB7-FF9AAFC3F511} - (no file)
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - (no file)
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Perstray.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190953039796
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O20 - Winlogon Notify: qommmkk - C:\WINDOWS\
O20 - Winlogon Notify: xwniioah - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 6187 bytes
Iminfected
2007-11-25, 23:03
Here is a new Kaspersky log also.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, November 25, 2007 5:44:03 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/11/2007
Kaspersky Anti-Virus database records: 465303
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 63381
Number of viruses found: 4
Number of infected objects: 19
Number of suspicious objects: 0
Duration of the scan process: 00:35:52
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Comodo\Comodo AntiVirus\cav.lock Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Comodo\Comodo AntiVirus\TroubleShootLog\cavasm.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Comodo\Comodo AntiVirus\TroubleShootLog\monln.log Object is locked skipped
C:\Documents and Settings\Frogman\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Frogman\Desktop\backups\backup-20071120-185459-549.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
C:\Documents and Settings\Frogman\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Frogman\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Frogman\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Frogman\Local Settings\Temp\~DFA2D7.tmp Object is locked skipped
C:\Documents and Settings\Frogman\Local Settings\Temp\~DFDB50.tmp Object is locked skipped
C:\Documents and Settings\Frogman\Local Settings\Temp\~DFF44E.tmp Object is locked skipped
C:\Documents and Settings\Frogman\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Frogman\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Frogman\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\SDFix\backups\backups.zip/backups/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\SDFix\backups\backups.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP3\A0000038.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP3\A0000039.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP3\A0000040.exe Infected: not-a-virus:PSWTool.Win32.FirePass.a skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP3\A0000041.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP3\A0000043.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP3\A0000044.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP3\A0000045.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP4\A0000078.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP4\A0000079.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP4\A0000080.exe Infected: not-a-virus:PSWTool.Win32.FirePass.a skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP4\A0000081.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP4\A0000083.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP4\A0000084.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP4\A0000085.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP4\A0000090.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP4\A0000095.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP7\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{CF665FA1-344A-4BA1-879E-3765AEFCF2D7}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\{00000001-00000000-0000000A-00001102-00000004-20021102}.CDF Object is locked skipped
Scan process completed.
Hi
Empty this folder:
C:\SDFix\backups\
Empty Recycle Bin
Still problems?
Iminfected
2007-11-26, 22:48
I don't know if it's a problem or if its causeing any. Looks like it removed 2 from the Kaspersky log. If these are'nt harming my system anymore then I suppose we are done.
New logs.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, November 26, 2007 3:27:34 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/11/2007
Kaspersky Anti-Virus database records: 466028
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 62854
Number of viruses found: 4
Number of infected objects: 17
Number of suspicious objects: 0
Duration of the scan process: 00:36:27
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Comodo\Comodo AntiVirus\TroubleShootLog\cavasm.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Comodo\Comodo AntiVirus\TroubleShootLog\monln.log Object is locked skipped
C:\Documents and Settings\Frogman\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Frogman\Desktop\backups\backup-20071120-185459-549.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
C:\Documents and Settings\Frogman\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Frogman\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Frogman\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Frogman\Local Settings\History\History.IE5\MSHist012007112620071127\index.dat Object is locked skipped
C:\Documents and Settings\Frogman\Local Settings\Temp\~DF8902.tmp Object is locked skipped
C:\Documents and Settings\Frogman\Local Settings\Temp\~DFAF86.tmp Object is locked skipped
C:\Documents and Settings\Frogman\Local Settings\Temp\~DFFFF4.tmp Object is locked skipped
C:\Documents and Settings\Frogman\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Frogman\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Frogman\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP3\A0000038.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP3\A0000039.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP3\A0000040.exe Infected: not-a-virus:PSWTool.Win32.FirePass.a skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP3\A0000041.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP3\A0000043.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP3\A0000044.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP3\A0000045.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP4\A0000078.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP4\A0000079.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP4\A0000080.exe Infected: not-a-virus:PSWTool.Win32.FirePass.a skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP4\A0000081.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP4\A0000083.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP4\A0000084.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP4\A0000085.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP4\A0000090.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP4\A0000095.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\System Volume Information\_restore{9C4AEE17-2676-4946-989D-703E5BBB5A2E}\RP8\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{3E38107D-75A8-4665-9FB5-04155DEF372F}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\{00000001-00000000-0000000A-00001102-00000004-20021102}.CDF Object is locked skipped
Scan process completed.
Iminfected
2007-11-26, 22:49
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:53:04 PM, on 11/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\PerSono\perstray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Frogman\Desktop\Iminfected.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {B4CBF084-F699-4555-ABB7-FF9AAFC3F511} - (no file)
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - (no file)
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Perstray.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190953039796
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O20 - Winlogon Notify: qommmkk - C:\WINDOWS\
O20 - Winlogon Notify: xwniioah - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 6220 bytes
Hi
Logs look good.
All viruses are in system restore and inactive.
I give you later instructions how to empty it.
Other than that, any problems left?
Iminfected
2007-11-28, 02:26
Great thanks! No I guess thats it.
Hi
Then you're clean!
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
You can fix these, they're leftovers:
O2 - BHO: (no name) - {B4CBF084-F699-4555-ABB7-FF9AAFC3F511} - (no file)
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - (no file)
O20 - Winlogon Notify: qommmkk - C:\WINDOWS\
O20 - Winlogon Notify: xwniioah - C:\WINDOWS\
Next we remove all used tools.
Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) and save it to desktop.
Double-click OTMoveIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, please allow it to do so.
Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
You can find instructions on how to enable and re-enable system restore here:
Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)
Re-enable system restore with instructions from tutorial above
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.
Here are some additional utilities that will enhance your safety
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar (http://toolbar.google.com/) <= Get the free google toolbar to help stop pop up windows.
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)
Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)
Happy surfing and stay clean!
Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.