View Full Version : Virtumonde and other nasty things!
Please, somebody help me !!!:eek::eek::eek:
Recently my computer was infected by Virtumonde virus (at least Spybot said so) and I can't do anything about it. It aledgedly erase it but after rebooting it's here again. My NOD32 is freaking out, reporting some various threats (Adware.Ezula, Adware.SecToolbar, TrojanProxy.Wopla, BHO.G Trojan and finally AdwareVirtumonde application). I tried to fix it manually, (tried to resolve it with vundofix and combofix but no success), since I had some experience with this kind of problems, but it seems that was too much for me.
Except this I suspect there are some other malicious stuff, so I wouldn't mind if you could help with those too.
I'm posting HJT log file, hopefully somebody will know what to do.
Sorry, but I didn't post Kaspersky Online Scanner log, I tried it but it lasted forever so I never finished scanning.
P.S. Sorry for my English if I have made some writing or grammar mistakes.:oops:
HERE'S THE HJT LOG FILE:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:39:16, on 11/21/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.eunet.yu:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.eunet.yu;*.eunet.yu;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: {67c2c864-f944-17cb-f9f4-5033b0d560f6} - {6f065d0b-3305-4f9f-bc71-449f468c2c76} - C:\WINDOWS\System32\khicetfk.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B0EA6244-E349-4C46-BE8B-22F85D0047D2} - C:\WINDOWS\System32\awtqn.dll (file missing)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Anti-Blaxx Manager] C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [Desktop Service] C:\Program Files\Free-Soft\Virtual Desktop\DesktopLoader.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [cc7895f6] rundll32.exe "C:\WINDOWS\System32\fmuadynm.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Sid Registration.lnk = F:\ATR1.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Microsoft AntiSpyware helper - {19DD688F-FAA3-49F5-AEEE-5A8C550A403B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {19DD688F-FAA3-49F5-AEEE-5A8C550A403B} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O15 - Trusted Zone: www.vetup.minpolj.sr.gov.yu
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} (PowerTeam HTML Printing Behavior) - http://www.vetup.minpolj.sr.gov.yu/VetUp/include/reportengine/PrinterBvr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D515463C-AD78-4558-AAAD-6973E8741F5B}: NameServer = 194.247.192.33 194.247.192.1
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
--
End of file - 7553 bytes
Hello acoas
Welcome to Safer Networking.
Please read Before YouPost (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.
You do have some things going on that we need to fix, Not to worry about your english, your doing just fine :bigthumb:
First thing I would do in uninstall both these programs from your Add Remove Programs in the Control Panel
C:\Program Files\Security iGuard<-- This is a rogue program and not recommended
C:\Program Files\ClockSync <-- is bundled with Spyware
Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.
O2 - BHO: {67c2c864-f944-17cb-f9f4-5033b0d560f6} - {6f065d0b-3305-4f9f-bc71-449f468c2c76} - C:\WINDOWS\System32\khicetfk.dll (file missing)
O2 - BHO: (no name) - {B0EA6244-E349-4C46-BE8B-22F85D0047D2} - C:\WINDOWS\System32\awtqn.dll (file missing)
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [cc7895f6] rundll32.exe "C:\WINDOWS\System32\fmuadynm.dll",b
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: Microsoft AntiSpyware helper - {19DD688F-FAA3-49F5-AEEE-5A8C550A403B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {19DD688F-FAA3-49F5-AEEE-5A8C550A403B} - (no file) (HKCU)
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
Download VundoFix (http://www.atribune.org/ccount/click.php?id=4 ) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
This is important , do this before you post a new log
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe<-- Right click on Hijackthis.exe ( looks like a man with a spyglass ) and rename it to Scanner.exe
Let me see the Vundo report, the Combofix report and a new HJT log renamed please.
Hi!
First, I didn't found these programs in my Add Remove Programs section in the Control Panel, or even on their supposed locations:
C:\Program Files\Security iGuard
C:\Program Files\ClockSync
Second, I did everything else:
VUNDO REPORT
VundoFix V6.6.2
Checking Java version...
Java version is 1.5.0.7
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Scan started at 23:17:06 11/21/2007
Listing files found while scanning....
No infected files were found.
COMBOFIX REPORT
ComboFix 07-11-19.3 - ALEKSANDAR 2007-11-21 23:51:49.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.187 [GMT 1:00]
Running from: C:\Documents and Settings\ALEKSANDAR\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2007-10-21 to 2007-11-21 )))))))))))))))))))))))))))))))
.
2007-11-21 16:37 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-17 14:05 82,496 --a------ C:\WINDOWS\system32\umuqdwbe.dll
2007-11-17 00:11 81,984 --a------ C:\WINDOWS\system32\ksjanive.dll
2007-11-16 22:00 <DIR> d-------- C:\Program Files\Hattrick Coach Professional new
2007-11-16 20:08 81,984 --a------ C:\WINDOWS\system32\kotwmjsk.dll
2007-11-16 20:02 679,941 ---hs---- C:\WINDOWS\system32\mnydaumf.ini
2007-11-15 19:51 669,500 ---hs---- C:\WINDOWS\system32\mpnmbfcq.ini
2007-11-14 21:45 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-14 19:59 671,627 ---hs---- C:\WINDOWS\system32\kgorpbos.ini
2007-11-14 17:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-13 19:46 88,128 --a------ C:\WINDOWS\system32\jisblxpe.dll
2007-11-11 12:45 79,936 --a------ C:\WINDOWS\system32\kmcsqhtn.dll
2007-11-10 15:44 36,352 --a------ C:\WINDOWS\system32\tuvvwxy.dll
2007-11-10 15:43 36,352 --a------ C:\WINDOWS\system32\opnoolj.dll
2007-11-10 15:42 32,764 --a------ C:\WINDOWS\17PHolmes572.exe
2007-11-02 19:39 <DIR> d-------- C:\Program Files\Clickster
2007-10-28 21:05 <DIR> d-------- C:\Program Files\Amiglobe 2006
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-21 22:50 --------- d-----w C:\Documents and Settings\ALEKSANDAR\Application Data\Free Download Manager
2007-11-21 13:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-20 19:54 --------- d-----w C:\Program Files\HT Ratings
2007-11-17 12:51 82,496 ----a-w C:\WINDOWS\system32\xepnqktt.dll
2007-11-16 23:22 81,984 ----a-w C:\WINDOWS\system32\vmndgpur.dll
2007-11-16 23:17 81,984 ----a-w C:\WINDOWS\system32\ctwakkkh.dll
2007-11-16 23:06 81,984 ----a-w C:\WINDOWS\system32\gcndbhpd.dll
2007-11-16 23:01 81,984 ----a-w C:\WINDOWS\system32\wjfbmcud.dll
2007-11-16 22:21 81,984 ----a-w C:\WINDOWS\system32\eauayrdu.dll
2007-11-16 19:28 --------- d-----w C:\Documents and Settings\ALEKSANDAR\Application Data\GameHouse
2007-11-16 19:27 --------- d-----w C:\Program Files\GameHouse
2007-11-15 18:53 79,936 ----a-w C:\WINDOWS\system32\eumhnadx.dll
2007-11-15 16:05 --------- d-----w C:\Program Files\SokkerViewer j
2007-11-15 01:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-10 14:59 502,208 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2007-11-10 14:59 270,336 ----a-w C:\WINDOWS\system32\imon.dll
2007-11-10 14:43 36,352 ----a-w C:\WINDOWS\system32\gebabay.dll
2007-11-06 17:54 --------- d-----w C:\Program Files\HattrickOk
2007-11-03 14:07 --------- d-----w C:\Program Files\SHISEN
2007-11-02 16:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\MumboJumbo
2007-10-23 17:57 --------- d-----w C:\Program Files\Gham
2007-10-20 11:43 --------- d-----w C:\Documents and Settings\ALEKSANDAR\Application Data\Super-Cow
2007-10-15 14:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecretsOfOlympus
2007-10-14 10:09 --------- d-----w C:\Documents and Settings\ALEKSANDAR\Application Data\vlc
2007-10-14 10:07 --------- d-----w C:\Program Files\VideoLAN
2007-10-13 23:02 --------- d-----w C:\Program Files\QuickTime Alternative
2007-10-13 23:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-13 21:18 --------- d-----w C:\Program Files\Apple Software Update
2007-10-13 21:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-10-13 19:50 --------- d-----w C:\Program Files\Player
2007-10-13 19:37 --------- d-----w C:\Program Files\3GP Player
2007-10-13 11:21 --------- d-----w C:\Documents and Settings\ALEKSANDAR\Application Data\iWin
2007-10-08 19:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-10-08 19:28 --------- d-----w C:\Documents and Settings\ALEKSANDAR\Application Data\PlayFirst
2007-10-08 17:30 --------- d-----w C:\Documents and Settings\ALEKSANDAR\Application Data\gemsweeperextractedgfx
2007-10-08 17:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\My Games
2007-10-07 19:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\GameHouse
2007-10-06 18:11 --------- d-----w C:\Documents and Settings\ALEKSANDAR\Application Data\uTorrent
2007-10-04 17:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\HipSoft
2007-09-27 05:18 --------- d-----w C:\Documents and Settings\ALEKSANDAR\Application Data\ArcSoft
2007-09-27 05:13 --------- d-----w C:\Program Files\ArcSoft
2007-09-22 11:32 --------- d-----w C:\Program Files\Audacity
2006-03-18 21:37 560 ----a-w C:\Program Files\Global.sw
2005-07-30 20:20 524,300 ----a-w C:\Documents and Settings\ALEKSANDAR\Application Data\position.bin
2005-02-25 19:00 573,440 ----a-w C:\Documents and Settings\ALEKSANDAR\Application Data\arasan.exe
2005-02-25 18:21 1,179,648 ----a-w C:\Documents and Settings\ALEKSANDAR\Application Data\book.bin
2005-02-25 18:14 1,118,208 ----a-w C:\Documents and Settings\ALEKSANDAR\Application Data\arasanx.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 02:41]
"TASKMGRU"="" []
"MSIMN32"="" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2001-08-23 13:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2003-09-05 15:59 C:\WINDOWS\system32\nwiz.exe]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 14:43]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]
"Anti-Blaxx Manager"="C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe" [2005-05-18 16:08]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 05:03]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 05:03]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 15:07]
"SysMetrix"="C:\Program Files\SysMetrix\SysMetrix.exe" []
"Desktop Service"="C:\Program Files\Free-Soft\Virtual Desktop\DesktopLoader.exe" []
"AGRSMMSG"="AGRSMMSG.exe" [2005-06-30 06:16 C:\WINDOWS\AGRSMMSG.exe]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-11-10 15:59]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 00:19:50]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-24 14:57:38]
VIA RAID TOOL.lnk - C:\Program Files\VIA\RAID\raid_tool.exe [2004-07-21 09:14:21]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeviceDiscovery]
2003-05-21 17:37 229437 --a------ C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-10-23 18:51 233472 --a------ C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2003-06-25 10:24 49152 --a------ C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ins3DT]
E:\INSTALL4\INS3DT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
R0 MrFilter;EasyWrite Driver;C:\WINDOWS\System32\drivers\MrFilter.sys
R0 viasraid;viasraid;C:\WINDOWS\System32\drivers\viasraid.sys
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe
S2 Ca533av;Icatch(IV) Video Camera Device;C:\WINDOWS\System32\Drivers\Ca533av.sys
S3 FreshIO;FreshIO;\??\C:\Program Files\FreshDevices\FreshDiagnose\FreshIO.sys
S3 jnv4_mib;jnv4_mib;\??\C:\DOCUME~1\ALEKSA~1\LOCALS~1\Temp\jnv4_mib.sys
S3 k600bus;Sony Ericsson 600i driver (WDM);C:\WINDOWS\System32\DRIVERS\k600bus.sys
S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;C:\WINDOWS\System32\DRIVERS\k600mdfl.sys
S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;C:\WINDOWS\System32\DRIVERS\k600mdm.sys
S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;C:\WINDOWS\System32\DRIVERS\k600mgmt.sys
S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;C:\WINDOWS\System32\DRIVERS\k600obex.sys
S3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\System32\DRIVERS\ptserlp.sys
S3 RegGuard;RegGuard;\??\C:\WINDOWS\System32\Drivers\regguard.sys
S3 USBCamera;Icatch(IV) Still Camera Device;C:\WINDOWS\System32\Drivers\Bulk533.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-11-03 22:59:11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-21 21:13:23 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-21 23:56:13
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2007-11-21 23:57:38
C:\ComboFix2.txt ... 2007-11-17 18:45
.
--- E O F ---
HJT LOG (renamed)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:00:42, on 11/22/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\System32\cmd.exe
C:\ComboFix\vfind.cfexe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.eunet.yu:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.eunet.yu;*.eunet.yu;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Anti-Blaxx Manager] C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [Desktop Service] C:\Program Files\Free-Soft\Virtual Desktop\DesktopLoader.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Sid Registration.lnk = F:\ATR1.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O15 - Trusted Zone: www.vetup.minpolj.sr.gov.yu
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} (PowerTeam HTML Printing Behavior) - http://www.vetup.minpolj.sr.gov.yu/VetUp/include/reportengine/PrinterBvr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D515463C-AD78-4558-AAAD-6973E8741F5B}: NameServer = 194.247.192.33 194.247.192.1
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
--
End of file - 6607 bytes
Thanks in advance!!! :D:
Hello acoas,
After your clean, you need to update your Operating System to Service Pack 2 or your going to keep getting iinfected, don't do it yet, I will give you instructions once your system is clean.
Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad
File::
C:\WINDOWS\system32\umuqdwbe.dll
C:\WINDOWS\system32\ksjanive.dll
C:\WINDOWS\system32\kotwmjsk.dll
C:\WINDOWS\system32\mnydaumf.ini
C:\WINDOWS\system32\mpnmbfcq.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\kgorpbos.ini
C:\WINDOWS\system32\jisblxpe.dll
C:\WINDOWS\system32\kmcsqhtn.dll
C:\WINDOWS\system32\tuvvwxy.dll
C:\WINDOWS\system32\opnoolj.dll
C:\WINDOWS\17PHolmes572.exe
C:\WINDOWS\system32\xepnqktt.dll
C:\WINDOWS\system32\vmndgpur.dll
C:\WINDOWS\system32\ctwakkkh.dll
C:\WINDOWS\system32\gcndbhpd.dll
C:\WINDOWS\system32\wjfbmcud.dll
C:\WINDOWS\system32\eauayrdu.dll
C:\WINDOWS\system32\eumhnadx.dll
C:\WINDOWS\system32\gebabay.dll
Folder::
C:\Program Files\Security iGuard
C:\Program Files\ClockSync
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
OK, it seems that we are getting somewhere... :bigthumb:
Here's the COMBOFIX LOG
ComboFix 07-11-19.3 - ALEKSANDAR 2007-11-22 16:04:30.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.267 [GMT 1:00]
Running from: C:\Documents and Settings\ALEKSANDAR\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ALEKSANDAR\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\WINDOWS\17PHolmes572.exe
C:\WINDOWS\system32\ctwakkkh.dll
C:\WINDOWS\system32\eauayrdu.dll
C:\WINDOWS\system32\eumhnadx.dll
C:\WINDOWS\system32\gcndbhpd.dll
C:\WINDOWS\system32\gebabay.dll
C:\WINDOWS\system32\jisblxpe.dll
C:\WINDOWS\system32\kgorpbos.ini
C:\WINDOWS\system32\kmcsqhtn.dll
C:\WINDOWS\system32\kotwmjsk.dll
C:\WINDOWS\system32\ksjanive.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mnydaumf.ini
C:\WINDOWS\system32\mpnmbfcq.ini
C:\WINDOWS\system32\opnoolj.dll
C:\WINDOWS\system32\tuvvwxy.dll
C:\WINDOWS\system32\umuqdwbe.dll
C:\WINDOWS\system32\vmndgpur.dll
C:\WINDOWS\system32\wjfbmcud.dll
C:\WINDOWS\system32\xepnqktt.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\17PHolmes572.exe
C:\WINDOWS\system32\ctwakkkh.dll
C:\WINDOWS\system32\eauayrdu.dll
C:\WINDOWS\system32\eumhnadx.dll
C:\WINDOWS\system32\gcndbhpd.dll
C:\WINDOWS\system32\gebabay.dll
C:\WINDOWS\system32\jisblxpe.dll
C:\WINDOWS\system32\kgorpbos.ini
C:\WINDOWS\system32\kmcsqhtn.dll
C:\WINDOWS\system32\kotwmjsk.dll
C:\WINDOWS\system32\ksjanive.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mnydaumf.ini
C:\WINDOWS\system32\mpnmbfcq.ini
C:\WINDOWS\system32\opnoolj.dll
C:\WINDOWS\system32\tuvvwxy.dll
C:\WINDOWS\system32\umuqdwbe.dll
C:\WINDOWS\system32\vmndgpur.dll
C:\WINDOWS\system32\wjfbmcud.dll
C:\WINDOWS\system32\xepnqktt.dll
.
((((((((((((((((((((((((( Files Created from 2007-10-22 to 2007-11-22 )))))))))))))))))))))))))))))))
.
2007-11-21 16:37 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-17 17:01 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-11-16 22:00 <DIR> d-------- C:\Program Files\Hattrick Coach Professional new
2007-11-14 17:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-13 19:46 583,184 ---hs---- C:\WINDOWS\system32\epxlbsij.ini
2007-11-12 14:18 827,598 ---hs---- C:\WINDOWS\system32\egyxevag.ini
2007-11-10 15:59 502,208 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-11-02 19:39 <DIR> d-------- C:\Program Files\Clickster
2007-10-28 21:05 <DIR> d-------- C:\Program Files\Amiglobe 2006
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-21 22:50 --------- d-----w C:\Documents and Settings\ALEKSANDAR\Application Data\Free Download Manager
2007-11-21 13:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-21 13:49 --------- d-----w C:\Program Files\Paradox Interactive
2007-11-20 19:54 --------- d-----w C:\Program Files\HT Ratings
2007-11-16 19:28 --------- d-----w C:\Documents and Settings\ALEKSANDAR\Application Data\GameHouse
2007-11-16 19:27 --------- d-----w C:\Program Files\GameHouse
2007-11-15 16:05 --------- d-----w C:\Program Files\SokkerViewer j
2007-11-15 01:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-06 17:54 --------- d-----w C:\Program Files\HattrickOk
2007-11-03 14:07 --------- d-----w C:\Program Files\SHISEN
2007-11-02 16:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\MumboJumbo
2007-10-23 17:57 --------- d-----w C:\Program Files\Gham
2007-10-20 11:43 --------- d-----w C:\Documents and Settings\ALEKSANDAR\Application Data\Super-Cow
2007-10-15 14:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecretsOfOlympus
2007-10-14 10:09 --------- d-----w C:\Documents and Settings\ALEKSANDAR\Application Data\vlc
2007-10-14 10:07 --------- d-----w C:\Program Files\VideoLAN
2007-10-13 23:02 --------- d-----w C:\Program Files\QuickTime Alternative
2007-10-13 23:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-13 21:18 --------- d-----w C:\Program Files\Apple Software Update
2007-10-13 21:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-10-13 19:50 --------- d-----w C:\Program Files\Player
2007-10-13 19:37 --------- d-----w C:\Program Files\3GP Player
2007-10-13 11:21 --------- d-----w C:\Documents and Settings\ALEKSANDAR\Application Data\iWin
2007-10-08 19:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-10-08 19:28 --------- d-----w C:\Documents and Settings\ALEKSANDAR\Application Data\PlayFirst
2007-10-08 17:30 --------- d-----w C:\Documents and Settings\ALEKSANDAR\Application Data\gemsweeperextractedgfx
2007-10-08 17:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\My Games
2007-10-07 19:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\GameHouse
2007-10-06 18:11 --------- d-----w C:\Documents and Settings\ALEKSANDAR\Application Data\uTorrent
2007-10-04 17:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\HipSoft
2007-09-27 05:18 --------- d-----w C:\Documents and Settings\ALEKSANDAR\Application Data\ArcSoft
2007-09-27 05:13 --------- d-----w C:\Program Files\ArcSoft
2007-09-22 11:32 --------- d-----w C:\Program Files\Audacity
2006-03-18 21:37 560 ----a-w C:\Program Files\Global.sw
2005-07-30 20:20 524,300 ----a-w C:\Documents and Settings\ALEKSANDAR\Application Data\position.bin
2005-02-25 19:00 573,440 ----a-w C:\Documents and Settings\ALEKSANDAR\Application Data\arasan.exe
2005-02-25 18:21 1,179,648 ----a-w C:\Documents and Settings\ALEKSANDAR\Application Data\book.bin
2005-02-25 18:14 1,118,208 ----a-w C:\Documents and Settings\ALEKSANDAR\Application Data\arasanx.exe
.
((((((((((((((((((((((((((((( snapshot@2007-11-21_23.56.25.33 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-21 21:12:35 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-11-22 05:13:00 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-11-21 21:12:35 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-22 05:13:00 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-11-21 21:12:35 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-11-22 05:13:00 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 02:41]
"TASKMGRU"="" []
"MSIMN32"="" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2001-08-23 13:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2003-09-05 15:59 C:\WINDOWS\system32\nwiz.exe]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 14:43]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]
"Anti-Blaxx Manager"="C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe" [2005-05-18 16:08]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 05:03]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 05:03]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 15:07]
"SysMetrix"="C:\Program Files\SysMetrix\SysMetrix.exe" []
"Desktop Service"="C:\Program Files\Free-Soft\Virtual Desktop\DesktopLoader.exe" []
"AGRSMMSG"="AGRSMMSG.exe" [2005-06-30 06:16 C:\WINDOWS\AGRSMMSG.exe]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-11-10 15:59]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 00:19:50]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-24 14:57:38]
VIA RAID TOOL.lnk - C:\Program Files\VIA\RAID\raid_tool.exe [2004-07-21 09:14:21]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeviceDiscovery]
2003-05-21 17:37 229437 --a------ C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-10-23 18:51 233472 --a------ C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2003-06-25 10:24 49152 --a------ C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ins3DT]
E:\INSTALL4\INS3DT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
R0 MrFilter;EasyWrite Driver;C:\WINDOWS\System32\drivers\MrFilter.sys
R0 viasraid;viasraid;C:\WINDOWS\System32\drivers\viasraid.sys
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe
S2 Ca533av;Icatch(IV) Video Camera Device;C:\WINDOWS\System32\Drivers\Ca533av.sys
S3 FreshIO;FreshIO;\??\C:\Program Files\FreshDevices\FreshDiagnose\FreshIO.sys
S3 jnv4_mib;jnv4_mib;\??\C:\DOCUME~1\ALEKSA~1\LOCALS~1\Temp\jnv4_mib.sys
S3 k600bus;Sony Ericsson 600i driver (WDM);C:\WINDOWS\System32\DRIVERS\k600bus.sys
S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;C:\WINDOWS\System32\DRIVERS\k600mdfl.sys
S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;C:\WINDOWS\System32\DRIVERS\k600mdm.sys
S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;C:\WINDOWS\System32\DRIVERS\k600mgmt.sys
S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;C:\WINDOWS\System32\DRIVERS\k600obex.sys
S3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\System32\DRIVERS\ptserlp.sys
S3 RegGuard;RegGuard;\??\C:\WINDOWS\System32\Drivers\regguard.sys
S3 USBCamera;Icatch(IV) Still Camera Device;C:\WINDOWS\System32\Drivers\Bulk533.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-11-03 22:59:11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-22 05:13:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-22 16:11:50
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2007-11-22 16:13:44 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-21 23:57
C:\ComboFix3.txt ... 2007-11-17 18:45
.
--- E O F ---
... and here is my HJT LOG
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:16:13, on 11/22/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.eunet.yu:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.eunet.yu;*.eunet.yu;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Anti-Blaxx Manager] C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [Desktop Service] C:\Program Files\Free-Soft\Virtual Desktop\DesktopLoader.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Sid Registration.lnk = F:\ATR1.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O15 - Trusted Zone: www.vetup.minpolj.sr.gov.yu
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} (PowerTeam HTML Printing Behavior) - http://www.vetup.minpolj.sr.gov.yu/VetUp/include/reportengine/PrinterBvr.cab
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
--
End of file - 6401 bytes
By the way, last night I tried to scan My computer with Kaspersky Online Scanner. It took more then 6 hours to scan around 28% of files on my local discs, so I couldn't finish what I have started.
Maybe this wouldn't help you at all but anyway I'm posting the part of this log (those 28%)
Wednesday, November 21, 2007 23:01:05
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/11/2007
Kaspersky Anti-Virus database records: 462774
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
Scan Statistics
Total number of scanned objects 88431
Number of viruses found 8
Number of infected objects 59
Number of suspicious objects 0
Duration of the scan process 06:05:40
Infected Object Name Virus Name Last Action
C:\Documents and Settings\ALEKSANDAR\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\ALEKSANDAR\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\ALEKSANDAR\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\ALEKSANDAR\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ALEKSANDAR\Local Settings\History\History.IE5\MSHist012007112120071122\index.dat Object is locked skipped
C:\Documents and Settings\ALEKSANDAR\Local Settings\Temp\Free Download Manager\tic9.tmp Object is locked skipped
C:\Documents and Settings\ALEKSANDAR\Local Settings\Temp\~DFAA0E.tmp Object is locked skipped
C:\Documents and Settings\ALEKSANDAR\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ALEKSANDAR\My Documents\My Movies\DiVX\Original Sin\Install\Player\RadLight 3.03 R5.2\RadLight3.exe/data0036/SaveNow.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ag skipped
C:\Documents and Settings\ALEKSANDAR\My Documents\My Movies\DiVX\Original Sin\Install\Player\RadLight 3.03 R5.2\RadLight3.exe/data0036/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.aw skipped
C:\Documents and Settings\ALEKSANDAR\My Documents\My Movies\DiVX\Original Sin\Install\Player\RadLight 3.03 R5.2\RadLight3.exe/data0036 Infected: not-a-virus:AdWare.Win32.SaveNow.aw skipped
C:\Documents and Settings\ALEKSANDAR\My Documents\My Movies\DiVX\Original Sin\Install\Player\RadLight 3.03 R5.2\RadLight3.exe/data0037 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\ALEKSANDAR\My Documents\My Movies\DiVX\Original Sin\Install\Player\RadLight 3.03 R5.2\RadLight3.exe Inno: infected - 4 skipped
C:\Documents and Settings\ALEKSANDAR\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\ALEKSANDAR\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Downloads\baby_balloons.exe/file7 Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Downloads\baby_balloons.exe Inno: infected - 1 skipped
C:\Downloads\brgcg203.exe/run.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.aan skipped
C:\Downloads\brgcg203.exe/run.exe/stream Infected: Trojan-Downloader.Win32.Zlob.aan skipped
C:\Downloads\brgcg203.exe/run.exe Infected: Trojan-Downloader.Win32.Zlob.aan skipped
C:\Downloads\brgcg203.exe ZIP: infected - 3 skipped
C:\Downloads\Cake_Mania_v1[1].0_Cracked_WORKING-TNT\run.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.aum skipped
C:\Downloads\Cake_Mania_v1[1].0_Cracked_WORKING-TNT\run.exe/stream Infected: Trojan-Downloader.Win32.Zlob.aum skipped
C:\Downloads\Cake_Mania_v1[1].0_Cracked_WORKING-TNT\run.exe NSIS: infected - 2 skipped
C:\Downloads\Cake_Mania_v1[1].0_Cracked_WORKING-TNT\run.exe UPX: infected - 2 skipped
C:\Downloads\Cake_Mania_v1[1].0_Cracked_WORKING-TNT\run.exe PE_Patch.UPX: infected - 2 skipped
C:\Downloads\Chameleon_Gems_v1[1].07_Cracked-TNT\run.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.aum skipped
C:\Downloads\Chameleon_Gems_v1[1].07_Cracked-TNT\run.exe/stream Infected: Trojan-Downloader.Win32.Zlob.aum skipped
C:\Downloads\Chameleon_Gems_v1[1].07_Cracked-TNT\run.exe NSIS: infected - 2 skipped
C:\Downloads\Chameleon_Gems_v1[1].07_Cracked-TNT\run.exe UPX: infected - 2 skipped
C:\Downloads\Chameleon_Gems_v1[1].07_Cracked-TNT\run.exe PE_Patch.UPX: infected - 2 skipped
C:\Downloads\cherry_cook.exe/file12 Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Downloads\cherry_cook.exe Inno: infected - 1 skipped
C:\Downloads\Cubis Gold 2 (GameHouse) by Knetus.exe/run.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.aan skipped
C:\Downloads\Cubis Gold 2 (GameHouse) by Knetus.exe/run.exe/stream Infected: Trojan-Downloader.Win32.Zlob.aan skipped
C:\Downloads\Cubis Gold 2 (GameHouse) by Knetus.exe/run.exe Infected: Trojan-Downloader.Win32.Zlob.aan skipped
C:\Downloads\Cubis Gold 2 (GameHouse) by Knetus.exe ZIP: infected - 3 skipped
C:\Downloads\Cubis Gold 2 v1.03 Crack.exe/run.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.aan skipped
C:\Downloads\Cubis Gold 2 v1.03 Crack.exe/run.exe/stream Infected: Trojan-Downloader.Win32.Zlob.aan skipped
C:\Downloads\Cubis Gold 2 v1.03 Crack.exe/run.exe Infected: Trojan-Downloader.Win32.Zlob.aan skipped
C:\Downloads\Cubis Gold 2 v1.03 Crack.exe ZIP: infected - 3 skipped
C:\Downloads\Delicious_Deluxe_v1[1].0_Cracked-TNT\run.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.aum skipped
C:\Downloads\Delicious_Deluxe_v1[1].0_Cracked-TNT\run.exe/stream Infected: Trojan-Downloader.Win32.Zlob.aum skipped
C:\Downloads\Delicious_Deluxe_v1[1].0_Cracked-TNT\run.exe NSIS: infected - 2 skipped
C:\Downloads\Delicious_Deluxe_v1[1].0_Cracked-TNT\run.exe UPX: infected - 2 skipped
C:\Downloads\Delicious_Deluxe_v1[1].0_Cracked-TNT\run.exe PE_Patch.UPX: infected - 2 skipped
C:\Downloads\eastern_mahjong.exe/file7 Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Downloads\eastern_mahjong.exe Inno: infected - 1 skipped
C:\Downloads\Gamehouse.CUBIS.GOLD.2.v1.03_CRK-FFF.exe/run.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.aan skipped
C:\Downloads\Gamehouse.CUBIS.GOLD.2.v1.03_CRK-FFF.exe/run.exe/stream Infected: Trojan-Downloader.Win32.Zlob.aan skipped
C:\Downloads\Gamehouse.CUBIS.GOLD.2.v1.03_CRK-FFF.exe/run.exe Infected: Trojan-Downloader.Win32.Zlob.aan skipped
C:\Downloads\Gamehouse.CUBIS.GOLD.2.v1.03_CRK-FFF.exe ZIP: infected - 3 skipped
C:\Downloads\GameHouse.Mystery.Case.Files.Huntsville.v1.2_CRKDLL-FFF.exe/run.exe Infected: Trojan-Downloader.Win32.Zlob.vg skipped
C:\Downloads\GameHouse.Mystery.Case.Files.Huntsville.v1.2_CRKDLL-FFF.exe ZIP: infected - 1 skipped
C:\Downloads\help_santa.exe/file07 Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Downloads\help_santa.exe Inno: infected - 1 skipped
C:\Downloads\Karu (GameHouse) by Knetus.exe/run.exe Infected: Trojan-Downloader.Win32.Zlob.vg skipped
C:\Downloads\Karu (GameHouse) by Knetus.exe ZIP: infected - 1 skipped
C:\Downloads\snd-atlantisquest1.0.cracked.exe.exe/run.exe Infected: Trojan-Downloader.Win32.Zlob.vg skipped
C:\Downloads\snd-atlantisquest1.0.cracked.exe.exe ZIP: infected - 1 skipped
C:\Downloads\snd-teddyfactory1.0.cracked.exe.exe/run.exe/data0007 Infected: Trojan-Downloader.Win32.Zlob.xp skipped
C:\Downloads\snd-teddyfactory1.0.cracked.exe.exe/run.exe/data0008 Infected: Trojan-Downloader.Win32.Zlob.xp skipped
C:\Downloads\snd-teddyfactory1.0.cracked.exe.exe/run.exe Infected: Trojan-Downloader.Win32.Zlob.xp skipped
C:\Downloads\snd-teddyfactory1.0.cracked.exe.exe ZIP: infected - 3 skipped
C:\Downloads\Talismania_Deluxe_v1[1].0.173700_Cracked-TNT\run.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.aum skipped
C:\Downloads\Talismania_Deluxe_v1[1].0.173700_Cracked-TNT\run.exe/stream Infected: Trojan-Downloader.Win32.Zlob.aum skipped
C:\Downloads\Talismania_Deluxe_v1[1].0.173700_Cracked-TNT\run.exe NSIS: infected - 2 skipped
C:\Downloads\Talismania_Deluxe_v1[1].0.173700_Cracked-TNT\run.exe UPX: infected - 2 skipped
C:\Downloads\Talismania_Deluxe_v1[1].0.173700_Cracked-TNT\run.exe PE_Patch.UPX: infected - 2 skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2007-11-21.16-31-16.log Object is locked skipped
Scan was interrupted by user!
I'm looking forward for your next post... Bye! ;)
These two have to go.
Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad
File::
C:\WINDOWS\system32\epxlbsij.ini
C:\WINDOWS\system32\egyxevag.ini
Save this as CFScript to your desktop.
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://i24.photobucket.com/albums/c30/ken545/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Please download SuperAntiSpyware (http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE)
Install the program
Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.
Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Then, click Finish
It is possible that the program asks to reboot in order to delete some files.
Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)
Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.
Need to see the new Combofix log and the SAS log please
And here we go...
COMBOFIX LOG
ComboFix 07-11-19.3 - ALEKSANDAR 2007-11-22 23:50:19.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.240 [GMT 1:00]
Running from: C:\Documents and Settings\ALEKSANDAR\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ALEKSANDAR\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\WINDOWS\system32\egyxevag.ini
C:\WINDOWS\system32\epxlbsij.ini
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\egyxevag.ini
C:\WINDOWS\system32\epxlbsij.ini
.
((((((((((((((((((((((((( Files Created from 2007-10-22 to 2007-11-22 )))))))))))))))))))))))))))))))
.
2007-11-22 23:09 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-22 23:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-22 23:09 <DIR> d-------- C:\Documents and Settings\ALEKSANDAR\Application Data\SUPERAntiSpyware.com
2007-11-21 16:37 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-17 17:01 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-11-16 22:00 <DIR> d-------- C:\Program Files\Hattrick Coach Professional new
2007-11-14 17:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-10 15:59 502,208 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-11-02 19:39 <DIR> d-------- C:\Program Files\Clickster
2007-10-28 21:05 <DIR> d-------- C:\Program Files\Amiglobe 2006
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-22 22:09 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-22 19:03 --------- d-----w C:\Documents and Settings\ALEKSANDAR\Application Data\Free Download Manager
2007-11-22 15:56 --------- d-----w C:\Program Files\SokkerViewer j
2007-11-21 13:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-21 13:49 --------- d-----w C:\Program Files\Paradox Interactive
2007-11-20 19:54 --------- d-----w C:\Program Files\HT Ratings
2007-11-16 19:28 --------- d-----w C:\Documents and Settings\ALEKSANDAR\Application Data\GameHouse
2007-11-16 19:27 --------- d-----w C:\Program Files\GameHouse
2007-11-15 01:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-10 14:59 270,336 ----a-w C:\WINDOWS\system32\imon.dll
2007-11-06 17:54 --------- d-----w C:\Program Files\HattrickOk
2007-11-03 14:07 --------- d-----w C:\Program Files\SHISEN
2007-11-02 16:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\MumboJumbo
2007-10-23 17:57 --------- d-----w C:\Program Files\Gham
2007-10-20 11:43 --------- d-----w C:\Documents and Settings\ALEKSANDAR\Application Data\Super-Cow
2007-10-15 14:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecretsOfOlympus
2007-10-14 10:09 --------- d-----w C:\Documents and Settings\ALEKSANDAR\Application Data\vlc
2007-10-14 10:07 --------- d-----w C:\Program Files\VideoLAN
2007-10-13 23:02 --------- d-----w C:\Program Files\QuickTime Alternative
2007-10-13 23:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-13 21:18 --------- d-----w C:\Program Files\Apple Software Update
2007-10-13 21:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-10-13 19:50 --------- d-----w C:\Program Files\Player
2007-10-13 19:37 --------- d-----w C:\Program Files\3GP Player
2007-10-13 11:21 --------- d-----w C:\Documents and Settings\ALEKSANDAR\Application Data\iWin
2007-10-08 19:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-10-08 19:28 --------- d-----w C:\Documents and Settings\ALEKSANDAR\Application Data\PlayFirst
2007-10-08 17:30 --------- d-----w C:\Documents and Settings\ALEKSANDAR\Application Data\gemsweeperextractedgfx
2007-10-08 17:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\My Games
2007-10-07 19:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\GameHouse
2007-10-06 18:11 --------- d-----w C:\Documents and Settings\ALEKSANDAR\Application Data\uTorrent
2007-10-04 17:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\HipSoft
2007-09-27 05:18 --------- d-----w C:\Documents and Settings\ALEKSANDAR\Application Data\ArcSoft
2007-09-27 05:13 --------- d-----w C:\Program Files\ArcSoft
2007-09-22 11:32 --------- d-----w C:\Program Files\Audacity
2006-03-18 21:37 560 ----a-w C:\Program Files\Global.sw
2005-07-30 20:20 524,300 ----a-w C:\Documents and Settings\ALEKSANDAR\Application Data\position.bin
2005-02-25 19:00 573,440 ----a-w C:\Documents and Settings\ALEKSANDAR\Application Data\arasan.exe
2005-02-25 18:21 1,179,648 ----a-w C:\Documents and Settings\ALEKSANDAR\Application Data\book.bin
2005-02-25 18:14 1,118,208 ----a-w C:\Documents and Settings\ALEKSANDAR\Application Data\arasanx.exe
.
((((((((((((((((((((((((((((( snapshot@2007-11-21_23.56.25.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-22 22:09:48 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-11-22 22:09:48 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-11-22 22:09:48 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2007-11-21 21:12:35 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-11-22 21:13:00 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-11-21 21:12:35 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-11-22 21:13:00 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-11-21 21:12:35 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-11-22 21:13:00 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 02:41]
"TASKMGRU"="" []
"MSIMN32"="" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2001-08-23 13:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2003-09-05 15:59 C:\WINDOWS\system32\nwiz.exe]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-28 14:43]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]
"Anti-Blaxx Manager"="C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe" [2005-05-18 16:08]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 05:03]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 05:03]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 15:07]
"SysMetrix"="C:\Program Files\SysMetrix\SysMetrix.exe" []
"Desktop Service"="C:\Program Files\Free-Soft\Virtual Desktop\DesktopLoader.exe" []
"AGRSMMSG"="AGRSMMSG.exe" [2005-06-30 06:16 C:\WINDOWS\AGRSMMSG.exe]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-11-10 15:59]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 00:19:50]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-12-24 14:57:38]
VIA RAID TOOL.lnk - C:\Program Files\VIA\RAID\raid_tool.exe [2004-07-21 09:14:21]
[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeviceDiscovery]
2003-05-21 17:37 229437 --a------ C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-10-23 18:51 233472 --a------ C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2003-06-25 10:24 49152 --a------ C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ins3DT]
E:\INSTALL4\INS3DT.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
R0 MrFilter;EasyWrite Driver;C:\WINDOWS\System32\drivers\MrFilter.sys
R0 viasraid;viasraid;C:\WINDOWS\System32\drivers\viasraid.sys
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe
S2 Ca533av;Icatch(IV) Video Camera Device;C:\WINDOWS\System32\Drivers\Ca533av.sys
S3 FreshIO;FreshIO;\??\C:\Program Files\FreshDevices\FreshDiagnose\FreshIO.sys
S3 jnv4_mib;jnv4_mib;\??\C:\DOCUME~1\ALEKSA~1\LOCALS~1\Temp\jnv4_mib.sys
S3 k600bus;Sony Ericsson 600i driver (WDM);C:\WINDOWS\System32\DRIVERS\k600bus.sys
S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;C:\WINDOWS\System32\DRIVERS\k600mdfl.sys
S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;C:\WINDOWS\System32\DRIVERS\k600mdm.sys
S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;C:\WINDOWS\System32\DRIVERS\k600mgmt.sys
S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;C:\WINDOWS\System32\DRIVERS\k600obex.sys
S3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\System32\DRIVERS\ptserlp.sys
S3 RegGuard;RegGuard;\??\C:\WINDOWS\System32\Drivers\regguard.sys
S3 USBCamera;Icatch(IV) Still Camera Device;C:\WINDOWS\System32\Drivers\Bulk533.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-11-03 22:59:11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-22 21:13:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-22 23:54:38
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2007-11-22 23:55:48
C:\ComboFix2.txt ... 2007-11-22 16:13
C:\ComboFix3.txt ... 2007-11-21 23:57
.
--- E O F ---
HJT LOG
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:57:46, on 11/22/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\System32\cmd.exe
C:\ComboFix\vfind.cfexe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.eunet.yu:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.eunet.yu;*.eunet.yu;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Anti-Blaxx Manager] C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [Desktop Service] C:\Program Files\Free-Soft\Virtual Desktop\DesktopLoader.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Sid Registration.lnk = F:\ATR1.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O15 - Trusted Zone: www.vetup.minpolj.sr.gov.yu
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} (PowerTeam HTML Printing Behavior) - http://www.vetup.minpolj.sr.gov.yu/VetUp/include/reportengine/PrinterBvr.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
--
End of file - 6719 bytes
...
SUPER ANTISPYWARE SCAN LOG
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 11/23/2007 at 01:30 AM
Application Version : 3.9.1008
Core Rules Database Version : 3259
Trace Rules Database Version: 1270
Scan type : Complete Scan
Total Scan Time : 01:31:21
Memory items scanned : 331
Memory threats detected : 0
Registry items scanned : 5804
Registry threats detected : 14
File items scanned : 70011
File threats detected : 100
Unclassified.AnalyzeIE Module
HKLM\Software\Classes\CLSID\{1A1488CB-8028-49ba-AD19-18D13CDC650F}
HKCR\CLSID\{1A1488CB-8028-49BA-AD19-18D13CDC650F}
HKCR\CLSID\{1A1488CB-8028-49BA-AD19-18D13CDC650F}
HKCR\CLSID\{1A1488CB-8028-49BA-AD19-18D13CDC650F}\InprocServer32
HKCR\CLSID\{1A1488CB-8028-49BA-AD19-18D13CDC650F}\InprocServer32#ThreadingModel
HKCR\CLSID\{1A1488CB-8028-49BA-AD19-18D13CDC650F}\ProgID
HKCR\CLSID\{1A1488CB-8028-49BA-AD19-18D13CDC650F}\Programmable
HKCR\CLSID\{1A1488CB-8028-49BA-AD19-18D13CDC650F}\TypeLib
HKCR\CLSID\{1A1488CB-8028-49BA-AD19-18D13CDC650F}\VersionIndependentProgID
BLANK
Adware.Tracking Cookie
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@cgi-bin[5].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@image.masterstats[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@www.ultime-porno[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@ads2.pogodak.co[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@www.lesssex[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@cz3.clickzs[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@www.newpornpics[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@www.adultxpix[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@2o7[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@ipoint.targetpoint[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@sites[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@perfectmovie[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@cgi-bin[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@sexymature[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@top.porn-comics[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@itxt.vibrantmedia[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@vecernji[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@tacoda[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@ad.httpool[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@yadro[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@ads.gamesbannernet[4].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@cz6.clickzs[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@cz5.clickzs[3].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@www.bestpornstardb[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@www.elitesecurity[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@amlocalhost.trymedia[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@cgi-bin[4].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@cgi-bin[3].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@statcounter[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@teens-getfucked[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@xxxflavour[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@xiti[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@babeporno[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@elitesecurity[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@a[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@youlovegayporn[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@cgi-bin[6].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@sex-blust[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@005.free-counter.co[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@adultxpix[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@st[19].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@system[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@xxxcreatures[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@glorious-pornstars[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@1072407087[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@usenext[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@www.teen-snatches[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@cgi-bin[8].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@eas.apm.emediate[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@adultadworld[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@clicksor[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@audit.median[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@stats.ilsemedia[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@sexysportschicks[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@ads2.sportglobal[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@adopt.specificclick[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@www.momsonsex[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@clickaider[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@www.screensavers[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@i[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@pixel.ilsemedia[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@atwola[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@advertising[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@toplist[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@cgi-bin[7].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@try.screensavers[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@adultdvddaily[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@xxxvideomature[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@ad1.clickhype[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@sexyshare[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@cz4.clickzs[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@i.screensavers[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@nudecelebrityporn[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@sexstoriespost[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@tracking.quisma[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@r-kimedia.co[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@hit.stat[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@media.mtvnservices[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@www.windowsmedia[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@www.burstbeacon[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@ads.mediamayhemcorp[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@track.webgains[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@windowsmedia[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@ad[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@ads.softure[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@findpornstar[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@azjmp[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@ads.realtechnetwork[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@smileycentral[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@ad.yieldmanager[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@ad.yieldmanager[3].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@banners[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@banners[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@counter[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@crack-list@yahoogroups[1].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@ehg-kasperskylab.hitbox[2].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@ehg-kasperskylab.hitbox[3].txt
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@hitbox[1].txt
Registry Cleaner Trial
HKCR\Install.Install
HKCR\Install.Install\CLSID
HKCR\Install.Install\CurVer
HKCR\Install.Install.1
HKCR\Install.Install.1\CLSID
Adware.ClickSpring/Yazzle
C:\DOCUMENTS AND SETTINGS\ALEKSANDAR\MY DOCUMENTS\DOWNLOADS\GAMEHOUSE SUDOKU FULL\GAMEHOUSE SUDOKU FULL\SUDOKUINSTALL.EXE
HJT LOG (after scanning with Super Antispyware)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:21:01, on 11/23/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.eunet.yu:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.eunet.yu;*.eunet.yu;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Anti-Blaxx Manager] C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [Desktop Service] C:\Program Files\Free-Soft\Virtual Desktop\DesktopLoader.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Sid Registration.lnk = F:\ATR1.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O15 - Trusted Zone: www.vetup.minpolj.sr.gov.yu
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} (PowerTeam HTML Printing Behavior) - http://www.vetup.minpolj.sr.gov.yu/VetUp/include/reportengine/PrinterBvr.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
--
End of file - 6636 bytes
An update for you after looking over your logs.
We do not support the use of illegal Pirated/Warez/Cracked software.
Helping a person who insists on using such software, could be construed in the eyes of the law to be aiding and abetting a crime. Therefore you will be asked to remove any cracked programs and in the case of your operating system, to obtain a valid licensed copy.
If a helper does assist you in the cleanup, it will be on good faith that you install a licensed OS on the machine immediately thereafter, and will not appear in this forum again without such.
Thank you for your understanding, and assisting in keeping the net a safer place for everyone.
C:\Downloads <-- Delete everything in this folder. Most of it is infected. Then run kaspersky virus scanner again and post the log.
Finnaly!!! (Just look at the duration of the scanning process)
KASPERSKY ONLINE SCANNER REPORT
Sunday, November 25, 2007 02:29:09
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 24/11/2007
Kaspersky Anti-Virus database records: 464872
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
Scan Statistics
Total number of scanned objects 353929
Number of viruses found 21
Number of infected objects 103
Number of suspicious objects 0
Duration of the scan process 12:46:39
Infected Object Name Virus Name Last Action
C:\Documents and Settings\ALEKSANDAR\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\ALEKSANDAR\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\ALEKSANDAR\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\ALEKSANDAR\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\ALEKSANDAR\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ALEKSANDAR\Local Settings\History\History.IE5\MSHist012007112420071125\index.dat Object is locked skipped
C:\Documents and Settings\ALEKSANDAR\Local Settings\Temp\Free Download Manager\tic25.tmp Object is locked skipped
C:\Documents and Settings\ALEKSANDAR\Local Settings\Temp\~DFA65C.tmp Object is locked skipped
C:\Documents and Settings\ALEKSANDAR\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ALEKSANDAR\My Documents\My Movies\DiVX\Original Sin\Install\Player\RadLight 3.03 R5.2\RadLight3.exe/data0036/SaveNow.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ag skipped
C:\Documents and Settings\ALEKSANDAR\My Documents\My Movies\DiVX\Original Sin\Install\Player\RadLight 3.03 R5.2\RadLight3.exe/data0036/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.aw skipped
C:\Documents and Settings\ALEKSANDAR\My Documents\My Movies\DiVX\Original Sin\Install\Player\RadLight 3.03 R5.2\RadLight3.exe/data0036 Infected: not-a-virus:AdWare.Win32.SaveNow.aw skipped
C:\Documents and Settings\ALEKSANDAR\My Documents\My Movies\DiVX\Original Sin\Install\Player\RadLight 3.03 R5.2\RadLight3.exe/data0037 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\ALEKSANDAR\My Documents\My Movies\DiVX\Original Sin\Install\Player\RadLight 3.03 R5.2\RadLight3.exe Inno: infected - 4 skipped
C:\Documents and Settings\ALEKSANDAR\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\ALEKSANDAR\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2007-11-24.04-42-59.log Object is locked skipped
C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped
C:\Program Files\ESET\infected\0SITPUDA.NQF Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\Program Files\ESET\infected\EUEHMKAA.NQF Infected: Trojan-Proxy.Win32.Wopla.ac skipped
C:\Program Files\ESET\infected\FQ0ZZCBA.NQF Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\Program Files\ESET\infected\H540WHBA.NQF Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Program Files\ESET\infected\L04KMZDA.NQF Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Program Files\ESET\infected\N55Q0UCA.NQF Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Program Files\ESET\infected\PG2LNUAA.NQF Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Program Files\ESET\infected\RZJYCJAA.NQF Infected: not-a-virus:AdWare.Win32.Virtumonde.aqj skipped
C:\Program Files\ESET\infected\UG4K01CA.NQF/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.ava skipped
C:\Program Files\ESET\infected\UG4K01CA.NQF/stream Infected: Trojan-Downloader.Win32.Zlob.ava skipped
C:\Program Files\ESET\infected\UG4K01CA.NQF NSIS: infected - 2 skipped
C:\Program Files\ESET\infected\UG4K01CA.NQF UPX: infected - 2 skipped
C:\Program Files\ESET\infected\UG4K01CA.NQF PE_Patch.UPX: infected - 2 skipped
C:\Program Files\ESET\infected\UG4K01CA.NQF PE-Crypt.XorPE: infected - 2 skipped
C:\Program Files\ESET\infected\V0KWPZBA.NQF Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Program Files\ESET\infected\ZDH50ACA.NQF Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\Program Files\ESET\infected\ZEKZF4CA.NQF Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Program Files\ESET\logs\virlog.dat Object is locked skipped
C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped
C:\Razno\baby_balloons.exe/file7 Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Razno\baby_balloons.exe Inno: infected - 1 skipped
C:\Razno\brgcg203.exe/run.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.aan skipped
C:\Razno\brgcg203.exe/run.exe/stream Infected: Trojan-Downloader.Win32.Zlob.aan skipped
C:\Razno\brgcg203.exe/run.exe Infected: Trojan-Downloader.Win32.Zlob.aan skipped
C:\Razno\brgcg203.exe ZIP: infected - 3 skipped
C:\Razno\cherry_cook.exe/file12 Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Razno\cherry_cook.exe Inno: infected - 1 skipped
C:\Razno\eastern_mahjong.exe/file7 Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Razno\eastern_mahjong.exe Inno: infected - 1 skipped
C:\Razno\help_santa.exe/file07 Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Razno\help_santa.exe Inno: infected - 1 skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1067\A0510677.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aqj skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1067\A0510685.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aqj skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1067\A0510686.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aqj skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513808.exe/run.exe/data0007 Infected: Trojan-Downloader.Win32.Zlob.xp skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513808.exe/run.exe/data0008 Infected: Trojan-Downloader.Win32.Zlob.xp skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513808.exe/run.exe Infected: Trojan-Downloader.Win32.Zlob.xp skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513808.exe ZIP: infected - 3 skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513809.exe/run.exe Infected: Trojan-Downloader.Win32.Zlob.vg skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513809.exe ZIP: infected - 1 skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513811.exe/run.exe Infected: Trojan-Downloader.Win32.Zlob.vg skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513811.exe ZIP: infected - 1 skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513812.exe/run.exe Infected: Trojan-Downloader.Win32.Zlob.vg skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513812.exe ZIP: infected - 1 skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513813.exe/run.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.aan skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513813.exe/run.exe/stream Infected: Trojan-Downloader.Win32.Zlob.aan skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513813.exe/run.exe Infected: Trojan-Downloader.Win32.Zlob.aan skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513813.exe ZIP: infected - 3 skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513814.exe/run.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.aan skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513814.exe/run.exe/stream Infected: Trojan-Downloader.Win32.Zlob.aan skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513814.exe/run.exe Infected: Trojan-Downloader.Win32.Zlob.aan skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513814.exe ZIP: infected - 3 skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513815.exe/run.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.aan skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513815.exe/run.exe/stream Infected: Trojan-Downloader.Win32.Zlob.aan skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513815.exe/run.exe Infected: Trojan-Downloader.Win32.Zlob.aan skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513815.exe ZIP: infected - 3 skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513818.exe/run.exe Infected: Trojan-Downloader.Win32.Zlob.vg skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513818.exe ZIP: infected - 1 skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513855.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.aum skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513855.exe/stream Infected: Trojan-Downloader.Win32.Zlob.aum skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513855.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513855.exe UPX: infected - 2 skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513855.exe PE_Patch.UPX: infected - 2 skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513860.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.aum skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513860.exe/stream Infected: Trojan-Downloader.Win32.Zlob.aum skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513860.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513860.exe UPX: infected - 2 skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513860.exe PE_Patch.UPX: infected - 2 skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513869.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.aum skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513869.exe/stream Infected: Trojan-Downloader.Win32.Zlob.aum skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513869.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513869.exe UPX: infected - 2 skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513869.exe PE_Patch.UPX: infected - 2 skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513962.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.aum skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513962.exe/stream Infected: Trojan-Downloader.Win32.Zlob.aum skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513962.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513962.exe UPX: infected - 2 skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513962.exe PE_Patch.UPX: infected - 2 skipped
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\change.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Agere Systems PCI Soft Modem.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\My Fun\freeripmp3.exe/file35 Infected: not-a-virus:AdTool.Win32.MyWebSearch.ak skipped
D:\My Fun\freeripmp3.exe Inno: infected - 1 skipped
D:\My Fun\Razno\maturestown_com - free galleries2.htm Object is locked skipped
D:\My Fun\ZodiacInst.exe/ss20030521.exe/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
D:\My Fun\ZodiacInst.exe/ss20030521.exe/v2.0.3.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
D:\My Fun\ZodiacInst.exe/ss20030521.exe/v2.0.3.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
D:\My Fun\ZodiacInst.exe/ss20030521.exe/v2.0.3.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
D:\My Fun\ZodiacInst.exe/ss20030521.exe/v2.0.3.cab Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
D:\My Fun\ZodiacInst.exe/ss20030521.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
D:\My Fun\ZodiacInst.exe/SAVE-SYNCm-WHSE_searchbar.min.googleInst.exe/Sync.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
D:\My Fun\ZodiacInst.exe/SAVE-SYNCm-WHSE_searchbar.min.googleInst.exe/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
D:\My Fun\ZodiacInst.exe/SAVE-SYNCm-WHSE_searchbar.min.googleInst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
D:\My Fun\ZodiacInst.exe CreateInstall: infected - 9 skipped
D:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513797.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.ava skipped
D:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513797.exe/stream Infected: Trojan-Downloader.Win32.Zlob.ava skipped
D:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513797.exe NSIS: infected - 2 skipped
D:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513797.exe UPX: infected - 2 skipped
D:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513797.exe PE_Patch.UPX: infected - 2 skipped
D:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513987.exe/WISE0030.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
D:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513987.exe/WISE0053.BIN/WISE0005.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
D:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513987.exe/WISE0053.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
D:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513987.exe WiseSFX: infected - 3 skipped
D:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513993.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
D:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\change.log Object is locked skipped
Scan process completed.
Sometimes these games come bundled with adware, if you keep downloading them the way you have your going to keep infecting yourself, even though your HJT log looks clean, I would like you to run these two scans to be sure all is well
First go into your ESET virus program to the Quarantine folder and remove it all.
This wont take long
Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
This should not take longer than an hour
Please download and install AVG Anti-Spyware Free (http://free.grisoft.com/doc/download-free-anti-spyware/us/frt/0) to your desktop.
Once you have downloaded AVG Anti-Spyware 7.5, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need run AVG and update the definition files.
On the main screen select the icon Update then select the Update now link.
Next select the Start Update button, the update will start and a progress bar will show the updates being installed.
Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.
Once in the Settings screen click on Recommended actions and then select Quarantine <-- Dont forget this
Under Reports
Select Automatically generate report after every scan
Un-Select Only if threats were found <-- Don't forget this
Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan.
AVG will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will prompted, then select Apply all actions
Next select the Reports icon at the top.
Select the Save report as button in the lower left hand of the screen and save it to a text file on your system <--Don't forget this
make sure to remember where you saved that file, this is important, I need to see that log.
Close AVG Anti-Spyware Free
IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process:
Post both reports along with a new HJT log please
SMITFRAUDFIX LOG
SmitFraudFix v2.254
Scan done at 20:08:39.84, 11/26/2007
Run from C:\Documents and Settings\ALEKSANDAR\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\System32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\ALEKSANDAR
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\ALEKSANDAR\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ALEKSA~1\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: WAN (PPP/SLIP) Interface
DNS Server Search Order: 194.247.192.33
DNS Server Search Order: 194.247.192.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{D515463C-AD78-4558-AAAD-6973E8741F5B}: NameServer=194.247.192.33 194.247.192.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{D515463C-AD78-4558-AAAD-6973E8741F5B}: NameServer=194.247.192.33 194.247.192.1
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
AVG LOG
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 22:57:16 11/26/2007
+ Scan result:
C:\Program Files\Trend Micro\HijackThis\backups\backup-20071121-231614-822.inf -> Adware.MediaTickets : Cleaned.
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513855.exe -> Downloader.Zlob.aum : Cleaned.
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513860.exe -> Downloader.Zlob.aum : Cleaned.
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513869.exe -> Downloader.Zlob.aum : Cleaned.
C:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513962.exe -> Downloader.Zlob.aum : Cleaned.
D:\System Volume Information\_restore{1F2EDC4E-595B-4B18-835C-73B1C50D2C2C}\RP1069\A0513797.exe -> Downloader.Zlob.ava : Cleaned.
C:\Program Files\SHISEN\SHISEN.EXE -> Heuristic.Win32.Dialer : Cleaned.
D:\My Fun\Total Commander v.6.52\tc6Uni_crk.exe -> Logger.Agent : Cleaned.
:mozilla.7:C:\Documents and Settings\ALEKSANDAR\Application Data\Mozilla\Firefox\Profiles\2kg3rl2s.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@2.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.131:C:\Documents and Settings\ALEKSANDAR\Application Data\Mozilla\Firefox\Profiles\2kg3rl2s.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.132:C:\Documents and Settings\ALEKSANDAR\Application Data\Mozilla\Firefox\Profiles\2kg3rl2s.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.28:C:\Documents and Settings\ALEKSANDAR\Application Data\Mozilla\Firefox\Profiles\2kg3rl2s.default\cookies.txt -> TrackingCookie.Connextra : Cleaned.
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@connextra[2].txt -> TrackingCookie.Connextra : Cleaned.
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@i12[1].txt -> TrackingCookie.I12 : Cleaned.
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@max.i12[2].txt -> TrackingCookie.I12 : Cleaned.
:mozilla.49:C:\Documents and Settings\ALEKSANDAR\Application Data\Mozilla\Firefox\Profiles\2kg3rl2s.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.50:C:\Documents and Settings\ALEKSANDAR\Application Data\Mozilla\Firefox\Profiles\2kg3rl2s.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@intelli-direct[1].txt -> TrackingCookie.Intelli-direct : Cleaned.
:mozilla.77:C:\Documents and Settings\ALEKSANDAR\Application Data\Mozilla\Firefox\Profiles\2kg3rl2s.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.78:C:\Documents and Settings\ALEKSANDAR\Application Data\Mozilla\Firefox\Profiles\2kg3rl2s.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@realguide.real[1].txt -> TrackingCookie.Real : Cleaned.
:mozilla.27:C:\Documents and Settings\ALEKSANDAR\Application Data\Mozilla\Firefox\Profiles\2kg3rl2s.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.90:C:\Documents and Settings\ALEKSANDAR\Application Data\Mozilla\Firefox\Profiles\2kg3rl2s.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.91:C:\Documents and Settings\ALEKSANDAR\Application Data\Mozilla\Firefox\Profiles\2kg3rl2s.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.92:C:\Documents and Settings\ALEKSANDAR\Application Data\Mozilla\Firefox\Profiles\2kg3rl2s.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.93:C:\Documents and Settings\ALEKSANDAR\Application Data\Mozilla\Firefox\Profiles\2kg3rl2s.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.94:C:\Documents and Settings\ALEKSANDAR\Application Data\Mozilla\Firefox\Profiles\2kg3rl2s.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.100:C:\Documents and Settings\ALEKSANDAR\Application Data\Mozilla\Firefox\Profiles\2kg3rl2s.default\cookies.txt -> TrackingCookie.Trafic : Cleaned.
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\ALEKSANDAR\Cookies\aleksandar@m.webtrends[1].txt -> TrackingCookie.Webtrends : Cleaned.
:mozilla.125:C:\Documents and Settings\ALEKSANDAR\Application Data\Mozilla\Firefox\Profiles\2kg3rl2s.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.126:C:\Documents and Settings\ALEKSANDAR\Application Data\Mozilla\Firefox\Profiles\2kg3rl2s.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.127:C:\Documents and Settings\ALEKSANDAR\Application Data\Mozilla\Firefox\Profiles\2kg3rl2s.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.128:C:\Documents and Settings\ALEKSANDAR\Application Data\Mozilla\Firefox\Profiles\2kg3rl2s.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\ALEKSANDAR\My Documents\Downloads\Water Bugs\PopCap Games DRM Protection Remover 0.1.exe -> Trojan.Small : Cleaned.
C:\Program Files\PopCap Games\Water Bugs\PopCap Games DRM Protection Remover 0.1.exe -> Trojan.Small : Cleaned.
D:\Downloads 2\Water bugs\PopCap Games DRM Protection Remover 0.1.exe -> Trojan.Small : Cleaned.
::Report end
HJT LOG
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:59:44, on 11/26/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.eunet.yu:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.eunet.yu;*.eunet.yu;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Anti-Blaxx Manager] C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [Desktop Service] C:\Program Files\Free-Soft\Virtual Desktop\DesktopLoader.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Sid Registration.lnk = F:\ATR1.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O15 - Trusted Zone: www.vetup.minpolj.sr.gov.yu
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} (PowerTeam HTML Printing Behavior) - http://www.vetup.minpolj.sr.gov.yu/VetUp/include/reportengine/PrinterBvr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D515463C-AD78-4558-AAAD-6973E8741F5B}: NameServer = 194.247.192.33 194.247.192.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
--
End of file - 6999 bytes
Your log looks fine :bigthumb:
Download CCleaner from here (http://www.ccleaner.com/) to clean temp files from your computer.
Double click on the file to start the installation of the program.
Select your language and click OK, then next.
Read the license agreement and click I Agree.
Click next to use the default install location. Click Install then finish to complete installation.
Double click the CCleaner shortcut on the desktop to start the program.
On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
Click on the "Options" icon at the left side of the window, then click on "Advanced."
deselect "Only delete files in Windows Temp folders older than 48 hours."
Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
After CCleaner has completed its process, click Exit.
*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!
Your Java is out of date and leaving your system vulnerable.
Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment)
It should have an icon next to it:
http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.jpg
Select it and click Remove.
Reboot your system.
Then go to the Sun Microsystems (http://www.java.com/en/download/manual.jsp) and install the update
Java Runtime Environment Version 6 Update 3 <--This is what you need to download and install.
If you chose the online installation, it will prompt you to run the program.
If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
Then after install you can verify your installation here Sun Java Verify (http://www.java.com/en/download/manual.jsp)
I like to to do the offline installation and save the setup file in case I may need it in the future
How are things running now??
I have completed everything you said. During installation of newest version of Java I was informed that for that version I should have Windows SP2, which I don't. Installation was successful, but could I have some problem with this because of lack of SP2.
Is now the right time to install SP2 since we, hopefully, cleaned all the threats from my computer, or should I do something else before?
My latest HJT log looks like this:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:45:27, on 11/27/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.eunet.yu:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.eunet.yu;*.eunet.yu;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Anti-Blaxx Manager] C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [Desktop Service] C:\Program Files\Free-Soft\Virtual Desktop\DesktopLoader.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Sid Registration.lnk = F:\ATR1.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\Go!Zilla\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O15 - Trusted Zone: www.vetup.minpolj.sr.gov.yu
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} (PowerTeam HTML Printing Behavior) - http://www.vetup.minpolj.sr.gov.yu/VetUp/include/reportengine/PrinterBvr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D515463C-AD78-4558-AAAD-6973E8741F5B}: NameServer = 194.247.192.33 194.247.192.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
--
End of file - 6964 bytes
Your ready for SP2,
Run a cleaner.
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Go to Start> All Programs> Assessories > System Tools> Defragmenter and select your C: drive and run the tool.
Open IE and go to Tools> Windows Updates and go for it, you can also download it here.
http://www.microsoft.com/windowsxp/sp2/default.mspx
How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
Geeks To Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Here are some free programs to install, don't leave home without them
Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts.
Win Patrol (http://www.winpatrol.com/download.html) This program will warn you when any changes are being made to your system and give
you the option to deny the change.
IE-Spyad (http://forums.windowsforum.org/index.php?showtopic=6640)
IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads
(cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 2.0 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and
painless download and install, it will no way interfere with IE, you can use them both.
Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs, I
wouldn't access the internet without it.
Glad we could help.
Safe Surfn
Ken
Thanks a lot!!!
And goodbye!
:bigthumb::bigthumb::bigthumb: