PDA

View Full Version : MediaTicket? Please help!



pacosaff
2007-12-02, 22:15
Norton has found this malware but cannot delete. It gives its location as C:\WINDOWS\Downloaded program files\MediaTicketsInstaller.INF. But I can't find it there or anywhere else. Please help me to get rid of this malware which is messing up my computer. Thanks

Mr_JAk3
2007-12-04, 21:32
Hello pacosaff and welcome to the Forums :)


Please post a HijackThis log to here.

Download HJTInstall.exe (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to your Desktop.
Doubleclick HJTInstall.exe to install it.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Copy/Paste the log to your next reply please.

Don't use the Analyse This button, its findings are dangerous if misinterpreted.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

pacosaff
2007-12-05, 00:35
Thanks for your welcome Mr_Jak3 and for your help..

Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:32:30, on 04/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\sesinetd.exe
C:\WINDOWS\System32\hserver.exe
C:\Program Files\Alias\Maya6.0\docs\jre\bin\java.exe
C:\WINDOWS\System32\PSIService.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\ICONDESK\IconDesk.exe
C:\WINDOWS\Integrator.exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\Paul's Repair Kit\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipPublisher\FpLaunch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\Program Files\FlashGet\Jccatch.dll
O2 - BHO: (no name) - {A53F96EB-0452-09AD-2E26-0CC2BD21149C} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: LEC - {1DBAB667-A486-421e-AFE4-CF07DD0088E5} - C:\Program Files\Power Translator\Applications\LEC IE Translation Extension.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [Saue] "C:\DOCUME~1\Pacosaff\MYDOCU~1\CROSOF~1.NET\chkdsk.exe" -vt yazb
O4 - HKCU\..\Run: [Baaobvek] "C:\Program Files\s?stem\r?ndll32.exe"
O4 - HKCU\..\Run: [Spol] http://www.toya.net.pl/~spol/site/index.htm
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] c:\program files\symantec\liveupdate\alunotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: ICONDESK.lnk = C:\Program Files\ICONDESK\IconDesk.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: Registration-INSDVD.lnk = C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196194709687
O20 - Winlogon Notify: urqpnol - urqpnol.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: CADopia License Manager - Macrovision Corporation - C:\PROGRA~1\Cadopia\INTELL~1\LicenseManager\lmgrd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Houdini License Server (HoudiniLicenseServer) - Side Effects Software Inc. - C:\WINDOWS\System32\sesinetd.exe
O23 - Service: Houdini License Client (HoudiniServer) - Side Effects Software Inc. - C:\WINDOWS\System32\hserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LEC TranslateDotNet Server - Language Engineering Corporation, LLC - C:\Program Files\Power Translator\LogoMedia TranslateDotNet Server.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Flexlm (lmgrd) - Macrovision Corporation - C:\Program Files\Cadopia\IntelliCAD 4\LicenseManager\lmgrd.exe
O23 - Service: MBackMonitor - Unknown owner - C:\Program Files\McAfee\MBK\MBackMonitor.exe (file missing)
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\System32\PSIService.exe
O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
O23 - Service: Windows Tracks Washer Registry Service (WTWService) - Unknown owner - C:\Program Files\Internet Tracks Washer\washservice.exe
O24 - Desktop Component 0: Aqua Real - 7db39a0d-580f-4be9-9195-8bfcd226f6c2

--
End of file - 12472 bytes

Mr_JAk3
2007-12-06, 16:02
Hi :)

You're infected.

Have you uninstalled Norton/Symantec?

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

pacosaff
2007-12-06, 23:03
Thanks for the reply. Should I uninstall Norton?
Here's the ComboFix log:

ComboFix 07-12-02.6 - Pacosaff 2007-12-06 19:21:08.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.138 [GMT 0:00]
Running from: H:\Paul's Repair Kit\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Pacosaff\Application Data\dach100.dll
C:\Temp\abW9
C:\Temp\abW9\tPho.log
C:\WINDOWS\system32\rMa01yy

.
((((((((((((((((((((((((( Files Created from 2007-11-06 to 2007-12-06 )))))))))))))))))))))))))))))))
.

2007-12-03 08:55 . 2007-12-03 08:56 918,045 --ah----- C:\DH Temp.tmp
2007-12-02 20:36 . 2007-12-02 20:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-02 14:14 . 2002-08-29 12:00 102,448 --a------ C:\WINDOWS\system32\wshom.ocx
2007-12-02 14:14 . 2002-08-29 12:00 102,448 --a--c--- C:\WINDOWS\system32\dllcache\wshom.ocx
2007-11-30 23:57 . 2007-11-30 23:57 317,616 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
2007-11-30 23:57 . 2007-11-30 23:57 279,088 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
2007-11-30 23:57 . 2007-11-30 23:57 43,696 --a------ C:\WINDOWS\system32\drivers\srtspx.sys
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspx.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspl.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,545 --a------ C:\WINDOWS\system32\drivers\srtsp.cat
2007-11-30 23:57 . 2007-11-30 23:57 1,430 --a------ C:\WINDOWS\system32\drivers\srtspl.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,421 --a------ C:\WINDOWS\system32\drivers\srtspx.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,415 --a------ C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-29 00:27 . 2007-05-29 13:55 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-11-29 00:27 . 2007-05-29 13:55 10,592 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2007-11-29 00:27 . 2007-05-29 13:55 705 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2007-11-28 23:56 . 2007-03-21 20:39 1,060,864 --a------ C:\WINDOWS\system32\MFC71.DLL
2007-11-28 23:56 . 2007-03-21 20:33 503,808 --a------ C:\WINDOWS\system32\MSVCP71.DLL
2007-11-28 23:56 . 2007-03-21 20:33 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DLL
2007-11-28 23:51 . 2007-07-17 12:21 186,256 --a------ C:\WINDOWS\system32\SymNPPWA.dll
2007-11-28 23:10 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-11-28 23:10 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-11-26 23:58 . 2007-11-26 23:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-26 23:04 . 2007-11-26 23:04 16 --a------ C:\WINDOWS\system32\coh.cache
2007-11-26 19:42 . 2007-11-29 19:01 <DIR> d-------- C:\Program Files\Norton 360
2007-11-26 19:40 . 2007-12-05 08:57 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-26 19:40 . 2007-12-05 08:57 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-26 19:39 . 2007-12-05 08:57 <DIR> d-------- C:\Program Files\Symantec
2007-11-26 19:39 . 2007-12-02 23:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-26 19:38 . 2007-11-30 08:22 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-11-22 22:41 . 2007-12-06 19:19 <DIR> d-------- C:\Paul's Repair Kit
2007-11-20 08:13 . 2007-11-20 08:13 <DIR> d-------- C:\WINDOWS\system32\re3
2007-11-11 23:21 . 2007-11-11 23:21 <DIR> d-------- C:\Documents and Settings\Pacosaff\Application Data\AquaSoft
2007-11-11 23:19 . 2007-11-11 23:19 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\{080C77D8-6A24-4B5E-89CF-240D0E56A59E}
2007-11-11 23:18 . 2007-11-11 23:18 <DIR> d-------- C:\Program Files\AquaSoft
2007-11-06 22:14 . 2007-11-06 22:24 <DIR> d-------- C:\Documents and Settings\Pacosaff\Application Data\MilkShape 3D 1.x.x
2007-11-06 22:13 . 2007-11-06 22:14 <DIR> d-------- C:\Program Files\MilkShape 3D 1.8.2
2007-11-06 08:18 . 2007-11-19 23:50 <DIR> d-------- C:\Program Files\3D-brush-2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-05 08:57 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-02 21:08 --------- d-----w C:\Program Files\PTGui
2007-12-02 20:36 --------- d-----w C:\Program Files\Lavasoft
2007-12-02 20:33 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-02 11:28 20 ----a-w C:\sccfg.sys
2007-12-02 10:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-02 10:37 --------- d-----w C:\Program Files\Fake Webcam
2007-12-01 08:49 --------- d-----w C:\Program Files\FlashGet
2007-11-29 00:51 --------- d-----w C:\Documents and Settings\Pacosaff\Application Data\uTorrent
2007-11-28 00:08 --------- d-----w C:\Documents and Settings\Pacosaff\Application Data\Symantec
2007-11-17 21:31 --------- d-----w C:\Program Files\GameHouse
2007-11-17 15:08 --------- d-----w C:\Program Files\PopCap Games
2007-11-15 23:45 --------- d-----w C:\Program Files\Ubisoft
2007-11-14 20:37 --------- d-----w C:\Documents and Settings\Pacosaff\Application Data\LimeWire
2007-11-05 23:31 --------- d-----w C:\Program Files\Torrent Harvester
2007-11-05 23:01 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-30 20:51 --------- d-----w C:\Program Files\SecondLife
2007-10-29 19:03 --------- d-----w C:\Program Files\Pixarra
2007-10-27 14:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Digital Anarchy
2007-10-20 13:47 --------- d-----w C:\Program Files\Act-3D
2007-10-18 18:13 --------- d-----w C:\Program Files\Dark Egypt
2007-10-14 19:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-14 19:49 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-10-14 19:46 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-14 09:12 --------- d-----w C:\Program Files\FXhome VisionLab Studio
2007-10-12 08:08 --------- d-----w C:\Documents and Settings\Pacosaff\Application Data\MediaMan
2007-01-11 00:08 0 ----a-w C:\Documents and Settings\All Users\Application Data\PKP_DLbz.DAT
2006-09-23 14:57 81,920 ----a-w C:\Documents and Settings\Pacosaff\Application Data\ezpinst.exe
2006-09-23 14:57 47,360 ----a-w C:\Documents and Settings\Pacosaff\Application Data\pcouffin.sys
2005-07-02 16:12 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2007-01-10 22:39 88 --sh--r C:\WINDOWS\system32\668E944800.sys
2007-01-10 22:44 3,454 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A53F96EB-0452-09AD-2E26-0CC2BD21149C}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Saue"="C:\DOCUME~1\Pacosaff\MYDOCU~1\CROSOF~1.NET\chkdsk.exe" []
"Baaobvek"="C:\Program Files\s?stem\r?ndll32.exe" []
"Spol"="http://www.toya.net.pl/~spol/site/index.htm" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-19 11:33]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 03:10]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 05:59]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 12:00]
"NvMediaCenter"="RUNDLL32.exe" [2002-08-29 12:00 C:\WINDOWS\system32\rundll32.exe]
"ALUAlert"="c:\program files\symantec\liveupdate\alunotify.exe" [2007-09-12 18:27]

C:\Documents and Settings\Pacosaff\Start Menu\Programs\Startup\
AntiCrash.lnk - C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe [2002-12-17 12:00:44]
BHODemon 2.0.lnk - C:\Program Files\BHODemon 2\BHODemon.exe [2005-06-19 11:59:30]
ICONDESK.lnk - C:\Program Files\ICONDESK\IconDesk.exe [2001-12-02 22:22:03]
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2006-09-29 21:22:37]
Registration-INSDVD.lnk - C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe [2002-09-26 12:18:00]
Stickies.lnk - C:\Program Files\stickies\stickies.exe [2003-06-19 20:06:39]
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe [2005-12-19 11:59:28]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2003-10-23 15:31:21]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2004-07-14 21:16:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Ghp`amfUbrhLds"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 0 (0x0)
"Mn@iboddPubswLfov"= 0 (0x0)
"Mn@mlrf"= 0 (0x0)
"MnOndNeg"= 0 (0x0)
"MnQtm"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"= shdocvw.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqpnol]
urqpnol.dll

R0 gxc108b;gxc108b;C:\WINDOWS\System32\DRIVERS\gxc108b.sys
R0 gxc108p;gxc108p;C:\WINDOWS\System32\Drivers\gxc108p.sys
R0 sonyhcb;Sony Digital Imaging Base;C:\WINDOWS\System32\DRIVERS\sonyhcb.sys
R0 VOBID;VOBID;C:\WINDOWS\System32\DRIVERS\vobid.sys
R1 gcvcd;gcvcd;C:\WINDOWS\System32\drivers\gcvcd.sys
R1 sdpiosys;sdpiosys;C:\WINDOWS\System32\drivers\sdpiosys.sys
R1 vobcom;vobcom;C:\WINDOWS\System32\drivers\vobcom.sys
R1 vobiw;vobiw;C:\WINDOWS\System32\drivers\vobiw.sys
R2 aliasdocserver;Alias Documentation Server;"C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe" -s "C:\Program Files\Alias\Maya6.0\docs/Wrapper.conf"
R2 CamthWDM;WebcamMax, WDM Video Capture;C:\WINDOWS\System32\DRIVERS\CamthWDM.sys
R2 CatnHat;CatnHat;C:\WINDOWS\System32\drivers\CatnHat.sys
R2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\System32\DRIVERS\nvcap.sys
R2 nvTUNEP;nVidia WDM TVTuner;C:\WINDOWS\System32\DRIVERS\nvtunep.sys
R2 nvtvSND;nVidia WDM TVAudio Crossbar;C:\WINDOWS\System32\DRIVERS\nvtvsnd.sys
R2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\System32\DRIVERS\NVxbar.sys
R2 SentinelKeysServer;Sentinel Keys Server;"C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe"
R3 cdrdrv;Cdrdrv;C:\WINDOWS\System32\Drivers\Cdrdrv.sys
S0 ElbyVCD;ElbyVCD;C:\WINDOWS\System32\DRIVERS\ElbyVCD.sys
S2 CADopia License Manager;CADopia License Manager;C:\PROGRA~1\Cadopia\INTELL~1\LicenseManager\lmgrd.exe
S2 lmgrd;Flexlm;C:\Program Files\Cadopia\IntelliCAD 4\LicenseManager\lmgrd.exe
S2 windrvNT;windrvNT;\??\C:\WINDOWS\System32\windrvNT.sys
S3 aaudstum;aaudstum;\??\C:\DOCUME~1\Pacosaff\LOCALS~1\Temp\aaudstum.sys
S3 Aliasiilace;Aliasiilace;C:\WINDOWS\System32\drivers\drmkaud.sys
S3 C-Dilla;C-Dilla;\??\C:\WINDOWS\System32\drivers\CDANT.SYS
S3 ICAM5USB;Intel(r) PC Camera CS110;C:\WINDOWS\System32\Drivers\ICAM5D2.sys
S3 pmxscan;USB USB FlatBed Scanner Driver;C:\WINDOWS\System32\DRIVERS\usbscan.sys
S3 sonyhcs;Sony Digital Imaging Video;C:\WINDOWS\System32\DRIVERS\sonyhcs.sys
S3 USBVSP;USBVSP;C:\WINDOWS\System32\drivers\Usbvsp.sys

*Newly Created Service* - COMHOST
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-06 19:41:08
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-06 19:43:57 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-25 10:04
.
--- E O F ---

Mr_JAk3
2007-12-08, 14:02
Hi :)

Don't uninstall Norton if you're using it. I just asked because it didn't seem to be running correctly on the last HijackThis log.

We'll continue

Open notepad and copy/paste the text in the quotebox below into it:



Driver::
aaudstum

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A53F96EB-0452-09AD-2E26-0CC2BD21149C}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Saue"=-
"Baaobvek"=-
"Spol"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Ghp`amfUbrhLds"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"=-
"Mn@iboddPubswLfov"=-
"Mn@mlrf"=-
"MnOndNeg"=-
"MnQtm"=-

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqpnol]




Save this as "CFScript"

http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

pacosaff
2007-12-09, 02:22
OK...here's the new ComboFix log:

ComboFix 07-12-02.6 - Pacosaff 2007-12-08 23:51:58.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.141 [GMT 0:00]
Running from: C:\Documents and Settings\Pacosaff\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Pacosaff\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Pacosaff\Application Data\dach100.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_AAUDSTUM
-------\aaudstum


((((((((((((((((((((((((( Files Created from 2007-11-09 to 2007-12-09 )))))))))))))))))))))))))))))))
.

2007-12-02 20:36 . 2007-12-02 20:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-02 14:14 . 2002-08-29 12:00 102,448 --a------ C:\WINDOWS\system32\wshom.ocx
2007-12-02 14:14 . 2002-08-29 12:00 102,448 --a--c--- C:\WINDOWS\system32\dllcache\wshom.ocx
2007-11-30 23:57 . 2007-11-30 23:57 317,616 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
2007-11-30 23:57 . 2007-11-30 23:57 279,088 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
2007-11-30 23:57 . 2007-11-30 23:57 43,696 --a------ C:\WINDOWS\system32\drivers\srtspx.sys
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspx.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,549 --a------ C:\WINDOWS\system32\drivers\srtspl.cat
2007-11-30 23:57 . 2007-11-30 23:57 10,545 --a------ C:\WINDOWS\system32\drivers\srtsp.cat
2007-11-30 23:57 . 2007-11-30 23:57 1,430 --a------ C:\WINDOWS\system32\drivers\srtspl.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,421 --a------ C:\WINDOWS\system32\drivers\srtspx.inf
2007-11-30 23:57 . 2007-11-30 23:57 1,415 --a------ C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-29 00:27 . 2007-05-29 13:55 22,112 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-11-29 00:27 . 2007-05-29 13:55 10,592 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2007-11-29 00:27 . 2007-05-29 13:55 705 -ra------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2007-11-28 23:56 . 2007-03-21 20:39 1,060,864 --a------ C:\WINDOWS\system32\MFC71.DLL
2007-11-28 23:56 . 2007-03-21 20:33 503,808 --a------ C:\WINDOWS\system32\MSVCP71.DLL
2007-11-28 23:56 . 2007-03-21 20:33 348,160 --a------ C:\WINDOWS\system32\MSVCR71.DLL
2007-11-28 23:51 . 2007-07-17 12:21 186,256 --a------ C:\WINDOWS\system32\SymNPPWA.dll
2007-11-28 23:10 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-11-28 23:10 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-11-26 23:58 . 2007-11-26 23:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-26 23:04 . 2007-11-26 23:04 16 --a------ C:\WINDOWS\system32\coh.cache
2007-11-26 19:42 . 2007-11-29 19:01 <DIR> d-------- C:\Program Files\Norton 360
2007-11-26 19:40 . 2007-12-05 08:57 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-26 19:40 . 2007-12-05 08:57 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-26 19:39 . 2007-12-05 08:57 <DIR> d-------- C:\Program Files\Symantec
2007-11-26 19:39 . 2007-12-07 08:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-26 19:38 . 2007-11-30 08:22 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-11-22 22:41 . 2007-12-08 23:48 <DIR> d-------- C:\Paul's Repair Kit
2007-11-20 08:13 . 2007-11-20 08:13 <DIR> d-------- C:\WINDOWS\system32\re3
2007-11-11 23:21 . 2007-11-11 23:21 <DIR> d-------- C:\Documents and Settings\Pacosaff\Application Data\AquaSoft
2007-11-11 23:19 . 2007-11-11 23:19 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\{080C77D8-6A24-4B5E-89CF-240D0E56A59E}
2007-11-11 23:18 . 2007-11-11 23:18 <DIR> d-------- C:\Program Files\AquaSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-05 08:57 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-02 21:08 --------- d-----w C:\Program Files\PTGui
2007-12-02 20:36 --------- d-----w C:\Program Files\Lavasoft
2007-12-02 20:33 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-02 11:28 20 ----a-w C:\sccfg.sys
2007-12-02 10:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-02 10:37 --------- d-----w C:\Program Files\Fake Webcam
2007-12-01 08:49 --------- d-----w C:\Program Files\FlashGet
2007-11-29 00:51 --------- d-----w C:\Documents and Settings\Pacosaff\Application Data\uTorrent
2007-11-28 00:08 --------- d-----w C:\Documents and Settings\Pacosaff\Application Data\Symantec
2007-11-19 23:50 --------- d-----w C:\Program Files\3D-brush-2
2007-11-17 21:31 --------- d-----w C:\Program Files\GameHouse
2007-11-17 15:08 --------- d-----w C:\Program Files\PopCap Games
2007-11-15 23:45 --------- d-----w C:\Program Files\Ubisoft
2007-11-14 20:37 --------- d-----w C:\Documents and Settings\Pacosaff\Application Data\LimeWire
2007-11-06 22:24 --------- d-----w C:\Documents and Settings\Pacosaff\Application Data\MilkShape 3D 1.x.x
2007-11-06 22:14 --------- d-----w C:\Program Files\MilkShape 3D 1.8.2
2007-11-05 23:31 --------- d-----w C:\Program Files\Torrent Harvester
2007-11-05 23:01 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-30 20:51 --------- d-----w C:\Program Files\SecondLife
2007-10-29 19:03 --------- d-----w C:\Program Files\Pixarra
2007-10-27 14:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Digital Anarchy
2007-10-20 13:47 --------- d-----w C:\Program Files\Act-3D
2007-10-18 18:13 --------- d-----w C:\Program Files\Dark Egypt
2007-10-14 19:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-14 19:49 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-10-14 19:46 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-14 09:12 --------- d-----w C:\Program Files\FXhome VisionLab Studio
2007-10-12 08:08 --------- d-----w C:\Documents and Settings\Pacosaff\Application Data\MediaMan
2007-01-11 00:08 0 ----a-w C:\Documents and Settings\All Users\Application Data\PKP_DLbz.DAT
2006-09-23 14:57 81,920 ----a-w C:\Documents and Settings\Pacosaff\Application Data\ezpinst.exe
2006-09-23 14:57 47,360 ----a-w C:\Documents and Settings\Pacosaff\Application Data\pcouffin.sys
2005-07-02 16:12 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2007-01-10 22:39 88 --sh--r C:\WINDOWS\system32\668E944800.sys
2007-01-10 22:44 3,454 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2007-12-06_19.42.52.71 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-13 10:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
- 2007-12-05 08:50:29 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-12-08 08:50:32 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-12-05 08:50:29 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-12-08 08:50:32 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-12-05 08:50:29 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-08 08:50:32 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-09 00:14:56 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-11-19 11:33]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 03:10]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 05:59]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 12:00]
"NvMediaCenter"="RUNDLL32.exe" [2002-08-29 12:00 C:\WINDOWS\system32\rundll32.exe]
"ALUAlert"="c:\program files\symantec\liveupdate\alunotify.exe" [2007-09-12 18:27]

C:\Documents and Settings\Pacosaff\Start Menu\Programs\Startup\
AntiCrash.lnk - C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe [2002-12-17 12:00:44]
BHODemon 2.0.lnk - C:\Program Files\BHODemon 2\BHODemon.exe [2005-06-19 11:59:30]
ICONDESK.lnk - C:\Program Files\ICONDESK\IconDesk.exe [2001-12-02 22:22:03]
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2006-09-29 21:22:37]
Registration-INSDVD.lnk - C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe [2002-09-26 12:18:00]
Stickies.lnk - C:\Program Files\stickies\stickies.exe [2003-06-19 20:06:39]
Yahoo! Widget Engine.lnk - C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe [2005-12-19 11:59:28]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2003-10-23 15:31:21]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2004-07-14 21:16:45]

R0 gxc108b;gxc108b;C:\WINDOWS\System32\DRIVERS\gxc108b.sys
R0 gxc108p;gxc108p;C:\WINDOWS\System32\Drivers\gxc108p.sys
R0 sonyhcb;Sony Digital Imaging Base;C:\WINDOWS\System32\DRIVERS\sonyhcb.sys
R0 VOBID;VOBID;C:\WINDOWS\System32\DRIVERS\vobid.sys
R1 gcvcd;gcvcd;C:\WINDOWS\System32\drivers\gcvcd.sys
R1 sdpiosys;sdpiosys;C:\WINDOWS\System32\drivers\sdpiosys.sys
R1 vobcom;vobcom;C:\WINDOWS\System32\drivers\vobcom.sys
R1 vobiw;vobiw;C:\WINDOWS\System32\drivers\vobiw.sys
R2 aliasdocserver;Alias Documentation Server;"C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe" -s "C:\Program Files\Alias\Maya6.0\docs/Wrapper.conf"
R2 CamthWDM;WebcamMax, WDM Video Capture;C:\WINDOWS\System32\DRIVERS\CamthWDM.sys
R2 CatnHat;CatnHat;C:\WINDOWS\System32\drivers\CatnHat.sys
R2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\System32\DRIVERS\nvcap.sys
R2 nvTUNEP;nVidia WDM TVTuner;C:\WINDOWS\System32\DRIVERS\nvtunep.sys
R2 nvtvSND;nVidia WDM TVAudio Crossbar;C:\WINDOWS\System32\DRIVERS\nvtvsnd.sys
R2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\System32\DRIVERS\NVxbar.sys
R2 SentinelKeysServer;Sentinel Keys Server;"C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe"
R3 cdrdrv;Cdrdrv;C:\WINDOWS\System32\Drivers\Cdrdrv.sys
S0 ElbyVCD;ElbyVCD;C:\WINDOWS\System32\DRIVERS\ElbyVCD.sys
S2 CADopia License Manager;CADopia License Manager;C:\PROGRA~1\Cadopia\INTELL~1\LicenseManager\lmgrd.exe
S2 lmgrd;Flexlm;C:\Program Files\Cadopia\IntelliCAD 4\LicenseManager\lmgrd.exe
S2 windrvNT;windrvNT;\??\C:\WINDOWS\System32\windrvNT.sys
S3 Aliasiilace;Aliasiilace;C:\WINDOWS\System32\drivers\drmkaud.sys
S3 C-Dilla;C-Dilla;\??\C:\WINDOWS\System32\drivers\CDANT.SYS
S3 ICAM5USB;Intel(r) PC Camera CS110;C:\WINDOWS\System32\Drivers\ICAM5D2.sys
S3 pmxscan;USB USB FlatBed Scanner Driver;C:\WINDOWS\System32\DRIVERS\usbscan.sys
S3 sonyhcs;Sony Digital Imaging Video;C:\WINDOWS\System32\DRIVERS\sonyhcs.sys
S3 USBVSP;USBVSP;C:\WINDOWS\System32\drivers\Usbvsp.sys

*Newly Created Service* - COMHOST
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-09 00:15:44
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-09 0:18:25 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-06 19:43
C:\ComboFix3.txt ... 2007-11-25 10:04
.
--- E O F ---

pacosaff
2007-12-09, 02:25
And the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:20:56, on 09/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\sesinetd.exe
C:\WINDOWS\System32\hserver.exe
C:\WINDOWS\System32\PSIService.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Alias\Maya6.0\docs\jre\bin\java.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\ICONDESK\IconDesk.exe
C:\WINDOWS\Integrator.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\Paul's Repair Kit\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipPublisher\FpLaunch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\Program Files\FlashGet\Jccatch.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: LEC - {1DBAB667-A486-421e-AFE4-CF07DD0088E5} - C:\Program Files\Power Translator\Applications\LEC IE Translation Extension.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] c:\program files\symantec\liveupdate\alunotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: ICONDESK.lnk = C:\Program Files\ICONDESK\IconDesk.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: Registration-INSDVD.lnk = C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196194709687
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: CADopia License Manager - Macrovision Corporation - C:\PROGRA~1\Cadopia\INTELL~1\LicenseManager\lmgrd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Houdini License Server (HoudiniLicenseServer) - Side Effects Software Inc. - C:\WINDOWS\System32\sesinetd.exe
O23 - Service: Houdini License Client (HoudiniServer) - Side Effects Software Inc. - C:\WINDOWS\System32\hserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LEC TranslateDotNet Server - Language Engineering Corporation, LLC - C:\Program Files\Power Translator\LogoMedia TranslateDotNet Server.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Flexlm (lmgrd) - Macrovision Corporation - C:\Program Files\Cadopia\IntelliCAD 4\LicenseManager\lmgrd.exe
O23 - Service: MBackMonitor - Unknown owner - C:\Program Files\McAfee\MBK\MBackMonitor.exe (file missing)
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\System32\PSIService.exe
O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
O23 - Service: Windows Tracks Washer Registry Service (WTWService) - Unknown owner - C:\Program Files\Internet Tracks Washer\washservice.exe
O24 - Desktop Component 0: Aqua Real - 7db39a0d-580f-4be9-9195-8bfcd226f6c2

--
End of file - 12114 bytes

Many thanks for all your time :2thumb:

Mr_JAk3
2007-12-09, 12:43
Hi again, we'll continue :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

==================

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O24 - Desktop Component 0: Aqua Real - 7db39a0d-580f-4be9-9195-8bfcd226f6c2

Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run a scan with Dr.Web CureIt Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, look if you can click next icon next to the files found http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable
After the scan, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot the computer in Normal Mode,
Post the Cure-it report and a fresh HijackThis log

pacosaff
2007-12-10, 10:51
WOW! After a 12 hour scan, i had to try 3 times before Windows would load. Such a relief!

Here are the new logs:

Dr. Web cure-it:

shutdown.exe;C:\Documents and Settings\Pacosaff\My Documents\Windows XP Inside Out\Windows XP Inside Out\Author Extras;Tool.ShutDown.10;;
PATCH.0XE;C:\Download\GFX-Background[1].Remover.v1.0.for.Adobe.Photoshop.Cracked-SSG.rar.Photoshop.Cracked-SSG\Background.Remover.v1.0.fo;Win32.HLLW.MyBot;Deleted.;
Deep Paint 3D v2.0.exe;C:\Downloads;Win95.SK;Incurable.Moved.;
CncRt32.exe;C:\MMFusion\Programs\data\Runtime;BackDoor.JustFun;Deleted.;
patch.exe;C:\Program Files\Alteros 3D;Win32.HLLW.MyBot;Deleted.;
Tut_support.exe;C:\Program Files\AnswersThatWork\Troubleshooter;Modification of BackDoor.Generic.1219;Moved.;
UltimateTroubleshooter.exe;C:\Program Files\AnswersThatWork\Troubleshooter;Probably BACKDOOR.Trojan;;
agtpch32.dll;C:\Program Files\Common Files\Atomica Shared;Trojan.Peflog.origin;Incurable.Moved.;
agtpchnt.dll;C:\Program Files\Common Files\Atomica Shared;Trojan.Peflog.origin;Incurable.Moved.;
RealBar.dll;C:\Program Files\Common Files\Real\Toolbar;Adware.MegaSearch.origin;;
htdvdauthor.dll;C:\Program Files\honestech VHS to DVD 2.0;Adware.Cinmus.origin;;
mirc.exe;C:\Program Files\mIRC;Program.mIRC.616;;
iwapi.chm\DLLGeneral.html;C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\InstantWrite SDK\InstantWrite\InstantWrite SDK\iwapi.chm;Modification of BAT.Wed.4730;;
iwapi.chm;C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\InstantWrite SDK\InstantWrite\InstantWrite SDK;Archive contains infected objects;Moved.;
FileTransfert.dll;C:\Program Files\ubi.com\Core;Trojan.Inject.origin;Incurable.Moved.;
zetacaspol.exe;C:\Program Files\zeta producer Desktop 7 ENU\Applications;Win32.HLLW.Folder.origin;Incurable.Moved.;
A0000139.exe;C:\System Volume Information\_restore{62FFCE82-38A2-480D-AAD1-DDDEAF923286}\RP4;Win95.SK;Incurable.Moved.;
A0000140.exe;C:\System Volume Information\_restore{62FFCE82-38A2-480D-AAD1-DDDEAF923286}\RP4;BackDoor.JustFun;Deleted.;
A0000141.exe;C:\System Volume Information\_restore{62FFCE82-38A2-480D-AAD1-DDDEAF923286}\RP4;Win32.HLLW.MyBot;Deleted.;
A0000142.exe;C:\System Volume Information\_restore{62FFCE82-38A2-480D-AAD1-DDDEAF923286}\RP4;Modification of BackDoor.Generic.1219;Moved.;
A0000143.dll;C:\System Volume Information\_restore{62FFCE82-38A2-480D-AAD1-DDDEAF923286}\RP4;Trojan.Peflog.origin;Incurable.Moved.;
A0000144.dll;C:\System Volume Information\_restore{62FFCE82-38A2-480D-AAD1-DDDEAF923286}\RP4;Trojan.Peflog.origin;Incurable.Moved.;
A0000145.dll;C:\System Volume Information\_restore{62FFCE82-38A2-480D-AAD1-DDDEAF923286}\RP4;Trojan.Inject.origin;Incurable.Moved.;
A0000146.exe;C:\System Volume Information\_restore{62FFCE82-38A2-480D-AAD1-DDDEAF923286}\RP4;Win32.HLLW.Folder.origin;Incurable.Moved.;
PATCH.0XE;C:\unzipped\ssg-br10\crack;Win32.HLLW.MyBot;Deleted.;


And the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:45:56, on 10/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Alias\Maya6.0\docs\jre\bin\java.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\sesinetd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hserver.exe
C:\WINDOWS\System32\PSIService.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\System32\UAService7.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\BHODemon 2\BHODemon.exe
C:\WINDOWS\Integrator.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Paul's Repair Kit\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipPublisher\FpLaunch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\Program Files\FlashGet\Jccatch.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: LEC - {1DBAB667-A486-421e-AFE4-CF07DD0088E5} - C:\Program Files\Power Translator\Applications\LEC IE Translation Extension.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] c:\program files\symantec\liveupdate\alunotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: ICONDESK.lnk = C:\Program Files\ICONDESK\IconDesk.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: Registration-INSDVD.lnk = C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196194709687
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: CADopia License Manager - Macrovision Corporation - C:\PROGRA~1\Cadopia\INTELL~1\LicenseManager\lmgrd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Houdini License Server (HoudiniLicenseServer) - Side Effects Software Inc. - C:\WINDOWS\System32\sesinetd.exe
O23 - Service: Houdini License Client (HoudiniServer) - Side Effects Software Inc. - C:\WINDOWS\System32\hserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LEC TranslateDotNet Server - Language Engineering Corporation, LLC - C:\Program Files\Power Translator\LogoMedia TranslateDotNet Server.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Flexlm (lmgrd) - Macrovision Corporation - C:\Program Files\Cadopia\IntelliCAD 4\LicenseManager\lmgrd.exe
O23 - Service: MBackMonitor - Unknown owner - C:\Program Files\McAfee\MBK\MBackMonitor.exe (file missing)
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\System32\PSIService.exe
O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
O23 - Service: Windows Tracks Washer Registry Service (WTWService) - Unknown owner - C:\Program Files\Internet Tracks Washer\washservice.exe

--
End of file - 10489 bytes


How are we doing? Many thanks again

Mr_JAk3
2007-12-10, 20:33
Hi again :)

DrWeb quarantined some good files too but we'll restore those.

Looks pretty good. How is the computer running? :bigthumb:

pacosaff
2007-12-10, 21:46
So far, so good :2thumb: Do you think it's clean? What's next?

Mr_JAk3
2007-12-11, 21:35
We'll it looks pretty good but we may run one more scanner just to be sure :)

Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under select a target to scan:Select My Computer

This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

pacosaff
2007-12-13, 09:38
Okay..here are the logs from Kaspersky. The first one is for the "critical areas" and the second for My Computer. What do you think?

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, December 12, 2007 7:27:55 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/12/2007
Kaspersky Anti-Virus database records: 480659
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\Pacosaff\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 20849
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 00:23:53

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\icont.exe Infected: not-a-virus:AdWare.Win32.AdURL.c skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd3997.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\InstaFinder_inst245.exe Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\Temp\gnserv.dat Object is locked skipped
C:\WINDOWS\Temp\hsperfdata_SYSTEM\1656 Object is locked skipped
C:\WINDOWS\Temp\JETA7CD.tmp Object is locked skipped
C:\WINDOWS\Temp\JETAAAC.tmp Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_554.dat Object is locked skipped
C:\WINDOWS\Temp\spnserv.dat Object is locked skipped
C:\WINDOWS\Temp\spserv.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\DOCUME~1\Pacosaff\LOCALS~1\Temp\WERC2C.tmp.dir00\appcompat.txt Object is locked skipped
C:\DOCUME~1\Pacosaff\LOCALS~1\Temp\~DFA07C.tmp Object is locked skipped

Scan process completed.

pacosaff
2007-12-13, 09:39
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, December 13, 2007 7:38:49 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/12/2007
Kaspersky Anti-Virus database records: 480659
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 545820
Number of viruses found: 11
Number of infected objects: 37
Number of suspicious objects: 5
Duration of the scan process: 08:48:14

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\3A705421.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\A78E9B53.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\85IB0LUJ\index[2].jsp Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Pacosaff\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Pacosaff\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Pacosaff\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Pacosaff\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Pacosaff\Local Settings\History\History.IE5\MSHist012007121220071213\index.dat Object is locked skipped
C:\Documents and Settings\Pacosaff\Local Settings\Temp\~DFA07C.tmp Object is locked skipped
C:\Documents and Settings\Pacosaff\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Pacosaff\My Documents\Downloads\CamFrog Video Chat Full.exe/data.rar/wr-1-701.exe Infected: Trojan-Downloader.Win32.Small.fuq skipped
C:\Documents and Settings\Pacosaff\My Documents\Downloads\CamFrog Video Chat Full.exe/data.rar/is68321.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.ks skipped
C:\Documents and Settings\Pacosaff\My Documents\Downloads\CamFrog Video Chat Full.exe/data.rar/load.exe Infected: Virus.Win32.Virut.r skipped
C:\Documents and Settings\Pacosaff\My Documents\Downloads\CamFrog Video Chat Full.exe/data.rar Infected: Virus.Win32.Virut.r skipped
C:\Documents and Settings\Pacosaff\My Documents\Downloads\CamFrog Video Chat Full.exe RarSFX: infected - 4 skipped
C:\Documents and Settings\Pacosaff\ntuser.dat Object is locked skipped
C:\Documents and Settings\Pacosaff\ntuser.dat.LOG Object is locked skipped
C:\Download\br.zip/br/ssg-br10.zip/crack.rar/patch.exe Infected: Email-Worm.Win32.Small.a skipped
C:\Download\br.zip/br/ssg-br10.zip/crack.rar Infected: Email-Worm.Win32.Small.a skipped
C:\Download\br.zip/br/ssg-br10.zip Infected: Email-Worm.Win32.Small.a skipped
C:\Download\br.zip ZIP: infected - 3 skipped
C:\Download\GFX-Background[1].Remover.v1.0.for.Adobe.Photoshop.Cracked-SSG.rar.Photoshop.Cracked-SSG\Background.Remover.v1.0.for.Adobe.Photoshop.Cracked-SSG\ssg-br10\crack.rar/patch.exe Infected: Email-Worm.Win32.Small.a skipped
C:\Download\GFX-Background[1].Remover.v1.0.for.Adobe.Photoshop.Cracked-SSG.rar.Photoshop.Cracked-SSG\Background.Remover.v1.0.for.Adobe.Photoshop.Cracked-SSG\ssg-br10\crack.rar RAR: infected - 1 skipped
C:\Download\GFX-Background[1].Remover.v1.0.for.Adobe.Photoshop.Cracked-SSG.rar.Photoshop.Cracked-SSG\Background.Remover.v1.0.for.Adobe.Photoshop.Cracked-SSG\ssg-br10.zip/crack.rar/patch.exe Infected: Email-Worm.Win32.Small.a skipped
C:\Download\GFX-Background[1].Remover.v1.0.for.Adobe.Photoshop.Cracked-SSG.rar.Photoshop.Cracked-SSG\Background.Remover.v1.0.for.Adobe.Photoshop.Cracked-SSG\ssg-br10.zip/crack.rar Infected: Email-Worm.Win32.Small.a skipped
C:\Download\GFX-Background[1].Remover.v1.0.for.Adobe.Photoshop.Cracked-SSG.rar.Photoshop.Cracked-SSG\Background.Remover.v1.0.for.Adobe.Photoshop.Cracked-SSG\ssg-br10.zip ZIP: infected - 2 skipped
C:\Download\GFX-Background[1].Remover.v1.0.for.Adobe.Photoshop.Cracked-SSG.rar.Photoshop.Cracked-SSG.rar/Background.Remover.v1.0.for.Adobe.Photoshop.Cracked-SSG/ssg-br10.zip/crack.rar/patch.exe Infected: Email-Worm.Win32.Small.a skipped
C:\Download\GFX-Background[1].Remover.v1.0.for.Adobe.Photoshop.Cracked-SSG.rar.Photoshop.Cracked-SSG.rar/Background.Remover.v1.0.for.Adobe.Photoshop.Cracked-SSG/ssg-br10.zip/crack.rar Infected: Email-Worm.Win32.Small.a skipped
C:\Download\GFX-Background[1].Remover.v1.0.for.Adobe.Photoshop.Cracked-SSG.rar.Photoshop.Cracked-SSG.rar/Background.Remover.v1.0.for.Adobe.Photoshop.Cracked-SSG/ssg-br10.zip Infected: Email-Worm.Win32.Small.a skipped
C:\Download\GFX-Background[1].Remover.v1.0.for.Adobe.Photoshop.Cracked-SSG.rar.Photoshop.Cracked-SSG.rar RAR: infected - 3 skipped
C:\Download\HappyEO[1].piano.v3.08.z3x\HappyEO.v3.08.z3x\happyeo3se_setup.exe/WISE0018.BIN Infected: not-a-virus:Monitor.Win32.KeyPressHooker skipped
C:\Download\HappyEO[1].piano.v3.08.z3x\HappyEO.v3.08.z3x\happyeo3se_setup.exe WiseSFX: infected - 1 skipped
C:\Download\LiangZhu.Software.Sketch.Studio.v2.5.rar/keygen.exe Suspicious: Packed.Win32.CryptExe skipped
C:\Download\LiangZhu.Software.Sketch.Studio.v2.5.rar RAR: suspicious - 1 skipped
C:\Download\nx00266\River.Past.Screen.Recorder.Pro.v7.4.1.WinAll.Incl.Keygen-NeoX\nx00266a.zip/neox.part1.rar/keygen.exe Suspicious: Packed.Win32.CryptExe skipped
C:\Download\nx00266\River.Past.Screen.Recorder.Pro.v7.4.1.WinAll.Incl.Keygen-NeoX\nx00266a.zip/neox.part1.rar Suspicious: Packed.Win32.CryptExe skipped
C:\Download\nx00266\River.Past.Screen.Recorder.Pro.v7.4.1.WinAll.Incl.Keygen-NeoX\nx00266a.zip ZIP: suspicious - 2 skipped
C:\Download\Rhinoceros[1].Nurbs.Modeling.v4.Beta.Build.2006.11.15.rar/Rhinoceros.Nurbs.Modeling.v4.Beta.Build.2006.11.15-ENGiNE/e-rnm4bu.zip/e-rnm4b.rar/Rhino_3_Emul.exe Infected: Trojan.Win32.Agent.uu skipped
C:\Download\Rhinoceros[1].Nurbs.Modeling.v4.Beta.Build.2006.11.15.rar/Rhinoceros.Nurbs.Modeling.v4.Beta.Build.2006.11.15-ENGiNE/e-rnm4bu.zip/e-rnm4b.rar Infected: Trojan.Win32.Agent.uu skipped
C:\Download\Rhinoceros[1].Nurbs.Modeling.v4.Beta.Build.2006.11.15.rar/Rhinoceros.Nurbs.Modeling.v4.Beta.Build.2006.11.15-ENGiNE/e-rnm4bu.zip Infected: Trojan.Win32.Agent.uu skipped
C:\Download\Rhinoceros[1].Nurbs.Modeling.v4.Beta.Build.2006.11.15.rar RAR: infected - 3 skipped
C:\Download\Sno13535.rar/snoopercrack.zip/snpr.exe Infected: not-a-virus:Monitor.Win32.SoundSnooper.b skipped
C:\Download\Sno13535.rar/snoopercrack.zip Infected: not-a-virus:Monitor.Win32.SoundSnooper.b skipped
C:\Download\Sno13535.rar/snooper_setup.exe/file1 Infected: not-a-virus:Monitor.Win32.SoundSnooper.b skipped
C:\Download\Sno13535.rar/snooper_setup.exe Infected: not-a-virus:Monitor.Win32.SoundSnooper.b skipped
C:\Download\Sno13535.rar RAR: infected - 4 skipped
C:\Downloads\K-Lite Downloads\norton anti virus crack 2004.exe Object is locked skipped
C:\Program Files\BHODemon 2\_BHODemon_PACOSAFF3.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Norton 360\Log\AutoProtect.log Object is locked skipped
C:\Program Files\Norton 360\Log\AVContext.log Object is locked skipped
C:\Program Files\Norton 360\Log\AVManual.log Object is locked skipped
C:\Program Files\Norton 360\Log\Backup.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetPageViewHistory.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetSearchHistory.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetTempFiles.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUWindowsTempFiles.log Object is locked skipped
C:\Program Files\Norton 360\Log\EmailScan.log Object is locked skipped
C:\Program Files\Norton 360\Log\InternetSecurity.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISIntrusionPrevented.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISIOTraffic.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISNewNetwork.log Object is locked skipped
C:\Program Files\Norton 360\Log\LiveUpdate.log Object is locked skipped
C:\Program Files\Norton 360\Log\NCO.log Object is locked skipped
C:\Program Files\Norton 360\Log\VABrowserSettings.log Object is locked skipped
C:\Program Files\Norton 360\Log\VAIPAddresses.log Object is locked skipped
C:\Program Files\Norton 360\Log\VAWeakPasswords.log Object is locked skipped
C:\Program Files\Norton 360\Log\WDFScanner.log Object is locked skipped
C:\Program Files\Windows Media Player\PROFSYFSYWUERT.0TML Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\RECYCLER\NPROTECT\00000418(2).LNK Object is locked skipped
C:\RECYCLER\NPROTECT\Premium.cfg Object is locked skipped
C:\System Volume Information\_restore{62FFCE82-38A2-480D-AAD1-DDDEAF923286}\RP4\A0000150.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\System Volume Information\_restore{62FFCE82-38A2-480D-AAD1-DDDEAF923286}\RP7\change.log Object is locked skipped
C:\unzipped\br\br\ssg-br10.zip/crack.rar/patch.exe Infected: Email-Worm.Win32.Small.a skipped
C:\unzipped\br\br\ssg-br10.zip/crack.rar Infected: Email-Worm.Win32.Small.a skipped
C:\unzipped\br\br\ssg-br10.zip ZIP: infected - 2 skipped
C:\unzipped\ssg-br10\crack.rar/patch.exe Infected: Email-Worm.Win32.Small.a skipped
C:\unzipped\ssg-br10\crack.rar RAR: infected - 1 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\icont.exe Infected: not-a-virus:AdWare.Win32.AdURL.c skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd3997.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\InstaFinder_inst245.exe Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\Temp\gnserv.dat Object is locked skipped
C:\WINDOWS\Temp\hsperfdata_SYSTEM\1656 Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_554.dat Object is locked skipped
C:\WINDOWS\Temp\spnserv.dat Object is locked skipped
C:\WINDOWS\Temp\spserv.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Many thanks :greeting:

Mr_JAk3
2007-12-13, 21:06
Hi :)

Ok delete these files:
C:\WINDOWS\icont.exe
C:\Documents and Settings\Pacosaff\My Documents\Downloads\CamFrog Video Chat Full.exe
C:\Download\br.zip


C:\Download\GFX-Background[1].Remover.v1.0.for.Adobe.Photoshop.Cracked-SSG.rar.Photoshop.Cracked-SSG\Background.Remover.v1.0.for.Adobe.Photoshop.Cracked-SSG\ssg-br10\crack.rar/patch.exe Infected: Email-Worm.Win32.Small.a skipped
C:\Download\GFX-Background[1].Remover.v1.0.for.Adobe.Photoshop.Cracked-SSG.rar.Photoshop.Cracked-SSG\Background.Remover.v1.0.for.Adobe.Photoshop.Cracked-SSG\ssg-br10\crack.rar RAR: infected - 1 skipped
C:\Download\GFX-Background[1].Remover.v1.0.for.Adobe.Photoshop.Cracked-SSG.rar.Photoshop.Cracked-SSG\Background.Remover.v1.0.for.Adobe.Photoshop.Cracked-SSG\ssg-br10.zip/crack.rar/patch.exe Infected: Email-Worm.Win32.Small.a skipped
C:\Download\GFX-Background[1].Remover.v1.0.for.Adobe.Photoshop.Cracked-SSG.rar.Photoshop.Cracked-SSG\Background.Remover.v1.0.for.Adobe.Photoshop.Cracked-SSG\ssg-br10.zip/crack.rar Infected: Email-Worm.Win32.Small.a skipped
C:\Download\GFX-Background[1].Remover.v1.0.for.Adobe.Photoshop.Cracked-SSG.rar.Photoshop.Cracked-SSG\Background.Remover.v1.0.for.Adobe.Photoshop.Cracked-SSG\ssg-br10.zip ZIP: infected - 2 skipped
C:\Download\GFX-Background[1].Remover.v1.0.for.Adobe.Photoshop.Cracked-SSG.rar.Photoshop.Cracked-SSG.rar/Background.Remover.v1.0.for.Adobe.Photoshop.Cracked-SSG/ssg-br10.zip/crack.rar/patch.exe Infected: Email-Worm.Win32.Small.a skipped
C:\Download\GFX-Background[1].Remover.v1.0.for.Adobe.Photoshop.Cracked-SSG.rar.Photoshop.Cracked-SSG.rar/Background.Remover.v1.0.for.Adobe.Photoshop.Cracked-SSG/ssg-br10.zip/crack.rar Infected: Email-Worm.Win32.Small.a skipped
C:\Download\GFX-Background[1].Remover.v1.0.for.Adobe.Photoshop.Cracked-SSG.rar.Photoshop.Cracked-SSG.rar/Background.Remover.v1.0.for.Adobe.Photoshop.Cracked-SSG/ssg-br10.zip Infected: Email-Worm.Win32.Small.a skipped
C:\Download\GFX-Background[1].Remover.v1.0.for.Adobe.Photoshop.Cracked-SSG.rar.Photoshop.Cracked-SSG.rar RAR: infected - 3 skipped
C:\Download\HappyEO[1].piano.v3.08.z3x\HappyEO.v3.08.z3x\happyeo3se_setup.exe/WISE0018.BIN Infected: not-a-virus:Monitor.Win32.KeyPressHooker skipped
C:\Download\HappyEO[1].piano.v3.08.z3x\HappyEO.v3.08.z3x\happyeo3se_setup.exe WiseSFX: infected - 1 skipped
C:\Download\LiangZhu.Software.Sketch.Studio.v2.5.rar/keygen.exe Suspicious: Packed.Win32.CryptExe skipped
C:\Download\LiangZhu.Software.Sketch.Studio.v2.5.rar RAR: suspicious - 1 skipped
C:\Download\nx00266\River.Past.Screen.Recorder.Pro.v7.4.1.WinAll.Incl.Keygen-NeoX\nx00266a.zip/neox.part1.rar/keygen.exe Suspicious: Packed.Win32.CryptExe skipped
C:\Download\nx00266\River.Past.Screen.Recorder.Pro.v7.4.1.WinAll.Incl.Keygen-NeoX\nx00266a.zip/neox.part1.rar Suspicious: Packed.Win32.CryptExe skipped
C:\Download\nx00266\River.Past.Screen.Recorder.Pro.v7.4.1.WinAll.Incl.Keygen-NeoX\nx00266a.zip ZIP: suspicious - 2 skipped
C:\Download\Rhinoceros[1].Nurbs.Modeling.v4.Beta.Build.2006.11.15.rar/Rhinoceros.Nurbs.Modeling.v4.Beta.Build.2006.11.15-ENGiNE/e-rnm4bu.zip/e-rnm4b.rar/Rhino_3_Emul.exe Infected: Trojan.Win32.Agent.uu skipped
C:\Download\Rhinoceros[1].Nurbs.Modeling.v4.Beta.Build.2006.11.15.rar/Rhinoceros.Nurbs.Modeling.v4.Beta.Build.2006.11.15-ENGiNE/e-rnm4bu.zip/e-rnm4b.rar Infected: Trojan.Win32.Agent.uu skipped
C:\Download\Rhinoceros[1].Nurbs.Modeling.v4.Beta.Build.2006.11.15.rar/Rhinoceros.Nurbs.Modeling.v4.Beta.Build.2006.11.15-ENGiNE/e-rnm4bu.zip Infected: Trojan.Win32.Agent.uu skipped
C:\Download\Rhinoceros[1].Nurbs.Modeling.v4.Beta.Build.2006.11.15.rar RAR: infected - 3 skipped
C:\Download\Sno13535.rar/snoopercrack.zip/snpr.exe Infected: not-a-virus:Monitor.Win32.SoundSnooper.b skipped
C:\Download\Sno13535.rar/snoopercrack.zip Infected: not-a-virus:Monitor.Win32.SoundSnooper.b skipped
C:\Download\Sno13535.rar/snooper_setup.exe/file1 Infected: not-a-virus:Monitor.Win32.SoundSnooper.b skipped
C:\Download\Sno13535.rar/snooper_setup.exe Infected: not-a-virus:Monitor.Win32.SoundSnooper.b skipped
C:\Download\Sno13535.rar RAR: infected - 4 skipped
C:\Downloads\K-Lite Downloads\norton anti virus crack 2004.exe Object is locked skipped
C:\unzipped\br\br\ssg-br10.zip/crack.rar/patch.exe Infected: Email-Worm.Win32.Small.a skipped
C:\unzipped\br\br\ssg-br10.zip/crack.rar Infected: Email-Worm.Win32.Small.a skipped
C:\unzipped\br\br\ssg-br10.zip ZIP: infected - 2 skipped
C:\unzipped\ssg-br10\crack.rar/patch.exe Infected: Email-Worm.Win32.Small.a skipped
C:\unzipped\ssg-br10\crack.rar RAR: infected - 1 skippedCracks, keygens etc are illegal and as you can see - those get you infected. I'd strongly advice you to remove all these.

Post a one more HijackThis log.

pacosaff
2007-12-14, 01:48
OK....I have deleted everything in the list. A couple of things would not delete...write protected? Yes, you are quite right. Unfortunately, many of these things were downloaded by an incautious relative and I have been trying to get rid of them whenever possible. I don't want them around. Anyway, here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:46:24, on 13/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\sesinetd.exe
C:\WINDOWS\System32\hserver.exe
C:\WINDOWS\System32\PSIService.exe
C:\Program Files\Alias\Maya6.0\docs\jre\bin\java.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\BHODemon 2\BHODemon.exe
C:\WINDOWS\Integrator.exe
C:\Program Files\ICONDESK\IconDesk.exe
C:\WINDOWS\System32\svchost.exe
C:\Paul's Repair Kit\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipPublisher\FpLaunch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\Program Files\FlashGet\Jccatch.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: LEC - {1DBAB667-A486-421e-AFE4-CF07DD0088E5} - C:\Program Files\Power Translator\Applications\LEC IE Translation Extension.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] c:\program files\symantec\liveupdate\alunotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: ICONDESK.lnk = C:\Program Files\ICONDESK\IconDesk.exe
O4 - Startup: Registration-INSDVD.lnk = C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196194709687
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Alias Documentation Server (aliasdocserver) - Unknown owner - C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: CADopia License Manager - Macrovision Corporation - C:\PROGRA~1\Cadopia\INTELL~1\LicenseManager\lmgrd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Houdini License Server (HoudiniLicenseServer) - Side Effects Software Inc. - C:\WINDOWS\System32\sesinetd.exe
O23 - Service: Houdini License Client (HoudiniServer) - Side Effects Software Inc. - C:\WINDOWS\System32\hserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LEC TranslateDotNet Server - Language Engineering Corporation, LLC - C:\Program Files\Power Translator\LogoMedia TranslateDotNet Server.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Flexlm (lmgrd) - Macrovision Corporation - C:\Program Files\Cadopia\IntelliCAD 4\LicenseManager\lmgrd.exe
O23 - Service: MBackMonitor - Unknown owner - C:\Program Files\McAfee\MBK\MBackMonitor.exe (file missing)
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\System32\PSIService.exe
O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe
O23 - Service: Windows Tracks Washer Registry Service (WTWService) - Unknown owner - C:\Program Files\Internet Tracks Washer\washservice.exe

--
End of file - 10418 bytes

How are we doing? By the way, I'm told I should download SP2. Do you have comments on that? Should I just go ahead and do it? Thanks again. :bigthumb: :2thumb:

Mr_JAk3
2007-12-15, 13:24
Hi again, it is looking clean now :)

SP2 should not be installed to an infected pc. But since it is looking clean - the first priority is to visit Windows Update (http://windowsupdate.microsoft.com) and get your system updated
-> At first, install Win XP Service Pack 2 Update
-> Reboot and get back to the Windows Update
-> Install all remaining important updates
(NOTE: You'll propably have to reboot and get back to the update several times before all of them are installed)

You can remove the tools we used.

Then you should update your Java to the latest version (6u3) Start
Control Panel
Add/Remove Programs
Delete the old Java,
J2SE Runtime Environment 5.0 Update 9

Download the latest version of Java Runtime Environment (JRE) 6u3 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement."
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Install it

Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is faster and more secure browser than Internet Explorer.

Keep your systen up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly. How to enable Automatic Updates? (http://www.bleepingcomputer.com/tutorials/tutorial35.html)

Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with you antivirus software.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)

pacosaff
2007-12-15, 13:57
What can I say? I'm indebted to you for all your help over the last week or two. I will take all the steps you recommend today and hopefully avoid all the pitfalls. In the meantime, may I wish you a very happy Christmas and thanks a million! :flowers::wav::santa::bigthumb::bigthumb:

Mr_JAk3
2007-12-15, 14:12
That's great news and you're very welcome :D:

Happy Christmas to you too :santa:

As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.

Glad we could help :2thumb: