
View Full Version : Virtumonde...I think



ieyasu
2008-01-24, 10:38
I was getting popups one day and thought it was quite strange....I did a scan with Spybot. Virtumonde and a few others came up. I tried a few times to clean it out, but it just kept coming back. I restarted in safe mode and did a scan to try and clear it out once and for all. I restarted back into normal Windows and now IE won't work...

My IE is down so I can't do a Kaspersky scan, but here's the HijackThis log. Any help would be greatly appreciated. =]


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:25:45 PM, on 1/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\SSC Service Utility\ssc_serv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dhost.info/dwnatt
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSC Service Utility] C:\Program Files\SSC Service Utility\ssc_serv.exe /s
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [9037b214] rundll32.exe "C:\WINDOWS\system32\nbfipnrd.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA8930] command /c del "C:\WINDOWS\system32\cbxwvss.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9827] cmd /c del "C:\WINDOWS\system32\cbxwvss.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2006\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://dwnatt.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195259047046
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201138216640
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://dwnatt.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D69AADB-177C-4A49-89D7-1A8A0891C57C}: NameServer = 203.194.56.150 203.194.27.57
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9625 bytes

Shaba
2008-01-26, 11:56
Hi ieyasu

Rename HijackThis.exe to ieyasu.exe and post back a fresh HijackThis log, please :)

ieyasu
2008-01-29, 11:23
Thanks for replying =]

Though it seems I got other infections also..


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:21:44 PM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\SSC Service Utility\ssc_serv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TuneUp Utilities 2006\MemOptimizer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Router\Router.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\ieyasu.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dhost.info/dwnatt
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\cbxwvss.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {386bbbfa-89f6-016b-3ae4-94ba2a95331a} - {a13359a2-ab49-4ea3-b610-6f98afbbb683} - C:\WINDOWS\system32\mfkoothr.dll
O2 - BHO: (no name) - {D7AE88E2-FE57-4226-B1D4-5883DF9F1DBD} - C:\WINDOWS\system32\pmnli.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSC Service Utility] C:\Program Files\SSC Service Utility\ssc_serv.exe /s
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1044.exe 61A847B5BBF72813329F3C466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKLM\..\Run: [9037b214] rundll32.exe "C:\WINDOWS\system32\nbfipnrd.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2006\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://dwnatt.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195259047046
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201138216640
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://dwnatt.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D69AADB-177C-4A49-89D7-1A8A0891C57C}: NameServer = 203.194.56.150 203.194.27.57
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: cbxwvss - cbxwvss.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11024 bytes
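As an added illustration (not code from this thread or from HijackThis), here is a small Python triage script that parses lines in the HijackThis v2 log format quoted above and flags the entry types a helper looks at first: orphaned "(file missing)" loading points, BHOs without a name, hex-named Run values, DLLs loaded through rundll32, and random-looking DLL names in system32. The sample lines are constructed from entries in the logs above; the heuristics are assumptions for triage, not a verdict on any file.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a few lines in HijackThis v2.0.2 log format, modelled
# on the benign and suspicious entries quoted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dhost.info/dwnatt
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\cbxwvss.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {386bbbfa-89f6-016b-3ae4-94ba2a95331a} - {a13359a2-ab49-4ea3-b610-6f98afbbb683} - C:\WINDOWS\system32\mfkoothr.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [9037b214] rundll32.exe "C:\WINDOWS\system32\nbfipnrd.dll",b
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1044.exe 61A847B5BBF72813329F3C466188719AB689201522886B092CBD44BD8689220221DD3257
O20 - Winlogon Notify: cbxwvss - cbxwvss.dll (file missing)
"""


@dataclass
class Finding:
    section: str                 # HijackThis section id, e.g. "O2", "O4", "O20"
    line: str                    # the original log line
    reasons: list = field(default_factory=list)


# Assumed heuristics (not a HijackThis rule set): patterns that in practice
# separate noise from entries worth a closer look.
HEX_NAME = re.compile(r"^[0-9a-f]{8}$", re.I)            # Run value like [9037b214]
RANDOM_STEM = re.compile(r"^[a-z]{7,8}$")                 # e.g. nbfipnrd, cbxwvss
GUID = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)           # a CLSID used as a BHO "name"
SYSTEM32_DLL = re.compile(r"system32\\([A-Za-z0-9_]+)\.dll", re.I)
ROOT_EXE_HEX_ARG = re.compile(r"c:\\windows\\[a-z0-9]+\.exe\s+[0-9a-f]{32,}")
ENTRY = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")


def triage_line(raw):
    """Parse one HijackThis line; return a Finding (possibly with no reasons)
    or None if the line is not an O/R entry."""
    line = raw.strip()
    m = ENTRY.match(line)
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    low = body.lower()
    reasons = []

    # A loading point whose target is gone is left over from something that
    # was (partially) removed; the registry entry itself still needs cleanup.
    if "(file missing)" in low or "(no file)" in low:
        reasons.append("references a file that no longer exists (orphaned loading point)")

    if section == "O2":
        # O2 - BHO: <name> - {CLSID} - <path>
        fields = [p.strip() for p in body.partition(":")[2].split(" - ")]
        name = fields[0] if fields else ""
        if name == "(no name)" or GUID.match(name):
            reasons.append("BHO without a human-readable name")

    if section == "O4":
        run_name = re.search(r"\[([^\]]+)\]", body)
        if run_name and HEX_NAME.match(run_name.group(1)):
            reasons.append("Run value named with a hex string")
        if "rundll32" in low:
            reasons.append("loads a DLL through rundll32")
        if ROOT_EXE_HEX_ARG.search(low):
            reasons.append("exe in C:\\WINDOWS root started with a long hex argument")

    if section == "O20":
        # Winlogon Notify handlers run inside winlogon; legitimate ones are few.
        reasons.append("Winlogon Notify handler (review manually)")

    dll = SYSTEM32_DLL.search(body)
    if dll and RANDOM_STEM.match(dll.group(1)):
        reasons.append("random-looking DLL name in system32: %s.dll" % dll.group(1))

    return Finding(section, line, reasons)


def triage_log(text):
    """Return only the entries that tripped at least one heuristic."""
    findings = []
    for raw in text.splitlines():
        f = triage_line(raw)
        if f and f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f.section, "|", f.line)
        for r in f.reasons:
            print("    -", r)
```

Entries that trip no heuristic (the avast! Run value, the Adobe BHO) are dropped, so the output is the short list a helper would actually read rather than the whole log.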

Shaba
2008-01-29, 11:30
Hi

We first need to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
3. On the left hand side, click on Tools.
4. Then click on the Resident icon in the list.
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg; then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Post:

- a fresh HijackThis log
- combofix report

ieyasu
2008-01-30, 12:56
Hi, good to report that ComboFix ran smoothly; however, I did get a power outage after the restart while the log was being made =(, so I did a rescan and now have this new log. The HijackThis log is also below.


ComboFix 08-01-30.6 - Tuyen 2008-01-30 22:35:53.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.221 [GMT 11:00]
Running from: C:\Documents and Settings\Tuyen\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\system32\pmnli.dll
C:\Documents and Settings\Tuyen\Application Data\inst.exe
C:\Program Files\iMeshBar
C:\Program Files\iMeshBar\bar\Cache\05C9AC3A
C:\Program Files\iMeshBar\bar\Cache\05C9B66B
C:\Program Files\iMeshBar\bar\Cache\05C9BAD0.bin
C:\Program Files\iMeshBar\bar\Cache\05C9C233.bmp
C:\Program Files\iMeshBar\bar\Cache\05C9C9A5.bmp
C:\Program Files\iMeshBar\bar\Cache\files.ini
C:\Program Files\iMeshBar\bar\History\search
C:\Program Files\iMeshBar\bar\Settings\prevcfg.htm
C:\Program Files\Router
C:\Program Files\Router\Router.exe
C:\Program Files\Router\UnInstall.exe
C:\Program Files\Temporary
C:\Program Files\Temporary\kernInst.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b151.exe
C:\WINDOWS\system32\aarbvkuv.ini
C:\WINDOWS\system32\ahxpljgr.dll
C:\WINDOWS\system32\bwvjyldv.dll
C:\WINDOWS\system32\cpspwwsi.ini
C:\WINDOWS\system32\drnpifbn.ini
C:\WINDOWS\system32\efcawvw.dll
C:\WINDOWS\system32\ffyojsev.dll
C:\WINDOWS\system32\hbhpsbap.ini
C:\WINDOWS\system32\hecjtkph.ini
C:\WINDOWS\system32\hjcfppxs.dll
C:\WINDOWS\system32\hkwfijjn.dll
C:\WINDOWS\system32\hpktjceh.dll
C:\WINDOWS\system32\ilnmp.ini
C:\WINDOWS\system32\ilnmp.ini2
C:\WINDOWS\system32\iqhodewv.ini
C:\WINDOWS\system32\lwptoewo.ini
C:\WINDOWS\system32\masuiewp.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mfkoothr.dll
C:\WINDOWS\system32\mobnnapu.dll
C:\WINDOWS\system32\oibndxde.dll
C:\WINDOWS\system32\orpghynx.ini
C:\WINDOWS\system32\pmnli.dll
C:\WINDOWS\system32\ptfhrnwc.ini
C:\WINDOWS\system32\pweiusam.dll
C:\WINDOWS\system32\qdvpsoey.ini
C:\WINDOWS\system32\qomlijg.dll
C:\WINDOWS\system32\rgjlpxha.ini
C:\WINDOWS\system32\spennexp.dll
C:\WINDOWS\system32\sxppfcjh.ini
C:\WINDOWS\system32\upannbom.ini
C:\WINDOWS\system32\vesjoyff.ini
C:\WINDOWS\system32\vukvbraa.dll
C:\WINDOWS\system32\wjgrcwvg.dll
C:\WINDOWS\system32\yayyaaa.dll
C:\WINDOWS\system32\yeospvdq.dll
C:\WINDOWS\system32\yjnasrhe.dll
C:\WINDOWS\system32\ypnvjnch.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.

2008-01-28 19:13 . 2008-01-28 19:13 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-24 20:25 . 2008-01-24 20:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-24 17:10 . 2008-01-24 22:18 209 --a------ C:\WINDOWS\wininit.ini
2008-01-23 00:46 . 2005-10-19 18:19 1,327,189 --a------ C:\WINDOWS\system32\odSupp_M.dll
2008-01-23 00:46 . 2005-11-22 20:56 630,784 --a------ C:\WINDOWS\system32\ANIWZCS2.dll
2008-01-23 00:46 . 2005-11-22 20:55 237,568 --a------ C:\WINDOWS\system32\wlanapi.dll
2008-01-23 00:46 . 2005-10-19 18:19 204,800 --a------ C:\WINDOWS\system32\aIPH.dll
2008-01-23 00:46 . 2005-11-23 10:10 163,840 --a------ C:\WINDOWS\system32\WlanApp.dll
2008-01-23 00:46 . 2005-10-19 18:19 57,407 --a------ C:\WINDOWS\system32\ANICtl.dll
2008-01-23 00:46 . 2005-10-27 08:55 49,152 --a------ C:\WINDOWS\system32\JJAKEn.dll
2008-01-23 00:46 . 2005-10-19 18:19 49,152 --a------ C:\WINDOWS\system32\AQCKGen.dll
2008-01-23 00:45 . 2008-01-23 00:46 <DIR> d-------- C:\Program Files\ANI
2008-01-23 00:45 . 2005-11-10 07:13 50,176 --a------ C:\WINDOWS\system32\ANIO64.sys
2008-01-23 00:45 . 2005-10-21 15:56 36,864 --a------ C:\WINDOWS\system32\ANIOApi.dll
2008-01-23 00:45 . 2005-11-09 15:44 24,288 --a------ C:\WINDOWS\system32\ANIO.sys
2008-01-23 00:45 . 2004-10-14 10:29 16,997 --a------ C:\WINDOWS\system32\ANIO.VXD
2008-01-23 00:45 . 2004-10-14 10:29 11,904 --a------ C:\WINDOWS\system32\anio4.sys
2008-01-22 22:02 . 2008-01-22 22:02 <DIR> d-------- C:\Program Files\D-Link
2008-01-21 19:49 . 2008-01-21 19:49 <DIR> d-------- C:\Documents and Settings\Tuyen\Application Data\DVDFab
2008-01-20 19:08 . 2008-01-20 19:08 <DIR> d-------- C:\Program Files\DVDFab Platinum 4
2008-01-18 03:05 . 2008-01-18 03:05 94,208 --a------ C:\WINDOWS\system32\drivers\ezplay.sys
2008-01-18 03:05 . 2008-01-18 03:05 94,208 --a------ C:\Documents and Settings\Tuyen\Application Data\ezplay.sys
2008-01-18 03:04 . 2008-01-21 19:48 <DIR> d-------- C:\Documents and Settings\Tuyen\Application Data\Vso
2008-01-18 03:04 . 2008-01-18 03:04 47,360 --a------ C:\Documents and Settings\Tuyen\Application Data\pcouffin.sys
2008-01-11 02:02 . 2008-01-11 02:02 <DIR> d-------- C:\Magic
2007-12-11 15:29 . 2007-12-11 15:29 <DIR> d-------- C:\WINDOWS\mm.BOT
2007-12-11 15:28 . 2007-12-11 15:28 <DIR> d-------- C:\temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-24 09:28 --------- d-----w C:\Program Files\SpywareBlaster
2008-01-24 05:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-24 01:14 --------- d-----w C:\Documents and Settings\Tuyen\Application Data\Azureus
2008-01-22 13:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-17 16:04 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-01-17 16:04 --------- d-----w C:\Program Files\VSO
2008-01-10 12:19 706,048 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-01-09 01:06 --------- d-----w C:\Program Files\TuneUp Utilities 2006
2008-01-06 10:23 --------- d-----w C:\Documents and Settings\Tuyen\Application Data\dvdcss
2008-01-04 13:31 --------- d-----w C:\Program Files\eMule
2008-01-01 11:17 --------- d-----w C:\Program Files\StuffPlug3
2007-12-27 13:40 1,531,392 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2007-12-27 13:39 1,531,392 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2007-12-21 14:43 --------- d-----w C:\Program Files\Messenger Plus! Live
2007-12-16 05:22 --------- d-----w C:\Program Files\StepMania
2007-12-11 01:23 --------- d-----w C:\Program Files\Warcraft III
2007-12-08 07:43 4,289,220 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-04 07:51 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-12-04 05:10 1,524,736 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2007-12-03 09:41 21,840 ----atw C:\WINDOWS\system32\SIntfNT.dll
2007-12-03 09:41 17,212 ----atw C:\WINDOWS\system32\SIntf32.dll
2007-12-03 09:41 12,067 ----atw C:\WINDOWS\system32\SIntf16.dll
2007-12-02 03:57 137,216 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2007-11-29 13:19 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2007-11-29 12:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-28 09:00 --------- d-----w C:\Program Files\Windows Live
2007-11-28 07:04 --------- d-----w C:\Program Files\Azureus
2007-11-28 03:07 --------- d-----w C:\Documents and Settings\Tuyen\Application Data\Winamp
2007-11-28 02:49 --------- d-----w C:\Program Files\Winamp
2007-10-20 14:06 21,504 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2007-10-20 14:06 1,518,592 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2007-10-20 14:04 2,663,936 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2007-10-20 14:04 1,518,592 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2007-08-30 06:40 1,512,960 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2007-03-03 07:05 2,703,360 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2007-01-06 12:58 1,315,328 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2006-12-20 10:25 55,529 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_12_20_21_24_52_small.dmp.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 19:56 15360]
"TuneUp MemOptimizer"="C:\Program Files\TuneUp Utilities 2006\MemOptimizer.exe" [2006-10-05 16:22 304128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2003-08-05 16:59 57344 C:\WINDOWS\SOUNDMAN.EXE]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-23 16:05 339968]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 15:24 32768]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-10 05:50 155648]
"SSC Service Utility"="C:\Program Files\SSC Service Utility\ssc_serv.exe" [2006-01-27 02:59 487424]
"AGRSMMSG"="AGRSMMSG.exe" [2004-04-13 15:49 88363 C:\WINDOWS\AGRSMMSG.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-28 09:03 75128]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2006-06-18 17:54 968696]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 10:41 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 12:25 257088]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-11-23 15:04 1544192]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-19 18:19 49152]
"9037b214"="C:\WINDOWS\system32\nbfipnrd.dll" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]
EPSON Status Monitor 3 Environment Check.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [2000-09-18 13:04:00 121856]
MiniEYE-MiniREAD Launch.lnk - C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe [2006-02-16 13:51:46 323584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^Tuyen^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Tuyen\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-07 18:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2004-08-04 19:56]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-03 08:10]
S3 ss_bus;Samsung Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-01-25 10:38]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-01-25 10:38]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-01-25 10:38]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2007-12-07 06:17:45 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 22:40:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\SSC Service Utility\ssc_serv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\TuneUp Utilities 2006\MemOptimizer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
.
**************************************************************************
.
Completion time: 2008-01-30 22:43:45 - machine was rebooted [Tuyen]
ComboFix-quarantined-files.txt 2008-01-30 11:43:42

ieyasu
2008-01-30, 12:57
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:49:56 PM, on 1/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\SSC Service Utility\ssc_serv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TuneUp Utilities 2006\MemOptimizer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\ieyasu.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dhost.info/dwnatt
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSC Service Utility] C:\Program Files\SSC Service Utility\ssc_serv.exe /s
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [9037b214] rundll32.exe "C:\WINDOWS\system32\nbfipnrd.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2006\MemOptimizer.exe" autostart
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://dwnatt.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195259047046
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201138216640
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://dwnatt.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D69AADB-177C-4A49-89D7-1A8A0891C57C}: NameServer = 203.194.56.150 203.194.27.57
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9764 bytes

Shaba
2008-01-30, 15:22
Hi

Open HijackThis, click do a system scan only and checkmark this:

O4 - HKLM\..\Run: [9037b214] rundll32.exe "C:\WINDOWS\system32\nbfipnrd.dll",b

Close all windows including browser and press fix checked.

Reboot.

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Note: This scanner will work with Internet Explorer Only!

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

Post:

- a fresh HijackThis log
- kaspersky report
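
The entry Shaba singles out for removal has the classic Virtumonde shape: a Run value named with eight random hex digits, rundll32.exe loading a DLL with a random eight-letter name from system32, and a one-letter export as the entry point; the ComboFix "Reg Loading Points" section above shows the same entry with an empty `[ ]` where every other entry carries the file's timestamp and size. The script below is an added example written for this thread (it is not part of HijackThis, ComboFix or the original posts): it parses the O4 and ComboFix Run lines copied from the logs above and applies those three heuristics. The scoring rules are assumptions chosen for illustration; a real triage would add an allowlist for legitimate rundll32 entries.

```python
"""Heuristic triage of Run-key autostart entries from HijackThis and ComboFix logs.

Added example for this thread, not code from HijackThis, ComboFix or the posters.
Sample lines are copied from the logs posted above; the scoring rules are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List

# HijackThis O4 lines copied from the log above (the Global Startup line shows
# that non-registry entries are simply skipped by the parser).
HJT_O4_LINES = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [9037b214] rundll32.exe "C:\WINDOWS\system32\nbfipnrd.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
"""

# ComboFix "Reg Loading Points" lines copied from above: the bracket holds the
# file's timestamp and size and is empty for exactly one entry.
COMBOFIX_RUN_LINES = r"""
"SoundMan"="SOUNDMAN.EXE" [2003-08-05 16:59 57344 C:\WINDOWS\SOUNDMAN.EXE]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-07-28 09:03 75128]
"9037b214"="C:\WINDOWS\system32\nbfipnrd.dll" [ ]
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run[^:]*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<entry>\S+)', re.I)
CF_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<meta>[^\]]*)\]$')
HEX8_RE = re.compile(r'^[0-9a-f]{8}$')          # e.g. "9037b214"
RANDOM_STEM_RE = re.compile(r'^[a-z]{7,8}$')    # e.g. "nbfipnrd" (heuristic, not proof)


@dataclass
class Finding:
    name: str
    command: str
    reasons: List[str]


def score_entry(name: str, cmd: str) -> List[str]:
    """Return the reasons a Run entry looks like Virtumonde-style persistence (assumed rules)."""
    reasons = []
    if HEX8_RE.match(name):
        reasons.append("value name is 8 hex digits rather than a product name")
    m = RUNDLL_RE.match(cmd.strip())
    if m:
        dll = m.group("dll")
        stem = dll.rsplit("\\", 1)[-1][:-4].lower()  # drop directory and ".dll"
        if "\\system32\\" in dll.lower() and RANDOM_STEM_RE.match(stem):
            reasons.append(f"rundll32 loads a system32 DLL with random-looking name '{stem}'")
        if len(m.group("entry")) == 1:
            reasons.append(f"single-letter export '{m.group('entry')}' used as entry point")
    return reasons


def flag_hjt_o4(text: str) -> List[Finding]:
    """Score every registry O4 line; lines without a reason are not reported."""
    out = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # blank or Global Startup lines are not registry entries
        reasons = score_entry(m.group("name"), m.group("cmd"))
        if reasons:
            out.append(Finding(m.group("name"), m.group("cmd"), reasons))
    return out


def flag_combofix_no_metadata(text: str) -> List[str]:
    """Names whose ComboFix bracket is empty, i.e. no timestamp/size was recorded for the file."""
    names = []
    for line in text.splitlines():
        m = CF_RE.match(line.strip())
        if m and not m.group("meta").strip():
            names.append(m.group("name"))
    return names


if __name__ == "__main__":
    for f in flag_hjt_o4(HJT_O4_LINES):
        print(f"[{f.name}] {f.command}")
        for r in f.reasons:
            print("   -", r)
    print("ComboFix entries without file metadata:", flag_combofix_no_metadata(COMBOFIX_RUN_LINES))
```

Run as-is it reports only the `9037b214` entry, with all three reasons, and the same name from the ComboFix lines; the two logs corroborate each other, which is why a helper asks for both before naming a line to fix.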

ieyasu
2008-02-02, 14:37
KASPERSKY ONLINE SCANNER REPORT
Saturday, February 02, 2008 11:45:56 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/02/2008
Kaspersky Anti-Virus database records: 545848
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases false
Scan Target Folders
C:\
Scan Statistics
Total number of scanned objects 102657
Number of viruses found 18
Number of infected objects 114
Number of suspicious objects 12
Duration of the scan process 02:12:46

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Tuyen\Application Data\Mozilla\Firefox\Profiles\o2mygelh.default\cert8.db Object is locked skipped
C:\Documents and Settings\Tuyen\Application Data\Mozilla\Firefox\Profiles\o2mygelh.default\flashgot.log Object is locked skipped
C:\Documents and Settings\Tuyen\Application Data\Mozilla\Firefox\Profiles\o2mygelh.default\history.dat Object is locked skipped
C:\Documents and Settings\Tuyen\Application Data\Mozilla\Firefox\Profiles\o2mygelh.default\key3.db Object is locked skipped
C:\Documents and Settings\Tuyen\Application Data\Mozilla\Firefox\Profiles\o2mygelh.default\parent.lock Object is locked skipped
C:\Documents and Settings\Tuyen\Application Data\Mozilla\Firefox\Profiles\o2mygelh.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Tuyen\Application Data\Mozilla\Firefox\Profiles\o2mygelh.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Tuyen\Application Data\Mozilla\Firefox\Profiles\o2mygelh.default\urlclassifier2.sqlite-journal Object is locked skipped
C:\Documents and Settings\Tuyen\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\back\Documents and Settings\Administrator\Desktop\desktop\New Folder\backups\backup-20050428-180908-633.dll Infected: not-a-virus:AdWare.Win32.HyperBar.b skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\back\Documents and Settings\Administrator\Desktop\desktop\New Folder\WinXP keyChanger.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\back\Documents and Settings\Administrator\Desktop\desktop\New Folder\WinXP keyChanger.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\back\Documents and Settings\Administrator\Desktop\desktop\New Folder\WinXP keyChanger.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\back\Documents and Settings\Administrator\Desktop\desktop\New Folder\WinXP keyChanger.exe RarSFX: infected - 3 skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\back\Documents and Settings\Administrator\My Documents\My Received Files\hijackthis.log Suspicious: Exploit.HTML.Mht skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\back\Documents and Settings\Administrator\My Documents\My Received Files\hijackthis2 Suspicious: Exploit.HTML.Mht skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\back\Documents and Settings\Administrator\My Documents\My Received Files\hijackthis3 Suspicious: Exploit.HTML.Mht skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\back\Documents and Settings\Administrator\My Documents\My Received Files\hijackthis4 Suspicious: Exploit.HTML.Mht skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\back\download\crax\Download_Accelerator_(DAP)_v7[1].2.zip/DAP.zip/DAP.exe Infected: not-a-virus:AdWare.Win32.Dap.a skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\back\download\crax\Download_Accelerator_(DAP)_v7[1].2.zip/DAP.zip Infected: not-a-virus:AdWare.Win32.Dap.a skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\back\download\crax\Download_Accelerator_(DAP)_v7[1].2.zip ZIP: infected - 2 skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\back\download\crax\Download_Accelerator_Plus_(DAP)_v7[1].2.0.0_by_Conless.zip/DAP.exe Infected: not-a-virus:AdWare.Win32.Dap.a skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\back\download\crax\Download_Accelerator_Plus_(DAP)_v7[1].2.0.0_by_Conless.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\back\download\crax\Download_Accelerator_Plus_(DAP)_v7[1].2.zip/DAP.exe Infected: not-a-virus:AdWare.Win32.Dap.a skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\back\download\crax\Download_Accelerator_Plus_(DAP)_v7[1].2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\back\download\crax\Microsoft_Windows_XP_Service_Pack_2.zip/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\back\download\crax\Microsoft_Windows_XP_Service_Pack_2.zip/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\back\download\crax\Microsoft_Windows_XP_Service_Pack_2.zip/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\back\download\crax\Microsoft_Windows_XP_Service_Pack_2.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\back\download\crax\Windows_XP_Service_Pack_2_by_Unknown.zip/WinXP keyChanger.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\back\download\crax\Windows_XP_Service_Pack_2_by_Unknown.zip/WinXP keyChanger.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\back\download\crax\Windows_XP_Service_Pack_2_by_Unknown.zip/WinXP keyChanger.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\back\download\crax\Windows_XP_Service_Pack_2_by_Unknown.zip/WinXP keyChanger.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\back\download\crax\Windows_XP_Service_Pack_2_by_Unknown.zip ZIP: infected - 4 skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\download\crax\Download_Accelerator_(DAP)_v7[1].2.zip/DAP.zip/DAP.exe Infected: not-a-virus:AdWare.Win32.Dap.a skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\download\crax\Download_Accelerator_(DAP)_v7[1].2.zip/DAP.zip Infected: not-a-virus:AdWare.Win32.Dap.a skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\download\crax\Download_Accelerator_(DAP)_v7[1].2.zip ZIP: infected - 2 skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\download\crax\Download_Accelerator_Plus_(DAP)_v7[1].2.0.0_by_Conless.zip/DAP.exe Infected: not-a-virus:AdWare.Win32.Dap.a skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\download\crax\Download_Accelerator_Plus_(DAP)_v7[1].2.0.0_by_Conless.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\download\crax\Download_Accelerator_Plus_(DAP)_v7[1].2.zip/DAP.exe Infected: not-a-virus:AdWare.Win32.Dap.a skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\download\crax\Download_Accelerator_Plus_(DAP)_v7[1].2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\download\crax\Microsoft_Windows_XP_Service_Pack_2.zip/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\download\crax\Microsoft_Windows_XP_Service_Pack_2.zip/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\download\crax\Microsoft_Windows_XP_Service_Pack_2.zip/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\download\crax\Microsoft_Windows_XP_Service_Pack_2.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\download\crax\Windows_XP_Service_Pack_2_by_Unknown.zip/WinXP keyChanger.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\download\crax\Windows_XP_Service_Pack_2_by_Unknown.zip/WinXP keyChanger.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\download\crax\Windows_XP_Service_Pack_2_by_Unknown.zip/WinXP keyChanger.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\download\crax\Windows_XP_Service_Pack_2_by_Unknown.zip/WinXP keyChanger.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\download\crax\Windows_XP_Service_Pack_2_by_Unknown.zip ZIP: infected - 4 skipped
C:\Documents and Settings\Tuyen\Local Settings\Application Data\Microsoft\Messenger\ieyasu_nat@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Tuyen\Local Settings\Application Data\Microsoft\Messenger\ieyasu_nat@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Tuyen\Local Settings\Application Data\Microsoft\Messenger\ieyasu_nat@hotmail.com\SharingMetadata\Working\database_D690_37CD_9037_B2BB\dfsr.db Object is locked skipped
C:\Documents and Settings\Tuyen\Local Settings\Application Data\Microsoft\Messenger\ieyasu_nat@hotmail.com\SharingMetadata\Working\database_D690_37CD_9037_B2BB\fsr.log Object is locked skipped
C:\Documents and Settings\Tuyen\Local Settings\Application Data\Microsoft\Messenger\ieyasu_nat@hotmail.com\SharingMetadata\Working\database_D690_37CD_9037_B2BB\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Tuyen\Local Settings\Application Data\Microsoft\Messenger\ieyasu_nat@hotmail.com\SharingMetadata\Working\database_D690_37CD_9037_B2BB\tmp.edb Object is locked skipped
C:\Documents and Settings\Tuyen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Tuyen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Tuyen\Local Settings\Application Data\Microsoft\Windows Live Contacts\ieyasu_nat@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Tuyen\Local Settings\Application Data\Microsoft\Windows Live Contacts\ieyasu_nat@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Tuyen\Local Settings\Application Data\Mozilla\Firefox\Profiles\o2mygelh.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Tuyen\Local Settings\Application Data\Mozilla\Firefox\Profiles\o2mygelh.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Tuyen\Local Settings\Application Data\Mozilla\Firefox\Profiles\o2mygelh.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Tuyen\Local Settings\Application Data\Mozilla\Firefox\Profiles\o2mygelh.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Tuyen\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tuyen\Local Settings\Temp\Perflib_Perfdata_898.dat Object is locked skipped
C:\Documents and Settings\Tuyen\Local Settings\Temp\~DF8423.tmp Object is locked skipped
C:\Documents and Settings\Tuyen\Local Settings\Temp\~DF8435.tmp Object is locked skipped
C:\Documents and Settings\Tuyen\Local Settings\Temp\~DF9257.tmp Object is locked skipped
C:\Documents and Settings\Tuyen\Local Settings\Temp\~DF9273.tmp Object is locked skipped
C:\Documents and Settings\Tuyen\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tuyen\My Documents\MY CHAT LOGS\February 2008\chronohunter@hotmail.com.html Object is locked skipped
C:\Documents and Settings\Tuyen\My Documents\MY CHAT LOGS\February 2008\crimson_storm_@hotmail.com.html Object is locked skipped
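
The headline "Number of infected objects 114" in this report (and its continuation in the next post) overstates what is still active: most hits are "Object is locked skipped" lines that are not detections at all, copies already sitting in ComboFix's C:\QooBox quarantine, System Restore snapshots under _restore{...}, or files packed inside downloaded archives. The script below is an added example for this thread (not Kaspersky's or the forum's code) that parses result lines copied from the report and sorts them into those classes so the few live files stand out. The location classes are assumptions that mirror how the helpers here read such reports.

```python
"""Triage of Kaspersky Online Scanner result lines: separate detections from
noise and group them by where the object lives.

Added example for this thread, not code from Kaspersky or the posters. Sample
lines are copied from the report posted above and its continuation; the
location classes are assumptions.
"""
import re
from collections import Counter
from typing import List, Optional, Tuple

REPORT_LINES = r"""
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\back\download\crax\Download_Accelerator_(DAP)_v7[1].2.zip/DAP.zip/DAP.exe Infected: not-a-virus:AdWare.Win32.Dap.a skipped
C:\Documents and Settings\Tuyen\Desktop\ipod\data\back\download\crax\Download_Accelerator_(DAP)_v7[1].2.zip ZIP: infected - 2 skipped
C:\Documents and Settings\Tuyen\My Documents\My Received Files\hijackthis.log Suspicious: Exploit.HTML.Mht skipped
C:\download\mozilla\wintask.5.012.05.pro.patch.rock.zip/run.exe Infected: Trojan-Downloader.Win32.Zlob.bon skipped
C:\download\WarezP2P.exe Infected: not-a-virus:Downloader.Win32.Agent.h skipped
C:\Program Files\Dot1XCfg\Dot1XCfg.exe Infected: Trojan-Downloader.Win32.Adload.pr skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ahxpljgr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.edw skipped
C:\System Volume Information\_restore{66D3C8C5-8A2E-46C4-B508-1F04E6B940C6}\RP3\A0000014.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.edw skipped
"""

# One result line: <path> <verdict> <last action>; the path may contain spaces,
# so it is matched lazily up to a verdict the scanner actually emits.
LINE_RE = re.compile(
    r'^(?P<path>.+?) '
    r'(?:(?P<locked>Object is locked)'
    r'|Infected: (?P<infected>\S+)'
    r'|Suspicious: (?P<suspicious>\S+)'
    r'|(?P<ctype>\S+): infected - (?P<count>\d+))'
    r' skipped$'
)


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (path, kind, detection) for a result line, or None for headers and blanks."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    if m.group("locked"):
        return m.group("path"), "locked", ""          # in use, not scanned: not a detection
    if m.group("infected"):
        return m.group("path"), "infected", m.group("infected")
    if m.group("suspicious"):
        return m.group("path"), "suspicious", m.group("suspicious")
    # Container summary line: counts hits already listed as nested objects.
    return m.group("path"), "container", f"{m.group('ctype')} holding {m.group('count')} hit(s)"


def classify_location(path: str) -> str:
    """Assumed classes: what a helper would treat as already handled versus still live."""
    p = path.lower()
    if p.startswith("c:\\qoobox\\quarantine\\"):
        return "quarantine"        # neutralised copy kept by ComboFix
    if "\\system volume information\\_restore" in p:
        return "restore point"     # only revived by a System Restore rollback
    if "/" in path:
        return "inside archive"    # Kaspersky separates nested objects with '/'
    return "on disk"


def summarize(text: str) -> Counter:
    """Count result lines by (kind, location)."""
    counts: Counter = Counter()
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed:
            path, kind, _ = parsed
            counts[(kind, classify_location(path))] += 1
    return counts


def live_threats(text: str) -> List[Tuple[str, str, str]]:
    """Detections on files that are not quarantined, in a restore point, or packed in an archive."""
    hits = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] in ("infected", "suspicious") and classify_location(parsed[0]) == "on disk":
            hits.append(parsed)
    hits.sort(key=lambda h: h[1] != "infected")  # definite detections before heuristic ones
    return hits


if __name__ == "__main__":
    for (kind, where), n in sorted(summarize(REPORT_LINES).items()):
        print(f"{n:3d}  {kind:<10} {where}")
    print("\nStill live on disk:")
    for path, kind, detection in live_threats(REPORT_LINES):
        print(f"  {kind:<10} {detection:<45} {path}")
```

On the nine sample lines only three hits survive the filter: the two downloaded executables and C:\Program Files\Dot1XCfg\Dot1XCfg.exe, which is the one running from a program directory rather than a download folder; the Exploit.HTML.Mht hit on a saved hijackthis.log is a heuristic verdict on a text file and sorts last. Everything in QooBox and the restore points is handled by purging quarantine and System Restore once the machine is clean, which is the usual final step in these threads.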

ieyasu
2008-02-02, 14:38
C:\Documents and Settings\Tuyen\My Documents\MY CHAT LOGS\February 2008\leyene@hotmail.com.html Object is locked skipped
C:\Documents and Settings\Tuyen\My Documents\My Received Files\hijackthis.log Suspicious: Exploit.HTML.Mht skipped
C:\Documents and Settings\Tuyen\My Documents\My Received Files\hijackthis2 Suspicious: Exploit.HTML.Mht skipped
C:\Documents and Settings\Tuyen\My Documents\My Received Files\hijackthis3 Suspicious: Exploit.HTML.Mht skipped
C:\Documents and Settings\Tuyen\My Documents\My Received Files\hijackthis4 Suspicious: Exploit.HTML.Mht skipped
C:\Documents and Settings\Tuyen\My Documents\My Received Files\lcapi0.log Object is locked skipped
C:\Documents and Settings\Tuyen\My Documents\My Received Files\MsnMsgr.txt Object is locked skipped
C:\Documents and Settings\Tuyen\My Documents\My Received Files\Transport0.log Object is locked skipped
C:\Documents and Settings\Tuyen\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Tuyen\ntuser.dat.LOG Object is locked skipped
C:\download\mozilla\GetDataBack.for.FAT.v3.03(2).zip/installer.exe/data0002 Infected: Trojan.Win32.VB.ami skipped
C:\download\mozilla\GetDataBack.for.FAT.v3.03(2).zip/installer.exe Infected: Trojan.Win32.VB.ami skipped
C:\download\mozilla\GetDataBack.for.FAT.v3.03(2).zip ZIP: infected - 2 skipped
C:\download\mozilla\kf151.zip/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\download\mozilla\kf151.zip/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\download\mozilla\kf151.zip/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\download\mozilla\kf151.zip ZIP: infected - 3 skipped
C:\download\mozilla\wintask.5.012.05.pro.patch.rock.zip/run.exe Infected: Trojan-Downloader.Win32.Zlob.bon skipped
C:\download\mozilla\wintask.5.012.05.pro.patch.rock.zip ZIP: infected - 1 skipped
C:\download\riskSetup.exe/data0000.bin/data0008 Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\download\riskSetup.exe/data0000.bin Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\download\riskSetup.exe EmbeddedEXE: infected - 2 skipped
C:\download\WarezP2P.exe Infected: not-a-virus:Downloader.Win32.Agent.h skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\Dot1XCfg\Dot1XCfg.exe Infected: Trojan-Downloader.Win32.Adload.pr skipped
C:\QooBox\Quarantine\C\Program Files\Router\Router.exe.vir Infected: Trojan-Downloader.Win32.Agent.gdi skipped
C:\QooBox\Quarantine\C\Program Files\Router\UnInstall.exe.vir Infected: Trojan-Downloader.Win32.Delf.dlk skipped
C:\QooBox\Quarantine\C\Program Files\Temporary\kernInst.exe.vir Infected: Trojan.Win32.Agent.edq skipped
C:\QooBox\Quarantine\C\WINDOWS\b122.exe.vir Infected: Trojan-Downloader.Win32.Agent.hvj skipped
C:\QooBox\Quarantine\C\WINDOWS\b151.exe.vir Infected: Trojan-Downloader.Win32.Agent.fjn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ahxpljgr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.edw skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\efcawvw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cnq skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pweiusam.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qomlijg.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cnq skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\spennexp.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dnp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wjgrcwvg.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dnp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\yayyaaa.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.cnq skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ypnvjnch.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dnp skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{66D3C8C5-8A2E-46C4-B508-1F04E6B940C6}\RP3\A0000012.exe Infected: Trojan-Downloader.Win32.Agent.hvj skipped
C:\System Volume Information\_restore{66D3C8C5-8A2E-46C4-B508-1F04E6B940C6}\RP3\A0000013.exe Infected: Trojan-Downloader.Win32.Agent.fjn skipped
C:\System Volume Information\_restore{66D3C8C5-8A2E-46C4-B508-1F04E6B940C6}\RP3\A0000014.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.edw skipped
C:\System Volume Information\_restore{66D3C8C5-8A2E-46C4-B508-1F04E6B940C6}\RP3\A0000016.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cnq skipped
C:\System Volume Information\_restore{66D3C8C5-8A2E-46C4-B508-1F04E6B940C6}\RP3\A0000024.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\System Volume Information\_restore{66D3C8C5-8A2E-46C4-B508-1F04E6B940C6}\RP3\A0000025.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cnq skipped
C:\System Volume Information\_restore{66D3C8C5-8A2E-46C4-B508-1F04E6B940C6}\RP3\A0000026.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnp skipped
C:\System Volume Information\_restore{66D3C8C5-8A2E-46C4-B508-1F04E6B940C6}\RP3\A0000028.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnp skipped
C:\System Volume Information\_restore{66D3C8C5-8A2E-46C4-B508-1F04E6B940C6}\RP3\A0000029.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.cnq skipped
C:\System Volume Information\_restore{66D3C8C5-8A2E-46C4-B508-1F04E6B940C6}\RP3\A0000032.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnp skipped
C:\System Volume Information\_restore{66D3C8C5-8A2E-46C4-B508-1F04E6B940C6}\RP3\A0000049.exe Infected: Trojan-Downloader.Win32.Agent.gdi skipped
C:\System Volume Information\_restore{66D3C8C5-8A2E-46C4-B508-1F04E6B940C6}\RP3\A0000050.exe Infected: Trojan-Downloader.Win32.Delf.dlk skipped
C:\System Volume Information\_restore{66D3C8C5-8A2E-46C4-B508-1F04E6B940C6}\RP3\A0000051.exe Infected: Trojan.Win32.Agent.edq skipped
C:\System Volume Information\_restore{66D3C8C5-8A2E-46C4-B508-1F04E6B940C6}\RP4\change.log Object is locked skipped
C:\tools\NDS\NDeSmuME\data\back\Documents and Settings\Administrator\Desktop\desktop\New Folder\backups\backup-20050428-180908-633.dll Infected: not-a-virus:AdWare.Win32.HyperBar.b skipped
C:\tools\NDS\NDeSmuME\data\back\Documents and Settings\Administrator\Desktop\desktop\New Folder\WinXP keyChanger.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\tools\NDS\NDeSmuME\data\back\Documents and Settings\Administrator\Desktop\desktop\New Folder\WinXP keyChanger.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\tools\NDS\NDeSmuME\data\back\Documents and Settings\Administrator\Desktop\desktop\New Folder\WinXP keyChanger.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\tools\NDS\NDeSmuME\data\back\Documents and Settings\Administrator\Desktop\desktop\New Folder\WinXP keyChanger.exe RarSFX: infected - 3 skipped
C:\tools\NDS\NDeSmuME\data\back\Documents and Settings\Administrator\My Documents\My Received Files\hijackthis.log Suspicious: Exploit.HTML.Mht skipped
C:\tools\NDS\NDeSmuME\data\back\Documents and Settings\Administrator\My Documents\My Received Files\hijackthis2 Suspicious: Exploit.HTML.Mht skipped
C:\tools\NDS\NDeSmuME\data\back\Documents and Settings\Administrator\My Documents\My Received Files\hijackthis3 Suspicious: Exploit.HTML.Mht skipped
C:\tools\NDS\NDeSmuME\data\back\Documents and Settings\Administrator\My Documents\My Received Files\hijackthis4 Suspicious: Exploit.HTML.Mht skipped
C:\tools\NDS\NDeSmuME\data\back\download\crax\Download_Accelerator_(DAP)_v7[1].2.zip/DAP.zip/DAP.exe Infected: not-a-virus:AdWare.Win32.Dap.a skipped
C:\tools\NDS\NDeSmuME\data\back\download\crax\Download_Accelerator_(DAP)_v7[1].2.zip/DAP.zip Infected: not-a-virus:AdWare.Win32.Dap.a skipped
C:\tools\NDS\NDeSmuME\data\back\download\crax\Download_Accelerator_(DAP)_v7[1].2.zip ZIP: infected - 2 skipped
C:\tools\NDS\NDeSmuME\data\back\download\crax\Download_Accelerator_Plus_(DAP)_v7[1].2.0.0_by_Conless.zip/DAP.exe Infected: not-a-virus:AdWare.Win32.Dap.a skipped
C:\tools\NDS\NDeSmuME\data\back\download\crax\Download_Accelerator_Plus_(DAP)_v7[1].2.0.0_by_Conless.zip ZIP: infected - 1 skipped
C:\tools\NDS\NDeSmuME\data\back\download\crax\Download_Accelerator_Plus_(DAP)_v7[1].2.zip/DAP.exe Infected: not-a-virus:AdWare.Win32.Dap.a skipped
C:\tools\NDS\NDeSmuME\data\back\download\crax\Download_Accelerator_Plus_(DAP)_v7[1].2.zip ZIP: infected - 1 skipped
C:\tools\NDS\NDeSmuME\data\back\download\crax\Microsoft_Windows_XP_Service_Pack_2.zip/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\tools\NDS\NDeSmuME\data\back\download\crax\Microsoft_Windows_XP_Service_Pack_2.zip/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\tools\NDS\NDeSmuME\data\back\download\crax\Microsoft_Windows_XP_Service_Pack_2.zip/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\tools\NDS\NDeSmuME\data\back\download\crax\Microsoft_Windows_XP_Service_Pack_2.zip ZIP: infected - 3 skipped
C:\tools\NDS\NDeSmuME\data\back\download\crax\Windows_XP_Service_Pack_2_by_Unknown.zip/WinXP keyChanger.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\tools\NDS\NDeSmuME\data\back\download\crax\Windows_XP_Service_Pack_2_by_Unknown.zip/WinXP keyChanger.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\tools\NDS\NDeSmuME\data\back\download\crax\Windows_XP_Service_Pack_2_by_Unknown.zip/WinXP keyChanger.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\tools\NDS\NDeSmuME\data\back\download\crax\Windows_XP_Service_Pack_2_by_Unknown.zip/WinXP keyChanger.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\tools\NDS\NDeSmuME\data\back\download\crax\Windows_XP_Service_Pack_2_by_Unknown.zip ZIP: infected - 4 skipped
C:\tools\NDS\NDeSmuME\data\download\crax\Download_Accelerator_(DAP)_v7[1].2.zip/DAP.zip/DAP.exe Infected: not-a-virus:AdWare.Win32.Dap.a skipped
C:\tools\NDS\NDeSmuME\data\download\crax\Download_Accelerator_(DAP)_v7[1].2.zip/DAP.zip Infected: not-a-virus:AdWare.Win32.Dap.a skipped
C:\tools\NDS\NDeSmuME\data\download\crax\Download_Accelerator_(DAP)_v7[1].2.zip ZIP: infected - 2 skipped
C:\tools\NDS\NDeSmuME\data\download\crax\Download_Accelerator_Plus_(DAP)_v7[1].2.0.0_by_Conless.zip/DAP.exe Infected: not-a-virus:AdWare.Win32.Dap.a skipped
C:\tools\NDS\NDeSmuME\data\download\crax\Download_Accelerator_Plus_(DAP)_v7[1].2.0.0_by_Conless.zip ZIP: infected - 1 skipped
C:\tools\NDS\NDeSmuME\data\download\crax\Download_Accelerator_Plus_(DAP)_v7[1].2.zip/DAP.exe Infected: not-a-virus:AdWare.Win32.Dap.a skipped
C:\tools\NDS\NDeSmuME\data\download\crax\Download_Accelerator_Plus_(DAP)_v7[1].2.zip ZIP: infected - 1 skipped
C:\tools\NDS\NDeSmuME\data\download\crax\Microsoft_Windows_XP_Service_Pack_2.zip/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\tools\NDS\NDeSmuME\data\download\crax\Microsoft_Windows_XP_Service_Pack_2.zip/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\tools\NDS\NDeSmuME\data\download\crax\Microsoft_Windows_XP_Service_Pack_2.zip/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\tools\NDS\NDeSmuME\data\download\crax\Microsoft_Windows_XP_Service_Pack_2.zip ZIP: infected - 3 skipped
C:\tools\NDS\NDeSmuME\data\download\crax\Windows_XP_Service_Pack_2_by_Unknown.zip/WinXP keyChanger.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\tools\NDS\NDeSmuME\data\download\crax\Windows_XP_Service_Pack_2_by_Unknown.zip/WinXP keyChanger.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\tools\NDS\NDeSmuME\data\download\crax\Windows_XP_Service_Pack_2_by_Unknown.zip/WinXP keyChanger.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\tools\NDS\NDeSmuME\data\download\crax\Windows_XP_Service_Pack_2_by_Unknown.zip/WinXP keyChanger.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\tools\NDS\NDeSmuME\data\download\crax\Windows_XP_Service_Pack_2_by_Unknown.zip ZIP: infected - 4 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Agere Systems PCI Soft Modem.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_628.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.

ieyasu
2008-02-02, 14:41
Oh joy! After some fooling around, IE works again... ^_^

PS: sorry about the late reply, work is giving me some crazy hours =(

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:37:13 AM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\SSC Service Utility\ssc_serv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TuneUp Utilities 2006\MemOptimizer.exe
C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Trend Micro\HijackThis\ieyasu.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dhost.info/dwnatt
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSC Service Utility] C:\Program Files\SSC Service Utility\ssc_serv.exe /s
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2006\MemOptimizer.exe" autostart
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://dwnatt.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195259047046
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201138216640
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://dwnatt.spaces.live.com/PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D69AADB-177C-4A49-89D7-1A8A0891C57C}: NameServer = 203.194.56.150 203.194.27.57
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9865 bytes

Shaba
2008-02-02, 14:49
Hi

Delete these:

C:\Documents and Settings\Tuyen\Desktop\ipod\data\back\download\crax
C:\tools\NDS\NDeSmuME\data\download\crax
C:\download\mozilla\GetDataBack.for.FAT.v3.03(2).zip
C:\download\mozilla\wintask.5.012.05.pro.patch.rock.zip
C:\download\riskSetup.exe
C:\Program Files\Dot1XCfg\

Empty this folder:

C:\QooBox\Quarantine\

Empty Recycle Bin.

Re-scan with Kaspersky.

Post:

- a fresh HijackThis log
- Kaspersky report

ieyasu
2008-02-05, 15:55
Much appreciated and many thanks for your help so far, Shaba. I apologize for the late replies; I have a few matters I need to attend to... so far I have had no time to do these scans yet... but I will get back to this thread within the next week...

So mods... please don't archive this yet!

Many thanks again Shaba and sorry to make you wait =]

Shaba
2008-02-05, 15:58
Hi

No worries, I will keep this topic open :)