I think I may have dropped something...

roadscum
2008-02-10, 21:27
My machine keeps downloading trojans (see logs below). Not being too clever myself, I've tried to fix things by disabling or deleting any suspicious-looking registry changes, mostly using the System Internals and startup tools in Spybot. I recently installed software for a Creative Zen MP3 player. The software didn't work too well and kept locking up, so I uninstalled it. Then I noticed that the HP print screen utility that came with my printer no longer worked. I ended up uninstalling the printer and now can't get it to reinstall; the installation gets so far and then locks up. I was on the point of having a go at reinstalling XP and starting again from scratch when I decided to try something I'd never considered before: being sensible and asking for advice from someone who knows what they're doing.
Kaspersky scan results, HijackThis log and avast antivirus log excerpt are copied below. Any idea what's up, anyone?

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, February 10, 2008 7:29:18 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/02/2008
Kaspersky Anti-Virus database records: 556064
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
I:\

Scan Statistics:
Total number of scanned objects: 77772
Number of viruses found: 1
Number of infected objects: 9
Number of suspicious objects: 0
Duration of the scan process: 02:16:21

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Zaj\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Zaj\Desktop\firewall log.log Object is locked skipped
C:\Documents and Settings\Zaj\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Zaj\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Zaj\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Zaj\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Zaj\My Documents\Zaj Downers\Downed progs\BTstuff\BTYahoo!HelpInstall.exe/WISE0011.BIN Infected: not-a-virus:RiskTool.Win32.PsKill.1101 skipped
C:\Documents and Settings\Zaj\My Documents\Zaj Downers\Downed progs\BTstuff\BTYahoo!HelpInstall.exe WiseSFX: infected - 1 skipped
C:\Documents and Settings\Zaj\My Documents\Zaj Downers\Downed progs\BTstuff\BTYahoo!HelpInstall.exe WiseSFXDropper: infected - 1 skipped
C:\Documents and Settings\Zaj\ntuser.dat Object is locked skipped
C:\Documents and Settings\Zaj\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1196\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{3A2B82C5-FC4B-4DF8-8451-B468D758F7A7}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Antivirus.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_5c0.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
I:\RECYCLER\S-1-5-21-3015630041-2067563744-1589590767-1006\Di1\BTstuff\BTYahoo!HelpInstall.exe/WISE0011.BIN Infected: not-a-virus:RiskTool.Win32.PsKill.1101 skipped
I:\RECYCLER\S-1-5-21-3015630041-2067563744-1589590767-1006\Di1\BTstuff\BTYahoo!HelpInstall.exe WiseSFX: infected - 1 skipped
I:\RECYCLER\S-1-5-21-3015630041-2067563744-1589590767-1006\Di1\BTstuff\BTYahoo!HelpInstall.exe WiseSFXDropper: infected - 1 skipped
I:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
I:\Zaj Downers\Downed progs\BTstuff\BTYahoo!HelpInstall.exe/WISE0011.BIN Infected: not-a-virus:RiskTool.Win32.PsKill.1101 skipped
I:\Zaj Downers\Downed progs\BTstuff\BTYahoo!HelpInstall.exe WiseSFX: infected - 1 skipped
I:\Zaj Downers\Downed progs\BTstuff\BTYahoo!HelpInstall.exe WiseSFXDropper: infected - 1 skipped

Scan process completed.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:13:15, on 10/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: symsupportutil - https://www-secure.symantec.com/region/reg_eu/techsupp/activedata/symsupportutil.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1202656271406
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} - https://rtc3.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - https://www-secure.symantec.com/region/reg_eu/techsupp/activedata/ActiveData.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/SU1.5/ocx/15034/CTPID.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7360 bytes

Excerpt of avast log:

10/02/2008 15:57:29 Zaj 1468 Sign of "Win32:Nimosw-E [Trj]" has been found in "C:\WINDOWS\ntbtlog.txt" file.
10/02/2008 15:57:22 Zaj 1468 Sign of "Win32:Nimosw-E [Trj]" has been found in "C:\Documents and Settings\Zaj\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat" file.
10/02/2008 15:57:20 Zaj 1468 Sign of "Win32:Nimosw-E [Trj]" has been found in "C:\Documents and Settings\Zaj\Local Settings\Temporary Internet Files\Content.IE5\T39EUPDW\muweb_site[1].cab" file.
10/02/2008 15:57:01 Zaj 1468 Sign of "Win32:Nimosw [Trj]" has been found in "C:\Documents and Settings\Zaj\Local Settings\Temporary Internet Files\Content.IE5\V9KH2G4P\E-wtrmrkHome[1].gif" file.
09/02/2008 17:36:43 SYSTEM 1480 An error has occured while attempting to update. Please check the logs.
09/02/2008 17:36:42 SYSTEM 1480 Function setifaceUpdatePackages() has failed. Return code is 0x00000426, dwRes is 000004C8.
05/02/2008 21:30:35 SYSTEM 1492 Sign of "Win32:Nimosw [Trj]" has been found in "C:\Documents and Settings\Zaj\Local Settings\Application Data\Mozilla\Firefox\Profiles\m6cyjm8y.default\cache\F895C87Ed01" file.
05/02/2008 21:30:34 SYSTEM 1492 Sign of "Win32:Nimosw-E [Trj]" has been found in "C:\Documents and Settings\Zaj\Local Settings\Application Data\Mozilla\Firefox\Profiles\m6cyjm8y.default\cache\F4E39761d01" file.
05/02/2008 21:30:32 SYSTEM 1492 Sign of "Win32:Nimosw [Trj]" has been found in "C:\Documents and Settings\Zaj\Local Settings\Application Data\Mozilla\Firefox\Profiles\m6cyjm8y.default\cache\F1EEE761d01" file.
05/02/2008 21:30:30 SYSTEM 1492 Sign of "Win32:Nimosw [Trj]" has been found in "C:\Documents and Settings\Zaj\Local Settings\Application Data\Mozilla\Firefox\Profiles\m6cyjm8y.default\cache\D57D08CAd01" file.
05/02/2008 21:30:29 SYSTEM 1492 Sign of "Win32:Nimosw-E [Trj]" has been found in "C:\Documents and Settings\Zaj\Local Settings\Application Data\Mozilla\Firefox\Profiles\m6cyjm8y.default\cache\D2CF5CF4d01" file.
05/02/2008 21:30:26 SYSTEM 1492 Sign of "Win32:Nimosw-E [Trj]" has been found in "C:\Documents and Settings\Zaj\Local Settings\Application Data\Mozilla\Firefox\Profiles\m6cyjm8y.default\cache\9B1E2BDBd01" file.
05/02/2008 21:30:24 SYSTEM 1492 Sign of "Win32:Nimosw-E [Trj]" has been found in "C:\Documents and Settings\Zaj\Local Settings\Application Data\Mozilla\Firefox\Profiles\m6cyjm8y.default\cache\9A13EBE4d01" file.
05/02/2008 21:30:22 SYSTEM 1492 Sign of "Win32:Nimosw-E [Trj]" has been found in "C:\Documents and Settings\Zaj\Local Settings\Application Data\Mozilla\Firefox\Profiles\m6cyjm8y.default\cache\84527941d01" file.
05/02/2008 21:30:21 SYSTEM 1492 Sign of "Win32:Nimosw [Trj]" has been found in "C:\Documents and Settings\Zaj\Local Settings\Application Data\Mozilla\Firefox\Profiles\m6cyjm8y.default\cache\782C53D6d01" file.
05/02/2008 21:30:19 SYSTEM 1492 Sign of "Win32:Nimosw-E [Trj]" has been found in "C:\Documents and Settings\Zaj\Local Settings\Application Data\Mozilla\Firefox\Profiles\m6cyjm8y.default\cache\75E6A25Ad01" file.
05/02/2008 21:30:18 SYSTEM 1492 Sign of "Win32:Nimosw-E [Trj]" has been found in "C:\Documents and Settings\Zaj\Local Settings\Application Data\Mozilla\Firefox\Profiles\m6cyjm8y.default\cache\6E14ECAEd01" file.
05/02/2008 21:30:15 SYSTEM 1492 Sign of "Win32:Nimosw-E [Trj]" has been found in "C:\Documents and Settings\Zaj\Local Settings\Application Data\Mozilla\Firefox\Profiles\m6cyjm8y.default\cache\4930513Dd01" file.
05/02/2008 21:30:02 SYSTEM 1492 Sign of "Win32:Nimosw-E [Trj]" has been found in "C:\Documents and Settings\Zaj\Local Settings\Application Data\Mozilla\Firefox\Profiles\m6cyjm8y.default\cache\37498624d01" file.
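A small triage helper for the avast log format quoted above (an added example, not code from the thread or from avast): it parses the "Sign of ... has been found" lines, ignores the update-error lines, and groups hits by detection name and by whether the flagged file sits in a browser cache or under the Windows directory, which is the first thing a responder checks before deciding whether anything is actually executing. The sample lines are constructed to follow the post's format, and the cache-path markers are a heuristic of my own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the avast 4 log format quoted in the post:
# dd/mm/yyyy hh:mm:ss <user> <pid> Sign of "<name>" has been found in "<path>" file.
SAMPLE_LOG = """\
10/02/2008 15:57:29 Zaj 1468 Sign of "Win32:Nimosw-E [Trj]" has been found in "C:\\WINDOWS\\ntbtlog.txt" file.
10/02/2008 15:57:20 Zaj 1468 Sign of "Win32:Nimosw-E [Trj]" has been found in "C:\\Documents and Settings\\Zaj\\Local Settings\\Temporary Internet Files\\Content.IE5\\T39EUPDW\\muweb_site[1].cab" file.
09/02/2008 17:36:43 SYSTEM 1480 An error has occured while attempting to update. Please check the logs.
05/02/2008 21:30:35 SYSTEM 1492 Sign of "Win32:Nimosw [Trj]" has been found in "C:\\Documents and Settings\\Zaj\\Local Settings\\Application Data\\Mozilla\\Firefox\\Profiles\\m6cyjm8y.default\\cache\\F895C87Ed01" file.
"""

DETECTION_RE = re.compile(
    r'^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<user>\S+) (?P<pid>\d+) '
    r'Sign of "(?P<name>[^"]+)" has been found in "(?P<path>[^"]+)" file\.$'
)

# Heuristic path fragments (my assumption) marking browser/temp caches. A hit there is
# downloaded content caught on disk, a weaker signal than a hit on an executable in use.
CACHE_MARKERS = (
    "\\temporary internet files\\",
    "\\mozilla\\firefox\\profiles\\",  # Firefox keeps its cache under the profile
    "\\local settings\\temp\\",
)

def parse_detections(text):
    """Parse every 'Sign of ... has been found' line; update/error lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits

def classify_path(path):
    """Coarse location class used to decide what to look at first."""
    low = path.lower()
    if any(marker in low for marker in CACHE_MARKERS):
        return "browser-cache"
    if low.startswith("c:\\windows\\"):
        return "system-dir"
    return "other"

def triage(text):
    """Summarise detections by family and by location class."""
    hits = parse_detections(text)
    by_location = defaultdict(list)
    for h in hits:
        by_location[classify_path(h["path"])].append(h["path"])
    return {
        "total": len(hits),
        "families": dict(Counter(h["name"] for h in hits)),
        "locations": dict(by_location),
    }
```

Run `triage()` over the full pasted excerpt to see how many hits are cache files versus anything under the Windows directory; only the latter deserve a look at what wrote them.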