PDA

View Full Version : Win32/NSAnti, am i clean???



t33ss
2008-02-25, 18:51
Hai,

My com have recently been infected by the win32/NSAnti. AVG 7.5 notifies me about the virus everytime i clicked on my hard-disk drive (C:). I have tried to move the virus to the vault but still the problem persists. I can't show my hidden files and folders.

Recently, i think i have managed to kill the virus by reading on the thread "http://forums.spybot.info/showthread.php?t=22288". I've tried using combofix as said on the thread & i haven got the virus notification from AVG since & my hidden files worked. But upon further reading, i found that the virus may still be in the com even after using combofix. So i'll be glad if someone can help me to check if i've gotten rid of the virus completely. Thks!!!

Here is my logfile from Hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:49:00 AM, on 2/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKLM\..\Policies\Explorer\Run: [status] present
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6EC98949-ABC3-40FF-B8A8-A043DFDF727E}: NameServer = 192.168.1.1
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8507 bytes

Shaba
2008-02-26, 17:30
Hi t33ss

Please post combofix report next, it's here:

C:\ComboFix.txt

t33ss
2008-02-26, 18:44
ok, here it is.

Shaba
2008-02-26, 19:47
Hi

For the future, please don't attach logs but copy/paste them to your reply.

Open notepad and copy/paste the text in the quotebox below into it:


Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{066e8cc6-39e9-11dc-8fc1-001617428474}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{63f36c7a-3abe-11db-b146-001617428474}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cadbfaf8-46f6-11db-8c91-001617428474}]


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

t33ss
2008-02-27, 16:48
Hai,


For the future, please don't attach logs but copy/paste them to your reply.

Sorry about that. :D:

Here is the log from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:40:09 PM, on 2/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKLM\..\Policies\Explorer\Run: [status] present
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6EC98949-ABC3-40FF-B8A8-A043DFDF727E}: NameServer = 192.168.1.1
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8651 bytes

t33ss
2008-02-27, 16:51
I've separated both logs.

Here's the log from combofix:

ComboFix 08-02-25.3 - Siang 2008-02-27 16:37:03.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1018 [GMT 8:00]
Running from: C:\Documents and Settings\Siang\Desktop\Torrent File\ComboFix.exe
Command switches used :: C:\Documents and Settings\Siang\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
The following files were disabled during the run:
C:\Program Files\TuneUp Utilities 2006\WinStylerThemeHelper.dll


((((((((((((((((((((((((( Files Created from 2008-01-27 to 2008-02-27 )))))))))))))))))))))))))))))))
.

2008-02-27 16:36 . 2008-02-27 16:36 210 --a------ C:\dirname00
2008-02-27 13:01 . 2008-02-27 13:01 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-27 13:01 . 2008-02-27 13:01 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-25 22:59 . 2008-02-25 22:59 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-23 01:17 . 2008-02-23 02:17 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-02-23 01:17 . 2008-02-23 01:17 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-02-23 01:17 . 2008-02-23 01:17 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-23 01:17 . 2008-02-23 01:17 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-23 00:37 . 2008-02-23 00:37 <DIR> d-------- C:\_OTMoveIt
2008-02-22 23:45 . 2008-02-22 23:45 <DIR> d--hs---- C:\found.000
2008-02-21 23:37 . 2008-02-25 22:48 114,106 -r-hs---- C:\h2.com
2008-02-16 22:30 . 2002-10-21 14:31 1,013,760 --a------ C:\WINDOWS\system32\Ltwvc13n.dll
2008-02-16 22:30 . 2002-10-21 14:01 446,464 --a------ C:\WINDOWS\system32\ltimg13n.dll
2008-02-16 22:30 . 2002-10-24 16:08 443,392 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2008-02-16 22:30 . 2002-10-22 12:53 393,216 --a------ C:\WINDOWS\system32\LFCMP13n.DLL
2008-02-16 22:30 . 2002-10-21 13:53 265,728 --a------ C:\WINDOWS\system32\LTDIS13n.dll
2008-02-16 22:30 . 2002-10-21 14:01 205,824 --a------ C:\WINDOWS\system32\ltefx13n.dll
2008-02-16 22:30 . 2002-10-21 14:39 181,248 --a------ C:\WINDOWS\system32\Lfpng13n.dll
2008-02-16 22:30 . 2002-10-21 14:00 139,776 --a------ C:\WINDOWS\system32\ltfil13n.DLL
2008-02-16 22:30 . 2002-10-21 14:03 35,328 --a------ C:\WINDOWS\system32\lfgif13n.dll
2008-02-16 22:30 . 2002-10-21 14:02 30,208 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2008-02-16 17:28 . 2008-02-16 17:29 <DIR> d-------- C:\Program Files\Common Files\Macromedia
2008-02-16 02:38 . 2007-01-29 23:59 6,482,944 --a------ C:\Documents and Settings\Siang\ffmpeg.exe
2008-02-14 23:50 . 2008-02-14 23:50 <DIR> d--h----- C:\WINDOWS\PIF
2008-02-03 02:03 . 2008-02-03 02:03 <DIR> d-------- C:\Program Files\Guitar Pro 5

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-27 08:39 26,957,856 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-02-27 08:36 --------- d-----w C:\Program Files\TuneUp Utilities 2006
2008-02-27 08:30 1,581,056 ----a-w C:\WINDOWS\Internet Logs\xDB14.tmp
2008-02-27 06:32 318,836 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-02-27 04:59 --------- d-----w C:\Documents and Settings\Siang\Application Data\AVG7
2008-02-25 16:16 14,909,464 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-02-22 18:06 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-22 09:47 3,675,136 ----a-w C:\WINDOWS\Internet Logs\xDB13.tmp
2008-02-20 04:45 3,663,360 ----a-w C:\WINDOWS\Internet Logs\xDB12.tmp
2008-02-20 04:42 3,663,360 ----a-w C:\WINDOWS\Internet Logs\xDB11.tmp
2008-02-18 03:06 3,657,728 ----a-w C:\WINDOWS\Internet Logs\xDB10.tmp
2008-02-17 11:35 --------- d-----w C:\Program Files\Steam
2008-02-17 11:30 3,656,704 ----a-w C:\WINDOWS\Internet Logs\xDBF.tmp
2008-02-16 09:28 --------- d-----w C:\Program Files\Macromedia
2008-02-16 08:20 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-14 18:46 --------- d-----w C:\Documents and Settings\Siang\Application Data\Bioshock
2008-02-14 18:18 3,619,840 ----a-w C:\WINDOWS\Internet Logs\xDBE.tmp
2008-02-02 05:09 --------- d-----w C:\Documents and Settings\Siang\Application Data\gtk-2.0
2008-02-01 18:49 --------- d-----w C:\Program Files\Winamp
2008-01-30 04:35 3,604,480 ----a-w C:\WINDOWS\Internet Logs\xDBD.tmp
2008-01-29 15:16 3,603,456 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-01-29 09:42 3,603,456 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-01-29 09:42 2,638,336 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2008-01-29 09:40 3,603,456 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-01-25 03:53 3,596,288 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-01-23 06:27 --------- d-----w C:\Documents and Settings\Siang\Application Data\MP3Rocket
2008-01-20 18:32 --------- d-----w C:\Program Files\Common Files\SolidWorks Shared
2008-01-20 18:32 --------- d-----w C:\Program Files\Common Files\eDrawings2008
2008-01-17 05:44 3,572,224 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-01-16 15:43 3,566,592 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-01-16 08:28 3,565,568 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-01-07 16:16 --------- d-----w C:\Program Files\Lemonade Tycoon 2
2008-01-07 16:10 --------- d-----w C:\Program Files\ReflexiveArcade
2008-01-07 16:04 --------- d-----w C:\Program Files\Zone.com Deluxe Games
2008-01-07 14:06 3,531,264 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-01-06 17:10 --------- d-----w C:\Program Files\GIMP-2.0
2008-01-04 05:52 3,515,392 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-01-03 16:00 1,006,592 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2007-12-30 06:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-29 06:13 --------- d-----w C:\Program Files\SWiSH Max2
2007-12-28 16:38 --------- d-----w C:\Program Files\RegScrubXP
2007-12-22 17:25 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-11-14 18:21 36,600 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_11_15_02_06_46_small.dmp.zip
2007-11-14 18:21 107,004 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_11_15_02_06_38_small.dmp.zip
2007-08-23 16:25 118,832 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_08_23_23_46_23_small.dmp.zip
2007-08-14 13:52 39,523 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_08_14_17_51_13_small.dmp.zip
2007-08-14 13:52 21,584,076 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_08_14_17_50_48_full.dmp.zip
2007-07-24 13:12 121,337 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_07_24_05_01_14_small.dmp.zip
2007-07-23 05:06 119,629 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_07_23_06_40_20_small.dmp.zip
2007-07-15 06:29 117,300 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_07_15_02_59_30_small.dmp.zip
2007-04-28 00:03 112,956 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_04_28_03_39_32_small.dmp.zip
2007-04-27 15:46 112,336 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_04_27_22_27_30_small.dmp.zip
2006-07-06 18:05 937,672 ----a-w C:\Program Files\INSTALL.LOG
2002-07-26 09:02 153,088 ----a-w C:\Program Files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-05-25 02:31 1372160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-12-19 11:12 16062464 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43 8466432]
"nwiz"="nwiz.exe" [2007-06-29 00:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 00:43 81920]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-26 21:51 579072]
"QuickTime Task"="C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-27 02:56 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"status"= present

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"Alcmtr"=ALCMTR.EXE
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
"QuickTime Task"="C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"C:\\Program Files\\MP3 Rocket\\MP3Rocket.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15638:TCP"= 15638:TCP:BitComet 15638 TCP
"15638:UDP"= 15638:UDP:BitComet 15638 UDP
"65100:TCP"= 65100:TCP:BitComet 65100 TCP
"65100:UDP"= 65100:UDP:BitComet 65100 UDP
"17131:TCP"= 17131:TCP:BitComet 17131 TCP
"17131:UDP"= 17131:UDP:BitComet 17131 UDP
"20281:TCP"= 20281:TCP:BitComet 20281 TCP
"20281:UDP"= 20281:UDP:BitComet 20281 UDP
"27679:TCP"= 27679:TCP:BitComet 27679 TCP
"27679:UDP"= 27679:UDP:BitComet 27679 UDP
"22796:TCP"= 22796:TCP:BitComet 22796 TCP
"22796:UDP"= 22796:UDP:BitComet 22796 UDP

R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51]
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
R2 X4HSX32;X4HSX32;C:\Program Files\GameTap\bin\Release\X4HSX32.Sys [2007-12-11 14:59]
S3 AEXPAM;Philips SmartManage Service;C:\WINDOWS\system32\Drivers\aexpamdrv.sys []

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ff8e3fa8-735d-11dc-99ee-001617428474}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-18 04:15:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-27 16:39:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Program Files\TuneUp Utilities 2006\WinStylerThemeHelper.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\Program Files\TuneUp Utilities 2006\WinStylerThemeHelper.dll

PROCESS: C:\WINDOWS\system32\csrss.exe
-> C:\Program Files\TuneUp Utilities 2006\WinStylerThemeHelper.dll
.
Completion time: 2008-02-27 16:40:15
ComboFix-quarantined-files.txt 2008-02-27 08:40:11
ComboFix2.txt 2008-02-25 15:35:32
ComboFix3.txt 2008-02-25 15:18:22
.
2008-02-14 18:54:53 --- E O F ---

Shaba
2008-02-27, 17:10
Hi

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Note: This scanner will work with Internet Explorer Only!

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Post:

- a fresh HijackThis log
- kaspersky report

t33ss
2008-02-28, 08:05
Hi,

Ok, i've done the Kaspersky scan.

Seems like my system is still infected because Kaspersky found like over 60 infection during the scan........or is it not?!

Anyway, here is the Kaspersky scan report:


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, February 28, 2008 6:35:44 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/02/2008
Kaspersky Anti-Virus database records: 583972
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 88074
Number of viruses found: 10
Number of infected objects: 64
Number of suspicious objects: 0
Duration of the scan process: 01:29:02

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Siang\Application Data\Mozilla\Firefox\Profiles\7cldkmqn.default\cert8.db Object is locked skipped
C:\Documents and Settings\Siang\Application Data\Mozilla\Firefox\Profiles\7cldkmqn.default\history.dat Object is locked skipped
C:\Documents and Settings\Siang\Application Data\Mozilla\Firefox\Profiles\7cldkmqn.default\key3.db Object is locked skipped
C:\Documents and Settings\Siang\Application Data\Mozilla\Firefox\Profiles\7cldkmqn.default\parent.lock Object is locked skipped
C:\Documents and Settings\Siang\Application Data\Mozilla\Firefox\Profiles\7cldkmqn.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Siang\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Siang\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Siang\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Siang\Local Settings\Application Data\Mozilla\Firefox\Profiles\7cldkmqn.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Siang\Local Settings\Application Data\Mozilla\Firefox\Profiles\7cldkmqn.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Siang\Local Settings\Application Data\Mozilla\Firefox\Profiles\7cldkmqn.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Siang\Local Settings\Application Data\Mozilla\Firefox\Profiles\7cldkmqn.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Siang\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Siang\Local Settings\History\History.IE5\MSHist012008022820080229\index.dat Object is locked skipped
C:\Documents and Settings\Siang\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Siang\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Siang\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Siang\ntuser.dat.LOG Object is locked skipped
C:\Downloads\Style XP v3.19 - Female + Male (full)+1000 Themes +1000 Boot Screens +1000 Walls\prog.rar/ikony/51904.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.Quick.a skipped
C:\Downloads\Style XP v3.19 - Female + Male (full)+1000 Themes +1000 Boot Screens +1000 Walls\prog.rar/ikony/51904.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Downloads\Style XP v3.19 - Female + Male (full)+1000 Themes +1000 Boot Screens +1000 Walls\prog.rar/ikony/51904.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.Gator.3103 skipped
C:\Downloads\Style XP v3.19 - Female + Male (full)+1000 Themes +1000 Boot Screens +1000 Walls\prog.rar/ikony/51904.exe Infected: not-a-virus:AdWare.Win32.Gator.3103 skipped
C:\Downloads\Style XP v3.19 - Female + Male (full)+1000 Themes +1000 Boot Screens +1000 Walls\prog.rar/login/58443.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.Quick.a skipped
C:\Downloads\Style XP v3.19 - Female + Male (full)+1000 Themes +1000 Boot Screens +1000 Walls\prog.rar/login/58443.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Downloads\Style XP v3.19 - Female + Male (full)+1000 Themes +1000 Boot Screens +1000 Walls\prog.rar/login/58443.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.Gator.3103 skipped
C:\Downloads\Style XP v3.19 - Female + Male (full)+1000 Themes +1000 Boot Screens +1000 Walls\prog.rar/login/58443.exe Infected: not-a-virus:AdWare.Win32.Gator.3103 skipped
C:\Downloads\Style XP v3.19 - Female + Male (full)+1000 Themes +1000 Boot Screens +1000 Walls\prog.rar RAR: infected - 8 skipped
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\access_log Object is locked skipped
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\error.log Object is locked skipped
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\error_log Object is locked skipped
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\logs\ssl_request_log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP443\A0267281.exe Infected: Trojan-PSW.Win32.OnLineGames.rpn skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP443\A0267282.dll Infected: Trojan-PSW.Win32.OnLineGames.rlb skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP443\A0267283.com Infected: Trojan-PSW.Win32.OnLineGames.rpn skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP443\A0267316.dll Infected: Trojan-PSW.Win32.OnLineGames.rpm skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP443\A0267319.com Infected: Trojan-PSW.Win32.OnLineGames.rpn skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP443\A0268406.dll Infected: Trojan-PSW.Win32.OnLineGames.rpm skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP443\A0268409.com Infected: Trojan-PSW.Win32.OnLineGames.rpn skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP443\A0268426.dll Infected: Trojan-PSW.Win32.OnLineGames.rpm skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP443\A0268429.com Infected: Trojan-PSW.Win32.OnLineGames.rpn skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP443\A0269443.dll Infected: Trojan-PSW.Win32.OnLineGames.rpm skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP443\A0269445.com Infected: Trojan-PSW.Win32.OnLineGames.rpn skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP443\A0269528.dll Infected: Trojan-PSW.Win32.OnLineGames.rpm skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP443\A0269531.com Infected: Trojan-PSW.Win32.OnLineGames.rpn skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP443\A0269555.dll Infected: Trojan-PSW.Win32.OnLineGames.rpm skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP443\A0269558.com Infected: Trojan-PSW.Win32.OnLineGames.rpn skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP443\A0269573.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.Quick.a skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP443\A0269573.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP443\A0269573.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.Gator.3103 skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP443\A0269573.exe WiseSFX: infected - 3 skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP443\A0269574.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.Quick.a skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP443\A0269574.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP443\A0269574.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.Gator.3103 skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP443\A0269574.exe WiseSFX: infected - 3 skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP443\A0269599.dll Infected: Trojan-PSW.Win32.OnLineGames.rpm skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP443\A0269602.com Infected: Trojan-PSW.Win32.OnLineGames.rpn skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP444\A0269637.com Infected: Trojan-PSW.Win32.OnLineGames.rpn skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP444\A0269667.dll Infected: Trojan-PSW.Win32.OnLineGames.rpm skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP444\A0269670.com Infected: Trojan-PSW.Win32.OnLineGames.rpn skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP444\A0269746.dll Infected: Trojan-PSW.Win32.OnLineGames.rpm skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP444\A0269749.com Infected: Trojan-PSW.Win32.OnLineGames.rpn skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP444\A0269753.exe Infected: Trojan-PSW.Win32.OnLineGames.rpn skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP444\A0269829.dll Infected: Trojan-PSW.Win32.OnLineGames.rsa skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP444\A0269832.com Infected: Trojan-PSW.Win32.OnLineGames.rsb skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP444\A0269836.exe Infected: Trojan-PSW.Win32.OnLineGames.rsb skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP445\A0270005.dll Infected: Trojan-PSW.Win32.OnLineGames.rpm skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP446\A0270021.exe Infected: Worm.Win32.AutoRun.csg skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP446\A0270022.dll Infected: Worm.Win32.AutoRun.csg skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP449\A0271444.com Infected: Worm.Win32.AutoRun.csg skipped
C:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP451\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\SMILEY.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{7E4850A6-58C6-4EB2-8655-FB49B9194658}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\atapi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT07d4c.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT07d50.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Live Life Kool\Installation Files\keyfinder.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\Live Life Kool\Installation Files\keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\Live Life Kool\Installation Files\keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\Live Life Kool\Installation Files\keyfinder.exe RarSFX: infected - 3 skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP443\A0267285.com Infected: Trojan-PSW.Win32.OnLineGames.rpn skipped
D:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP443\A0267321.com Infected: Trojan-PSW.Win32.OnLineGames.rpn skipped
D:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP443\A0268411.com Infected: Trojan-PSW.Win32.OnLineGames.rpn skipped
D:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP443\A0268431.com Infected: Trojan-PSW.Win32.OnLineGames.rpn skipped
D:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP443\A0269447.com Infected: Trojan-PSW.Win32.OnLineGames.rpn skipped
D:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP443\A0269533.com Infected: Trojan-PSW.Win32.OnLineGames.rpn skipped
D:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP443\A0269560.com Infected: Trojan-PSW.Win32.OnLineGames.rpn skipped
D:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP443\A0269604.com Infected: Trojan-PSW.Win32.OnLineGames.rpn skipped
D:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP444\A0269639.com Infected: Trojan-PSW.Win32.OnLineGames.rpn skipped
D:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP444\A0269672.com Infected: Trojan-PSW.Win32.OnLineGames.rpn skipped
D:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP444\A0269751.com Infected: Trojan-PSW.Win32.OnLineGames.rpn skipped
D:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP444\A0269834.com Infected: Trojan-PSW.Win32.OnLineGames.rsb skipped
D:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP449\A0271445.com Infected: Worm.Win32.AutoRun.csg skipped
D:\System Volume Information\_restore{43CDA3CE-A7AA-44C8-AF05-2A04DC5789B7}\RP451\change.log Object is locked skipped

Scan process completed.


The HJT log will be posted on the next reply. Thks.

t33ss
2008-02-28, 08:08
Here is the HJT log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:06:27 PM, on 2/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKLM\..\Policies\Explorer\Run: [status] present
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6EC98949-ABC3-40FF-B8A8-A043DFDF727E}: NameServer = 192.168.1.1
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8712 bytes


Thks again for helping.

Shaba
2008-02-28, 11:30
Hi

Most of them are in system restore and inactive.

This is no virus at all:

D:\Live Life Kool\Installation Files\keyfinder.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\Live Life Kool\Installation Files\keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\Live Life Kool\Installation Files\keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\Live Life Kool\Installation Files\keyfinder.exe RarSFX: infected - 3 skipped

Delete this:

C:\Downloads\Style XP v3.19 - Female + Male (full)+1000 Themes +1000 Boot Screens +1000 Walls\prog.rar

Empty Recycle Bin.

All other viruses are in system restore and inactive.

I give you later instructions how to empty it.

Other than that, any problems left?

t33ss
2008-02-29, 16:35
Hi,

Glad to hear that my system is ok now. I don't seem to recall any problem since my 1st combofix scan, so i think everything is back to normal now, HOORAY!!!

Thks to you :bigthumb:, now that i know it's clean, i feel so relieved. Phew!

Oh ya, a little favor i need to ask you, how to clean a thumb drive that is infected? I think it's the same virus win32/nsanti.

Thks again.

Shaba
2008-02-29, 18:56
Hi

If thumb drive is infected and you plug it into computer which is clean, computer will get re-infected.

So practically two choices (as there is very little point to re-infect and clean your computer in order to get your thumb drive clean).

1) Get a new thumb drive

2) Format thumb drive in another OS (eg. Linux).

t33ss
2008-03-01, 11:44
Hi there,



1) Get a new thumb drive

Dun think i'll do that, coz i just got this 4GB thumb drive not long ago. So i guess that left me with option no. 2, that is format my thumb drive in another system.

Hmmm......

may b i'll do that on my university computer then :devil:

HAHAHA!

Anyway, seems like the problem had been resolved. So i would like to thk you again for the help you've offered.

Thank you.

Shaba
2008-03-01, 12:15
Hi

Ok, but remember that you will infect that computer in which you format it unless OS is different :)

Don't use that thumb drive in your computer before formatting.

Any other issues?

Shaba
2008-03-06, 12:09
Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.