damnit
2008-05-29, 20:36
Situational info:
Basically, this is the malware I've got for sure: the rogue spyware type. It pops up prompts in IE telling me that I'm infected and that I should download "Vista Antivirus 2008". I probably got more ***t but this is what I got for sure. Neither S&D nor Kaspersky detect it at this point so it must be pretty fresh.
Thanks, to my firewall I caught several requests to x1.theactionshow.com and netflame.cc and c.bigmir.net which seem to be spyware call-home domains.
I do have some legitimate adware such as Zango and Vomba installed on my PC and they are NOT the problem - I've had them for a long time with no problem - and I'd like to keep them.
HiJackThis Scan Output:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:18:07 AM, on 5/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\D4\D4.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\VombaShots\VombaShots.exe
C:\Documents and Settings\RASTEKO\Application Data\vomba\vomba.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\PGP Corporation\PGP for Windows XP\PGPtray.exe
C:\Program Files\OpenVPN\bin\openvpn-gui-1.0.3.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
C:\WINDOWS\system32\PGPserv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 201.231.238.189:80
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {32341E7E-C319-46DE-91D0-E30BB1A3CABA} - C:\WINDOWS\system32\mlJYsPjk.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Zango - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - C:\Program Files\Zango\bin\10.3.36.0\HostIE.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O2 - BHO: HttpWatch Professional - {F1F69322-008F-4895-B2BF-AD194219825A} - C:\Program Files\HttpWatch\httpwatchscpro.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Zango - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - C:\Program Files\Zango\bin\10.3.36.0\HostIE.dll
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Dimension4] C:\Program Files\D4\D4.exe
O4 - HKLM\..\Run: [ZangoOE] C:\Program Files\Zango\bin\10.3.36.0\OEAddOn.exe
O4 - HKLM\..\Run: [ZangoSA] "C:\Program Files\Zango\bin\10.3.36.0\ZangoSA.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [VombaShots Manager] "C:\Program Files\VombaShots\VombaShots.exe"
O4 - HKCU\..\Run: [Vomba] C:\Documents and Settings\RASTEKO\Application Data\vomba\vomba.exe
O4 - HKCU\..\Run: [IFStub] C:\WINDOWS\Temp\Adware\InstaFinderK_inst.exe
O4 - HKCU\..\Run: [A00FF4C6BB2.exe] C:\DOCUME~1\RASTEKO\LOCALS~1\Temp\_A00FF4C6BB2.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: OpenVPN GUI (2).lnk = C:\Program Files\OpenVPN\bin\openvpn-gui-1.0.3.exe
O4 - Startup: Shortcut to trillianpro.lnk = C:\Program Files\Trillian\trillianpro.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PGPtray.lnk = ?
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Whois - {11E47140-F946-4049-B038-AB77CAA0480B} - C:\Program Files\Whois Web\WWtoolbar.htm
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: HttpWatch Professional - {D103E85B-5D67-42c1-8C83-F01079DBAB26} - C:\Program Files\HttpWatch\httpwatchpro.dll
O9 - Extra 'Tools' menuitem: HttpWatch Professional - {D103E85B-5D67-42c1-8C83-F01079DBAB26} - C:\Program Files\HttpWatch\httpwatchpro.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\Program Files\Agnitum\Outpost Firewall\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\Program Files\Agnitum\Outpost Firewall\TRASH.EXE (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD40/JSCDL/jre/6u5-b19/jinstall-6u5-windows-i586-jc.cab?AuthParam=1210594866_95d8c4d64b514611950d55af0921396b&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD40/JSCDL/jre/6u5-b19/jinstall-6u5-windows-i586-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{55AF3450-1F2B-42F3-B786-401F790F81B6}: NameServer = 212.150.49.10,62.90.42.110
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O20 - Winlogon Notify: mlJYsPjk - C:\WINDOWS\SYSTEM32\mlJYsPjk.dll
O20 - Winlogon Notify: __c00CB2BA - C:\WINDOWS\system32\__c00CB2BA.dat
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
--
End of file - 10853 bytes
Kaspersky Log:
Thursday, May 29, 2008 11:14:20 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/05/2008
Kaspersky Anti-Virus database records: 812777
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
Scan Statistics
Total number of scanned objects 65237
Number of viruses found 15
Number of infected objects 59
Number of suspicious objects 0
Duration of the scan process 00:42:55
Infected Object Name Virus Name Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\call1024.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\call256.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\call512.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\callmember256.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\chat256.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\chat512.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\chatmember256.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\chatmsg1024.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\chatmsg2048.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\chatmsg256.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\chatmsg32768.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\chatmsg4096.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\chatmsg512.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\chatmsg8192.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\chatsync\c5\c549aef892692fa3.dat Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\dyncontent\bundle.dat Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\index2.dat Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\profile256.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\transfer512.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\user1024.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\user16384.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\user256.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\user4096.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\voicemail256.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\RASTEKO\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\RASTEKO\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\RASTEKO\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\RASTEKO\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\RASTEKO\Local Settings\History\History.IE5\MSHist012008052920080530\index.dat Object is locked skipped
C:\Documents and Settings\RASTEKO\Local Settings\Temp\Acr2C.tmp Object is locked skipped
C:\Documents and Settings\RASTEKO\Local Settings\Temp\Acr32.tmp Object is locked skipped
C:\Documents and Settings\RASTEKO\Local Settings\Temp\Acr33.tmp Object is locked skipped
C:\Documents and Settings\RASTEKO\Local Settings\Temp\asmfiles.cab/asm.exe Infected: not-a-virus:AdWare.Win32.Altnet.l skipped
C:\Documents and Settings\RASTEKO\Local Settings\Temp\asmfiles.cab/asmps.dll Infected: not-a-virus:AdWare.Win32.Altnet.t skipped
C:\Documents and Settings\RASTEKO\Local Settings\Temp\asmfiles.cab CAB: infected - 2 skipped
C:\Documents and Settings\RASTEKO\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\RASTEKO\Local Settings\Temp\mirc631.exe/stream/data0014 Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\Documents and Settings\RASTEKO\Local Settings\Temp\mirc631.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\Documents and Settings\RASTEKO\Local Settings\Temp\mirc631.exe NSIS: infected - 2 skipped
C:\Documents and Settings\RASTEKO\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\RASTEKO\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\RASTEKO\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\RASTEKO\ntuser.dat.LOG Object is locked skipped
C:\INST\mirc\mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\INST\mirc\mirc616.exe mIRC: infected - 1 skipped
C:\Program Files\Agnitum\Outpost Firewall\op_data.ldb Object is locked skipped
C:\Program Files\Agnitum\Outpost Firewall\op_data.mdb Object is locked skipped
C:\Program Files\D4\SyncHistory.dat Object is locked skipped
C:\Program Files\D4\SyncHistoryServers.dat Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\Program Files\Mozilla Firefox\plugins\NPNd2fn.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.o skipped
C:\Program Files\Zango\bin\10.3.36.0\CntntCntr.dll Infected: not-a-virus:AdWare.Win32.HotBar.ck skipped
C:\Program Files\Zango\bin\10.3.36.0\CoreSrv.dll Infected: not-a-virus:AdWare.Win32.HotBar.ck skipped
C:\Program Files\Zango\bin\10.3.36.0\HostOE.dll Infected: not-a-virus:AdWare.Win32.HotBar.ck skipped
C:\Program Files\Zango\bin\10.3.36.0\HostOL.dll Infected: not-a-virus:AdWare.Win32.HotBar.ck skipped
C:\Program Files\Zango\bin\10.3.36.0\OEAddOn.exe Infected: not-a-virus:AdWare.Win32.HotBar.ck skipped
C:\Program Files\Zango\bin\10.3.36.0\Wallpaper.dll Infected: not-a-virus:AdWare.Win32.HotBar.ck skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP141\A0043735.dll Infected: not-a-virus:AdWare.Win32.Altnet.d skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP141\A0043737.exe/TopSearch.dll Infected: not-a-virus:AdWare.Win32.Altnet.d skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP141\A0043737.exe CAB: infected - 1 skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP141\A0043737.exe Execryptor: infected - 1 skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP141\A0043749.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.o skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP141\A0043750.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP141\A0043751.DLL Infected: not-a-virus:AdWare.Win32.MySearch.e skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP141\A0043752.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.o skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP142\A0044678.dll Infected: not-a-virus:AdWare.Win32.Altnet.d skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP142\A0044680.exe/TopSearch.dll Infected: not-a-virus:AdWare.Win32.Altnet.d skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP142\A0044680.exe CAB: infected - 1 skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP142\A0044680.exe Execryptor: infected - 1 skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP142\A0044692.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.o skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP143\A0045689.dll Infected: not-a-virus:AdWare.Win32.Altnet.d skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP143\A0045691.exe/TopSearch.dll Infected: not-a-virus:AdWare.Win32.Altnet.d skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP143\A0045691.exe CAB: infected - 1 skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP143\A0045691.exe Execryptor: infected - 1 skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP143\A0045704.dll Infected: not-a-virus:AdWare.Win32.RXBar.f skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP143\A0045707.dll Infected: not-a-virus:AdWare.Win32.RXBar.f skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP144\A0045719.exe/TopSearch.dll Infected: not-a-virus:AdWare.Win32.Altnet.d skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP144\A0045719.exe CAB: infected - 1 skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP144\A0045719.exe Execryptor: infected - 1 skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP144\A0045721.dll Infected: not-a-virus:AdWare.Win32.Altnet.d skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP144\A0045739.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP144\A0045740.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.o skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP144\A0045741.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP144\A0045742.DLL Infected: not-a-virus:AdWare.Win32.MySearch.e skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP144\A0045743.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.o skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP144\A0045747.dll Infected: not-a-virus:AdWare.Win32.RXBar.f skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP144\A0045748.dll Infected: not-a-virus:AdWare.Win32.RXBar.f skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP144\A0045749.DLL Infected: not-a-virus:AdWare.Win32.MySearch.e skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP147\A0046747.dll Infected: not-a-virus:AdWare.Win32.MySearch.e skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP156\A0050747.dll Infected: not-a-virus:AdWare.Win32.HotBar.ck skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP156\A0050765.dll Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP156\A0050766.dll Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP156\A0050767.exe Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP156\A0050768.dll Infected: not-a-virus:AdWare.Win32.Altnet.x skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP156\A0050769.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3039 skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP156\A0050770.dll Infected: not-a-virus:AdWare.Win32.Altnet.j skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP156\A0050771.dll Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP156\A0050772.exe Infected: not-a-virus:AdWare.Win32.Altnet.g skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP156\A0050773.exe Infected: not-a-virus:AdWare.Win32.Altnet.l skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP156\A0050775.dll Infected: not-a-virus:AdWare.Win32.Altnet.t skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP158\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\JETA170.tmp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
S&D doesnt find any problems except Zango and Vomba and I'm OK with both.
Basically, this is the malware I've got for sure: the rogue spyware type. It pops up prompts in IE telling me that I'm infected and that I should download "Vista Antivirus 2008". I probably got more ***t but this is what I got for sure. Neither S&D nor Kaspersky detect it at this point so it must be pretty fresh.
Thanks, to my firewall I caught several requests to x1.theactionshow.com and netflame.cc and c.bigmir.net which seem to be spyware call-home domains.
I do have some legitimate adware such as Zango and Vomba installed on my PC and they are NOT the problem - I've had them for a long time with no problem - and I'd like to keep them.
HiJackThis Scan Output:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:18:07 AM, on 5/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\D4\D4.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\VombaShots\VombaShots.exe
C:\Documents and Settings\RASTEKO\Application Data\vomba\vomba.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\PGP Corporation\PGP for Windows XP\PGPtray.exe
C:\Program Files\OpenVPN\bin\openvpn-gui-1.0.3.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
C:\WINDOWS\system32\PGPserv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 201.231.238.189:80
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {32341E7E-C319-46DE-91D0-E30BB1A3CABA} - C:\WINDOWS\system32\mlJYsPjk.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Zango - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - C:\Program Files\Zango\bin\10.3.36.0\HostIE.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O2 - BHO: HttpWatch Professional - {F1F69322-008F-4895-B2BF-AD194219825A} - C:\Program Files\HttpWatch\httpwatchscpro.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Zango - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - C:\Program Files\Zango\bin\10.3.36.0\HostIE.dll
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Dimension4] C:\Program Files\D4\D4.exe
O4 - HKLM\..\Run: [ZangoOE] C:\Program Files\Zango\bin\10.3.36.0\OEAddOn.exe
O4 - HKLM\..\Run: [ZangoSA] "C:\Program Files\Zango\bin\10.3.36.0\ZangoSA.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [VombaShots Manager] "C:\Program Files\VombaShots\VombaShots.exe"
O4 - HKCU\..\Run: [Vomba] C:\Documents and Settings\RASTEKO\Application Data\vomba\vomba.exe
O4 - HKCU\..\Run: [IFStub] C:\WINDOWS\Temp\Adware\InstaFinderK_inst.exe
O4 - HKCU\..\Run: [A00FF4C6BB2.exe] C:\DOCUME~1\RASTEKO\LOCALS~1\Temp\_A00FF4C6BB2.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: OpenVPN GUI (2).lnk = C:\Program Files\OpenVPN\bin\openvpn-gui-1.0.3.exe
O4 - Startup: Shortcut to trillianpro.lnk = C:\Program Files\Trillian\trillianpro.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PGPtray.lnk = ?
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Whois - {11E47140-F946-4049-B038-AB77CAA0480B} - C:\Program Files\Whois Web\WWtoolbar.htm
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: HttpWatch Professional - {D103E85B-5D67-42c1-8C83-F01079DBAB26} - C:\Program Files\HttpWatch\httpwatchpro.dll
O9 - Extra 'Tools' menuitem: HttpWatch Professional - {D103E85B-5D67-42c1-8C83-F01079DBAB26} - C:\Program Files\HttpWatch\httpwatchpro.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\Program Files\Agnitum\Outpost Firewall\TRASH.EXE (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\Program Files\Agnitum\Outpost Firewall\TRASH.EXE (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD40/JSCDL/jre/6u5-b19/jinstall-6u5-windows-i586-jc.cab?AuthParam=1210594866_95d8c4d64b514611950d55af0921396b&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD40/JSCDL/jre/6u5-b19/jinstall-6u5-windows-i586-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{55AF3450-1F2B-42F3-B786-401F790F81B6}: NameServer = 212.150.49.10,62.90.42.110
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O20 - Winlogon Notify: mlJYsPjk - C:\WINDOWS\SYSTEM32\mlJYsPjk.dll
O20 - Winlogon Notify: __c00CB2BA - C:\WINDOWS\system32\__c00CB2BA.dat
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
--
End of file - 10853 bytes
Kaspersky Log:
Thursday, May 29, 2008 11:14:20 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/05/2008
Kaspersky Anti-Virus database records: 812777
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
Scan Statistics
Total number of scanned objects 65237
Number of viruses found 15
Number of infected objects 59
Number of suspicious objects 0
Duration of the scan process 00:42:55
Infected Object Name Virus Name Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\call1024.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\call256.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\call512.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\callmember256.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\chat256.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\chat512.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\chatmember256.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\chatmsg1024.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\chatmsg2048.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\chatmsg256.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\chatmsg32768.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\chatmsg4096.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\chatmsg512.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\chatmsg8192.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\chatsync\c5\c549aef892692fa3.dat Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\dyncontent\bundle.dat Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\index2.dat Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\profile256.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\transfer512.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\user1024.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\user16384.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\user256.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\user4096.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Application Data\Skype\skype-username\voicemail256.dbb Object is locked skipped
C:\Documents and Settings\RASTEKO\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\RASTEKO\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\RASTEKO\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\RASTEKO\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\RASTEKO\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\RASTEKO\Local Settings\History\History.IE5\MSHist012008052920080530\index.dat Object is locked skipped
C:\Documents and Settings\RASTEKO\Local Settings\Temp\Acr2C.tmp Object is locked skipped
C:\Documents and Settings\RASTEKO\Local Settings\Temp\Acr32.tmp Object is locked skipped
C:\Documents and Settings\RASTEKO\Local Settings\Temp\Acr33.tmp Object is locked skipped
C:\Documents and Settings\RASTEKO\Local Settings\Temp\asmfiles.cab/asm.exe Infected: not-a-virus:AdWare.Win32.Altnet.l skipped
C:\Documents and Settings\RASTEKO\Local Settings\Temp\asmfiles.cab/asmps.dll Infected: not-a-virus:AdWare.Win32.Altnet.t skipped
C:\Documents and Settings\RASTEKO\Local Settings\Temp\asmfiles.cab CAB: infected - 2 skipped
C:\Documents and Settings\RASTEKO\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\RASTEKO\Local Settings\Temp\mirc631.exe/stream/data0014 Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\Documents and Settings\RASTEKO\Local Settings\Temp\mirc631.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\Documents and Settings\RASTEKO\Local Settings\Temp\mirc631.exe NSIS: infected - 2 skipped
C:\Documents and Settings\RASTEKO\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\RASTEKO\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\RASTEKO\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\RASTEKO\ntuser.dat.LOG Object is locked skipped
C:\INST\mirc\mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\INST\mirc\mirc616.exe mIRC: infected - 1 skipped
C:\Program Files\Agnitum\Outpost Firewall\op_data.ldb Object is locked skipped
C:\Program Files\Agnitum\Outpost Firewall\op_data.mdb Object is locked skipped
C:\Program Files\D4\SyncHistory.dat Object is locked skipped
C:\Program Files\D4\SyncHistoryServers.dat Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\Program Files\Mozilla Firefox\plugins\NPNd2fn.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.o skipped
C:\Program Files\Zango\bin\10.3.36.0\CntntCntr.dll Infected: not-a-virus:AdWare.Win32.HotBar.ck skipped
C:\Program Files\Zango\bin\10.3.36.0\CoreSrv.dll Infected: not-a-virus:AdWare.Win32.HotBar.ck skipped
C:\Program Files\Zango\bin\10.3.36.0\HostOE.dll Infected: not-a-virus:AdWare.Win32.HotBar.ck skipped
C:\Program Files\Zango\bin\10.3.36.0\HostOL.dll Infected: not-a-virus:AdWare.Win32.HotBar.ck skipped
C:\Program Files\Zango\bin\10.3.36.0\OEAddOn.exe Infected: not-a-virus:AdWare.Win32.HotBar.ck skipped
C:\Program Files\Zango\bin\10.3.36.0\Wallpaper.dll Infected: not-a-virus:AdWare.Win32.HotBar.ck skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP141\A0043735.dll Infected: not-a-virus:AdWare.Win32.Altnet.d skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP141\A0043737.exe/TopSearch.dll Infected: not-a-virus:AdWare.Win32.Altnet.d skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP141\A0043737.exe CAB: infected - 1 skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP141\A0043737.exe Execryptor: infected - 1 skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP141\A0043749.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.o skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP141\A0043750.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP141\A0043751.DLL Infected: not-a-virus:AdWare.Win32.MySearch.e skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP141\A0043752.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.o skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP142\A0044678.dll Infected: not-a-virus:AdWare.Win32.Altnet.d skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP142\A0044680.exe/TopSearch.dll Infected: not-a-virus:AdWare.Win32.Altnet.d skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP142\A0044680.exe CAB: infected - 1 skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP142\A0044680.exe Execryptor: infected - 1 skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP142\A0044692.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.o skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP143\A0045689.dll Infected: not-a-virus:AdWare.Win32.Altnet.d skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP143\A0045691.exe/TopSearch.dll Infected: not-a-virus:AdWare.Win32.Altnet.d skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP143\A0045691.exe CAB: infected - 1 skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP143\A0045691.exe Execryptor: infected - 1 skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP143\A0045704.dll Infected: not-a-virus:AdWare.Win32.RXBar.f skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP143\A0045707.dll Infected: not-a-virus:AdWare.Win32.RXBar.f skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP144\A0045719.exe/TopSearch.dll Infected: not-a-virus:AdWare.Win32.Altnet.d skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP144\A0045719.exe CAB: infected - 1 skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP144\A0045719.exe Execryptor: infected - 1 skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP144\A0045721.dll Infected: not-a-virus:AdWare.Win32.Altnet.d skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP144\A0045739.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP144\A0045740.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.o skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP144\A0045741.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP144\A0045742.DLL Infected: not-a-virus:AdWare.Win32.MySearch.e skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP144\A0045743.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.o skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP144\A0045747.dll Infected: not-a-virus:AdWare.Win32.RXBar.f skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP144\A0045748.dll Infected: not-a-virus:AdWare.Win32.RXBar.f skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP144\A0045749.DLL Infected: not-a-virus:AdWare.Win32.MySearch.e skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP147\A0046747.dll Infected: not-a-virus:AdWare.Win32.MySearch.e skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP156\A0050747.dll Infected: not-a-virus:AdWare.Win32.HotBar.ck skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP156\A0050765.dll Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP156\A0050766.dll Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP156\A0050767.exe Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP156\A0050768.dll Infected: not-a-virus:AdWare.Win32.Altnet.x skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP156\A0050769.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3039 skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP156\A0050770.dll Infected: not-a-virus:AdWare.Win32.Altnet.j skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP156\A0050771.dll Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP156\A0050772.exe Infected: not-a-virus:AdWare.Win32.Altnet.g skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP156\A0050773.exe Infected: not-a-virus:AdWare.Win32.Altnet.l skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP156\A0050775.dll Infected: not-a-virus:AdWare.Win32.Altnet.t skipped
C:\System Volume Information\_restore{A75B2583-256F-4901-8E43-DD733423A218}\RP158\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\JETA170.tmp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
S&D doesnt find any problems except Zango and Vomba and I'm OK with both.