
HijackThis log: F2 - REG:system.ini: UserInit (Resolved)


  • This topic is locked
18 replies to this topic

#1 xdustyx (Member, 12 posts)

Posted 08 May 2009 - 04:45 AM

Hi,
My computer has been running really slow, and when I looked in my Security Centre I noticed that my Windows Firewall was turned off. I guessed there might be some kind of virus on it, so I ran Malwarebytes Anti-Malware, and during the scan AVG popped up and said there was a threat detected.
It found: Trojan horse Agent2.GKP in: C:\WINDOWS\system32\oembios.exe
I moved the file to the virus vault.
ALSO, during the same Malwarebytes scan, AVG found 2 other viruses:
Trojan horse Agent2.GKP - C:\System Volume Information\_restore
Trojan horse Agent2.GKP - C:\Documents and Settings\Local Settings\Temp\wJQs.exe
I moved both to the virus vault, same as the first one.
After trying to find some info on this virus, I read that it can infect other things on the computer... some advice was to do a HijackThis scan and let someone take a look who may be able to help (please).
I did notice that a lot of people were concerned about something showing up on their logs, and I have the same thing on mine & don't know what to do OR even if there's something wrong. What's bothering me after I did the scan with Trend Micro HijackThis is this:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe
Could someone PLEASE take a look at my log and help me? It's really worrying me.
Many, many thanks :)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:52:20, on 07/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,
O1 - Hosts: 193.125.23.12 updates.sald.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\billy\Application Data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1238500135000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1241634729171
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelg...in/cortvrml.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B9F79165-A264-4C4A-A211-133A5E8D647F} (F-Secure Health Check 1.1) - http://support.f-sec.../fshc/fscax.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...428/mcfscan.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apache - Unknown owner - C:\Program Files\Saurus CMS\Apache\Apache.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MySql - Unknown owner - C:/Program Files/Saurus CMS/Apache/mysql/bin/mysqld-nt.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 6968 bytes

Edited by xdustyx, 08 May 2009 - 05:08 AM.
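The lines a helper would pick out of the log above are the F2 UserInit value (a second executable appended after userinit.exe runs at every logon), the O1 hosts entry pointing a hostname at a non-loopback address, the O2 BHO with no file behind it, and the O4 autorun under a user profile with an opaque hex argument. The following Python script, added here as an example and not part of the original thread or of any of the forum's tools, applies that triage to HijackThis-format log lines offline. The sample lines are copied from the posted log (with one clean line for contrast); the heuristics (stock userinit.exe must live in system32, hosts entries must map to loopback or 0.0.0.0, autoruns from profile or Temp paths and 32+ hex-digit arguments are suspicious) are this example's own choices, and nothing is read from the registry or disk.

```python
import re

# Constructed sample input for this example: lines copied from the HijackThis
# log posted above, plus a benign R0 line and the clean AVG autorun for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,
O1 - Hosts: 193.125.23.12 updates.sald.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\billy\Application Data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897
"""

# Hosts-file targets that are not redirections (assumption of this example).
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
# Path fragments that mean "user-writable", where no legitimate HKLM/HKCU
# autorun on this kind of box should normally live (assumption of this example).
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\")


def userinit_extras(value):
    """Return every entry of a Winlogon Userinit value that is not the stock
    userinit.exe in system32.  Winlogon runs each comma-separated entry at
    logon, so anything appended after userinit.exe is a persistence point."""
    extras = []
    for entry in value.split(","):
        entry = entry.strip().strip('"')
        if not entry:
            continue  # trailing comma, as in the posted value
        directory, _, name = entry.replace("/", "\\").rpartition("\\")
        in_system32 = directory == "" or directory.lower().endswith("\\system32")
        if not (name.lower() == "userinit.exe" and in_system32):
            extras.append(entry)
    return extras


def hosts_is_suspicious(body):
    """O1 lines list non-default hosts-file entries; an entry that does not map
    to loopback (or to 0.0.0.0 as a sinkhole) redirects that hostname."""
    ip, _, _host = body.strip().partition(" ")
    return ip not in LOOPBACK


def run_entry_reason(body):
    """O4 lines are Run-key autoruns.  Flag executables in a user-writable
    profile path and commands whose argument is an opaque hex blob."""
    m = re.match(r".*?\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)", body)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    if cmd.startswith('"'):
        path, _, args = cmd[1:].partition('"')
    else:
        path, _, args = cmd.partition(" ")
    reasons = []
    if any(marker in path.lower() for marker in USER_WRITABLE):
        reasons.append("autorun from user-writable path")
    if re.fullmatch(r"[0-9A-Fa-f]{32,}", args.strip()):
        reasons.append("opaque hex argument")
    return "; ".join(reasons) or None


def triage(log_text):
    """Walk HijackThis log lines and return (line, reason) for each suspicious one."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind, _, body = line.partition(" - ")
        if kind == "F2" and "UserInit=" in body:
            extras = userinit_extras(body.split("UserInit=", 1)[1])
            if extras:
                findings.append((line, "Userinit hijack: " + ", ".join(extras)))
        elif kind == "O1" and hosts_is_suspicious(body.replace("Hosts:", "", 1)):
            findings.append((line, "hosts-file redirection"))
        elif kind == "O2" and body.endswith("(no file)"):
            findings.append((line, "orphaned BHO registration"))
        elif kind == "O4":
            reason = run_entry_reason(body)
            if reason:
                findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason:45s} {line}")
```

Run against the sample, the script reports four lines: the Userinit value with oembios.exe appended, the hosts redirection, the orphaned BHO, and the gadcom autorun; the AVG tray autorun passes because it lives under Program Files and carries no argument. The same Userinit check explains the Malwarebytes "Bad: ... Good: (userinit.exe)" entry later in the thread: the clean value is either the bare userinit.exe, or its full system32 path, with nothing after the comma.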


#2 Katana (MRU Teacher, Trusted Malware Techs, 1,523 posts, Location: Manchester (UK))


Posted 08 May 2009 - 09:02 AM

Please note that all instructions given are customised for this computer only;
the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
  • Please Read All Instructions Carefully
  • If you don't understand something, stop and ask! Don't keep going on.
  • Please do not run any other tools or scans whilst I am helping you
  • Failure to reply within 5 days will result in the topic being closed.
  • Please continue to respond until I give you the "All Clear"
    (Just because you can't see a problem doesn't mean it isn't there)
If you can do those few things, everything should go smoothly.

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe

----------------------------------------------------------------------------------------



==============================WARNING==============================
There is some evidence of what may be a very nasty infection.
If the Computer has been used for any important data, you are strongly advised to do the following, immediately:
  • Back up all important data on the machine.
  • If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
    Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
  • Take any other steps you think appropriate for an attempted identity theft.
==============================WARNING==============================



Download and Run SD Fix

Please download SDFix (by andymanchesta) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Download and Run RSIT
  • Please download Random's System Information Tool by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt will be opened maximized.
    • info.txt will be opened minimized.
  • Please post the contents of both log.txt and info.txt.


#3 xdustyx (Member, 12 posts)

Posted 10 May 2009 - 09:38 AM

Hello Katana...
First, can I please say THANK YOU very, very much for replying...
After posting this thread I checked my version of Malwarebytes and found that I wasn't using the latest version. I downloaded and installed it, and it seems to have found the:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe
and other things besides...
I also installed SUPERAntiSpyware, and it found quite a few things as well!
I've also rebooted in Safe Mode and rescanned afterwards, and it found NOTHING.
I manually deleted the: O1 - Hosts: 193.125.23.12 updates.sald.com

Please could you have a look at the logs you requested? Thank you again very much :)
(I've included a log of the Malwarebytes scan first, so you can see what it removed before it came back clear.)

(Malwarebytes scan after updating, BEFORE removal)

Malwarebytes' Anti-Malware 1.36
Database version: 2092
Windows 5.1.2600 Service Pack 3

08/05/2009 14:26:01
mbam-log-2009-05-08 (14-26-01).txt

Scan type: Full Scan (C:\|)
Objects scanned: 291276
Time elapsed: 2 hour(s), 35 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 4
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Somefox (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\sysproc64 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\sysproc64 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\billy\Local Settings\Temp\snapsnet (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\billy\Application Data\NI.GSCNS (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\MSINET.oca (Rogue.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysproc64\sysproc32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysproc64\sysproc86.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\sysproc64\sysproc32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\billy\Application Data\NI.GSCNS\dl.ini (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\billy\Application Data\NI.GSCNS\settings.ini (Trojan.Agent) -> Quarantined and deleted successfully.


(Malwarebytes NEW scan, AFTER removal)

Malwarebytes' Anti-Malware 1.36
Database version: 2092
Windows 5.1.2600 Service Pack 3

10/05/2009 15:18:25
mbam-log-2009-05-10 (15-18-25).txt

Scan type: Full Scan (C:\|)
Objects scanned: 289694
Time elapsed: 1 hour(s), 23 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:35:58, on 10/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1238500135000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1241634729171
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelg...in/cortvrml.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O16 - DPF: {B9F79165-A264-4C4A-A211-133A5E8D647F} (F-Secure Health Check 1.1) - http://support.f-sec.../fshc/fscax.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...428/mcfscan.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apache - Unknown owner - C:\Program Files\Saurus CMS\Apache\Apache.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MySql - Unknown owner - C:/Program Files/Saurus CMS/Apache/mysql/bin/mysqld-nt.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 5581 bytes

----------------------------------------------------------------------------------------------------------------------------

Edited by xdustyx, 10 May 2009 - 09:42 AM.


#4 xdustyx (Member, 12 posts)

Posted 10 May 2009 - 09:44 AM

Logfile of random's system information tool 1.06 (written by random/random)
Run by billy at 2009-05-10 13:39:14
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 11 GB (19%) free of 57 GB
Total RAM: 495 MB (51% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:39:16, on 10/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\billy\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\billy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1238500135000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1241634729171
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelg...in/cortvrml.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O16 - DPF: {B9F79165-A264-4C4A-A211-133A5E8D647F} (F-Secure Health Check 1.1) - http://support.f-sec.../fshc/fscax.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...428/mcfscan.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apache - Unknown owner - C:\Program Files\Saurus CMS\Apache\Apache.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MySql - Unknown owner - C:/Program Files/Saurus CMS/Apache/mysql/bin/mysqld-nt.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 5592 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1190283110.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-05-02 1107224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 322368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-09 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-09 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe [2004-10-08 155648]
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe [2004-10-08 126976]
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2004-05-07 98304]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2004-05-07 536576]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-05-02 1947928]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AMTDeviceService]
C:\Program Files\AMT Media Manager\AMTDeviceService.exe [2009-01-21 184320]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe [2006-09-28 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE [2004-02-03 401491]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Nero\Nero8\InCD\InCD.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2009-04-02 342312]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.GSCNS]
C:\DOCUME~1\billy\LOCALS~1\Temp\xcsoseeamm.tmp []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe [2007-06-18 271360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2009-01-05 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
C:\Program Files\Nero\Nero8\InCD\NBHGui.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-05-07 1830128]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Planner Reminders Tray Icon.lnk]
C:\SIERRA\CARDST~1\PLNRnote.exe [2000-03-24 167936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-05-02 11952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2004-10-08 344064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Yahoo!\Messenger\YPager.exe"="C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\SmartFTP Client 2.0\SmartFTP.exe"="C:\Program Files\SmartFTP Client 2.0\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0"
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"="C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\Program Files\Grisoft\AVG Free\avginet.exe"="C:\Program Files\Grisoft\AVG Free\avginet.exe:*:Enabled:avginet.exe"
"C:\Program Files\Grisoft\AVG Free\avgamsvr.exe"="C:\Program Files\Grisoft\AVG Free\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\Program Files\Grisoft\AVG Free\avgcc.exe"="C:\Program Files\Grisoft\AVG Free\avgcc.exe:*:Enabled:avgcc.exe"
"C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE:*:Enabled:ActiveSync Connection Manager"
"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\uTorrent\utorrent.exe"="C:\Program Files\uTorrent\utorrent.exe:*:Disabled:µTorrent"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Disabled:LimeWire"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
shell\AutoRun\command - F:\MediaManager.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a84d0e96-3af2-11de-acb9-000e35db220a}]
shell\AutoRun\command - F:\MediaManager.exe


======File associations======

.js - edit - "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe" "%1"
.reg - open - regedit.exe "%1" %*
.scr - open - "%1" %*

======List of files/folders created in the last 1 months======

2009-05-10 00:54:38 ----D---- C:\rsit
2009-05-09 22:27:44 ----D---- C:\Documents and Settings\billy\Application Data\wsInspector
2009-05-09 22:07:27 ----D---- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2009-05-09 22:07:18 ----D---- C:\Program Files\Security Task Manager
2009-05-08 18:24:30 ----A---- C:\WINDOWS\ntbtlog.txt
2009-05-08 14:27:59 ----D---- C:\Avenger
2009-05-07 20:35:28 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-07 20:35:09 ----D---- C:\Program Files\SUPERAntiSpyware
2009-05-07 20:35:08 ----D---- C:\Documents and Settings\billy\Application Data\SUPERAntiSpyware.com
2009-05-07 20:34:32 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-05-07 16:27:54 ----D---- C:\Program Files\Trend Micro
2009-05-07 14:21:05 ----D---- C:\Program Files\AMT Media Manager
2009-05-07 09:56:47 ----A---- C:\WINDOWS\system32\mucltui.dll.mui
2009-05-07 09:56:47 ----A---- C:\WINDOWS\system32\mucltui.dll
2009-04-16 22:02:29 ----D---- C:\Program Files\Navman
2009-04-16 22:01:25 ----D---- C:\Documents and Settings\billy\Application Data\InstallShield
2009-04-16 07:42:38 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-04-16 07:42:22 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2009-04-16 07:37:31 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2009-04-16 07:37:05 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2009-04-16 07:36:53 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2009-04-16 07:36:32 ----HDC---- C:\WINDOWS\$NtUninstallKB963027$
2009-04-16 07:36:04 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2009-04-16 07:32:44 ----N---- C:\WINDOWS\system32\xpsp4res.dll

======List of files/folders modified in the last 1 months======

2009-05-10 12:44:15 ----D---- C:\WINDOWS\system32\CatRoot2
2009-05-10 12:35:34 ----D---- C:\WINDOWS\Temp
2009-05-10 02:51:14 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-05-10 00:31:48 ----D---- C:\Program Files\Bonjour
2009-05-10 00:26:20 ----D---- C:\WINDOWS\system32
2009-05-10 00:26:06 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-05-09 22:27:59 ----RD---- C:\Program Files
2009-05-09 10:30:23 ----SHD---- C:\System Volume Information
2009-05-09 10:30:23 ----D---- C:\WINDOWS\system32\Restore
2009-05-08 18:24:30 ----D---- C:\WINDOWS
2009-05-08 16:31:15 ----A---- C:\playout.txt
2009-05-08 14:52:11 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-05-08 14:46:00 ----SH---- C:\boot.ini
2009-05-08 14:46:00 ----A---- C:\WINDOWS\win.ini
2009-05-08 14:46:00 ----A---- C:\WINDOWS\system.ini
2009-05-08 14:27:59 ----D---- C:\WINDOWS\system32\drivers
2009-05-08 14:14:44 ----HD---- C:\$AVG8.VAULT$
2009-05-08 11:14:19 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-05-07 20:35:22 ----SHD---- C:\WINDOWS\Installer
2009-05-07 20:34:32 ----D---- C:\Program Files\Common Files
2009-05-07 20:03:07 ----D---- C:\WINDOWS\Help
2009-05-07 14:21:03 ----HD---- C:\Program Files\InstallShield Installation Information
2009-05-07 09:56:45 ----HD---- C:\WINDOWS\inf
2009-05-02 21:37:11 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-05-02 09:17:16 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2009-04-30 14:14:25 ----A---- C:\WINDOWS\NeroDigital.ini
2009-04-17 13:19:07 ----D---- C:\WINDOWS\Prefetch
2009-04-16 17:17:07 ----D---- C:\WINDOWS\system32\wbem
2009-04-16 17:17:06 ----D---- C:\WINDOWS\AppPatch
2009-04-16 07:42:34 ----A---- C:\WINDOWS\imsins.BAK
2009-04-16 07:37:19 ----HD---- C:\WINDOWS\$hf_mig$
2009-04-11 12:18:19 ----D---- C:\WINDOWS\Microsoft.NET
2009-04-11 12:18:15 ----RSD---- C:\WINDOWS\assembly

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2004-10-08 35840]
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-05-02 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-05-02 27784]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-05-02 108552]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R2 ElbyCDIO;ElbyCDIO Driver; C:\WINDOWS\System32\Drivers\ElbyCDIO.sys [2006-12-26 15440]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 CONAN;CONAN; C:\WINDOWS\system32\drivers\o2mmb.sys [2004-02-12 191092]
R3 ElbyCDFL;ElbyCDFL; C:\WINDOWS\System32\Drivers\ElbyCDFL.sys [2006-12-26 34760]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-03-19 23400]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2004-10-08 752093]
R3 MbxStby;MbxStby; C:\WINDOWS\system32\drivers\MbxStby.sys [2004-01-28 6100]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2002-02-11 14572]
R3 RTL8023xp;Realtek RTL8139/810x/8169/8110 all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys [2004-04-13 70144]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2004-05-07 182688]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 VIAudio;Vinyl AC'97 Audio Controller (WDM); C:\WINDOWS\system32\drivers\vinyl97.sys [2004-07-23 159488]
R3 w22n51;Intel® PRO/Wireless 2200 Adapter Driver; C:\WINDOWS\system32\DRIVERS\w22n51.sys [2004-03-08 1657344]
S3 agcl3pp4;agcl3pp4; C:\WINDOWS\system32\drivers\agcl3pp4.sys []
S3 AR5211;TP-LINK Wireless Network Adapter Service; C:\WINDOWS\system32\DRIVERS\ar5211.sys [2005-06-25 463168]
S3 grmnusb;grmnusb; C:\WINDOWS\system32\drivers\grmnusb.sys [2006-03-13 7296]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2003-03-09 51024]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2003-03-09 16080]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2003-03-09 21456]
S3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
S3 Mtlmnt5;Mtlmnt5; C:\WINDOWS\system32\DRIVERS\Mtlmnt5.sys [2004-04-19 230656]
S3 Mtlstrm;Mtlstrm; C:\WINDOWS\system32\DRIVERS\Mtlstrm.sys [2004-04-19 1301488]
S3 MusCAudio;MusCAudio; C:\WINDOWS\system32\drivers\MusCAudio.sys [2009-03-26 23096]
S3 MusCVideo;MusCVideo; C:\WINDOWS\system32\DRIVERS\MusCVideo.sys [2009-03-26 3768]
S3 nmwcd;Nokia USB Phone Parent; C:\WINDOWS\system32\drivers\nmwcd.sys [2007-02-22 137216]
S3 nmwcdc;Nokia USB Generic; C:\WINDOWS\system32\drivers\nmwcdc.sys [2007-02-22 8320]
S3 nmwcdcj;Nokia USB Port; C:\WINDOWS\system32\drivers\nmwcdcj.sys [2007-02-22 12288]
S3 nmwcdcm;Nokia USB Modem; C:\WINDOWS\system32\drivers\nmwcdcm.sys [2007-02-22 12288]
S3 NtMtlFax;NtMtlFax; C:\WINDOWS\system32\DRIVERS\NtMtlFax.sys [2004-04-19 180664]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter; C:\WINDOWS\system32\DRIVERS\RTL8187.sys [2006-08-16 180480]
S3 SABProcEnum;SABProcEnum; \??\C:\Program Files\Internet Explorer\SABProcEnum.sys []
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 Slntamr;SmartLink AMR_PCI Driver; C:\WINDOWS\system32\DRIVERS\slntamr.sys [2004-04-19 635152]
S3 SlNtHal;SlNtHal; C:\WINDOWS\system32\DRIVERS\Slnthal.sys [2004-04-19 95760]
S3 SlWdmSup;SlWdmSup; C:\WINDOWS\system32\DRIVERS\SlWdmSup.sys [2004-04-19 13312]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 usbser;Motorola A1000 USB Modem Driver; C:\WINDOWS\system32\DRIVERS\usbser.sys [2008-04-13 26112]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 wceusbsh;Windows CE USB Serial Host Driver; C:\WINDOWS\system32\DRIVERS\wceusbsh.sys [2003-12-22 104064]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2004-08-11 18944]
S3 ZD1211U(ZyDAS);WLAN 802.11g USB2.0 Adapter(ZyDAS); C:\WINDOWS\system32\DRIVERS\zd1211u.sys [2004-08-03 237568]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-03-26 132424]
R2 avg8emc;AVG Free8 E-mail Scanner; C:\PROGRA~1\AVG\AVG8\avgemc.exe [2009-05-02 908568]
R2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-05-02 298776]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-09 152984]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
S2 Apache;Apache; C:\Program Files\Saurus CMS\Apache\Apache.exe --ntservice []
S2 MySql;MySql; C:/Program Files/Saurus CMS/Apache/mysql/bin/mysqld-nt.exe []
S2 SLService;SmartLinkService; C:\WINDOWS\system32\slserv.exe [2004-04-19 45056]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-04-02 656168]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2003-03-09 65795]
S3 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2007-06-15 300544]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------
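Added example, not part of xdustyx's post and not code from RSIT, HijackThis or any helper in this thread: a small Python triage script for the kind of lines shown in the log above. It flags startup entries that run from a Temp directory, point at a .tmp file, or carry no recorded date/size (an empty `[]`, which can mean the file is gone or unreadable, so it is a prompt to check rather than a verdict); AutoRun commands stored under MountPoints2 (the `F:\MediaManager.exe` entries); a `NoDriveTypeAutoRun` value that still permits AutoRun on removable and CD-ROM drives (145 is 0x91, the XP default, which only masks unknown, network and unknown-type drives); and, for the hosts file posted further down, lines that sinkhole or redirect names other than localhost. The sample input is constructed from lines in this thread; the function names and the flagging rules are my own assumptions, not anything the tools or the helper prescribe.

```python
"""Triage of RSIT-style log lines: startup entries, AutoRun, hosts file (added example)."""
import re

# Constructed sample: lines copied from the RSIT log and hosts file in this thread.
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2009-04-02 342312]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.GSCNS]
C:\DOCUME~1\billy\LOCALS~1\Temp\xcsoseeamm.tmp []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
C:\Program Files\Nero\Nero8\InCD\NBHGui.exe []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
shell\AutoRun\command - F:\MediaManager.exe
"""
SAMPLE_HOSTS = """127.0.0.1 localhost
127.0.0.1 *symantec*
127.0.0.1 symantec.com
193.125.23.12 updates.sald.com
"""

# NoDriveTypeAutoRun bits: a set bit disables AutoRun for that drive type.
DRIVE_BITS = [(0x01, "unknown"), (0x04, "removable"), (0x08, "fixed"), (0x10, "network"),
              (0x20, "cdrom"), (0x40, "ramdisk"), (0x80, "unknown-type")]

STARTUP_RE = re.compile(r"^(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$")
POLICY_RE = re.compile(r'^"NoDriveTypeAutoRun"=(?P<value>\d+)$', re.I)
AUTORUN_RE = re.compile(r"^shell\\AutoRun\\command\s*-\s*(?P<cmd>.+)$", re.I)
HOSTS_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<name>\S+)")


def decode_nodrivetypeautorun(value):
    """Split a NoDriveTypeAutoRun bitmask into (disabled, still_enabled) drive-type names."""
    disabled = [name for bit, name in DRIVE_BITS if value & bit]
    enabled = [name for bit, name in DRIVE_BITS if not value & bit]
    return disabled, enabled


def parse_entries(text):
    """Return (key, line) pairs: each [KEY] header paired with the value lines that follow it."""
    entries, key = [], None
    for line in map(str.strip, text.splitlines()):
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key is not None:
            entries.append((key, line))
    return entries


def triage(text):
    """Return (key leaf, reason) findings for startup, MountPoints2 and AutoRun-policy lines."""
    findings = []
    for key, line in parse_entries(text):
        leaf, lkey = key.rsplit("\\", 1)[-1], key.lower()
        if "\\startupreg\\" in lkey:
            m = STARTUP_RE.match(line)
            if not m:
                continue
            path, meta = m.group("path"), m.group("meta")
            if "\\temp\\" in path.lower():
                findings.append((leaf, "startup entry runs from a Temp directory: " + path))
            if path.lower().endswith(".tmp"):
                findings.append((leaf, "startup entry points at a .tmp file: " + path))
            if not meta:  # RSIT prints [] when it could not stat the file: check, do not assume
                findings.append((leaf, "no date/size recorded, file missing or unreadable: " + path))
        elif "\\mountpoints2\\" in lkey:
            m = AUTORUN_RE.match(line)
            if m:
                findings.append((leaf, "AutoRun command registered for a volume: " + m.group("cmd")))
        elif lkey.endswith("\\policies\\explorer"):
            m = POLICY_RE.match(line)
            if m:
                _, enabled = decode_nodrivetypeautorun(int(m.group("value")))
                risky = [t for t in enabled if t in ("removable", "cdrom")]
                if risky:
                    findings.append((leaf, "AutoRun still enabled for: " + ", ".join(risky)))
    return findings


def triage_hosts(text):
    """Return (name, reason) for hosts lines that sinkhole or redirect anything but localhost."""
    findings = []
    for raw in text.splitlines():
        m = HOSTS_RE.match(raw.split("#", 1)[0].strip())
        if not m or m.group("name").lower() == "localhost":
            continue
        ip, name = m.group("ip"), m.group("name")
        if "*" in name:  # wildcards are not hosts syntax; the resolver ignores them, but they prove tampering
            findings.append((name, "wildcard entry (ignored by the resolver, but written by tampering)"))
        elif ip.startswith("127."):
            findings.append((name, "sinkholed to " + ip))
        else:
            findings.append((name, "redirected to " + ip))
    return findings


if __name__ == "__main__":
    print(*triage(SAMPLE_LOG) + triage_hosts(SAMPLE_HOSTS), sep="\n")
```

Run it as-is to see the findings for the constructed sample; to triage a real RSIT log, read the file into `triage()` and the hosts file into `triage_hosts()`. The checks are deliberately narrow: a `.tmp` file in a Temp directory registered to start at logon (NI.GSCNS above) is the kind of entry worth pulling for analysis, while an empty `[]` on a Nero component is usually just a file RSIT could not read.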

#5 xdustyx (Member, 12 posts)

Posted 10 May 2009 - 09:46 AM

info.txt logfile of random's system information tool 1.06 2009-05-10 13:39:18

======Uninstall list======

-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent-->"C:\Program Files\uTorrent\uninstall.exe"
A4Desk v6.15-->"C:\Program Files\A4Desk\unins000.exe"
AAS Template Generator-->MsiExec.exe /I{23E08DBD-FCFA-4B51-98AA-26A3ADCCA893}
AceFTP 3 Freeware-->"C:\Program Files\Visicom Media\AceFTP 3 freeware\uninst-ftp.exe"
Ad-Aware SE Personal-->C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player-->C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
AMT Media Manager-->"C:\Program Files\InstallShield Installation Information\{80AAD9DF-7E64-40D2-80D2-BECA41593EEB}\setup.exe" -runfromtemp -l0x0009 -removeonly
Apple Mobile Device Support-->MsiExec.exe /I{AFA20D47-69C3-4030-8DF8-D37466E70F13}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
AVG 8.5-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
CDRWIN-->C:\CDRWIN3\UNWISE.EXE C:\CDRWIN3\INSTALL.LOG
Cell Phone Wallpaper Maker 2.0-->"C:\Program Files\Keronsoft\Cell Phone Wallpaper Maker\unins000.exe"
CloneCD-->"C:\Program Files\SlySoft\CloneCD\ccd-uninst.exe" /D="C:\Program Files\SlySoft\CloneCD"
Consolo-->"C:\Program Files\Consolo\uninstall.exe"
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader-->C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter-->C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DJEM 1.1.947-->C:\Program Files\DJEM\uninst.exe
DVD Decrypter (Remove Only)-->"C:\Program Files\DVD Decrypter\uninstall.exe"
DVD Shrink 3.2-->"C:\Program Files\DVD Shrink\unins000.exe"
Ewisoft Template Builder 1.1-->"C:\Program Files\EwisoftTemplate\unins000.exe"
Ewisoft Website Builder (include eCommerce Builder) Version 4.3-->"C:\Program Files\EwisoftWeb\unins000.exe"
FlashWebKit v2.0 Trial-->"C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-FlashWebKit v2.0 Trial.dat
Garmin WebUpdater-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2FD94FBC-07AE-475C-B522-BFE899B9048E}\setup.exe" -l0x9
GTK+ 2.8.18-1 runtime environment-->"C:\Program Files\Common Files\GTK\2.0\unins000.exe"
Hallmark Card Studio-->C:\WINDOWS\IsUninst.exe -fC:\SIERRA\CardStudio\Uninst.isu
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
HP Memories Disc-->MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
HP Photo and Imaging 2.0 - All-in-One Drivers-->MsiExec.exe /X{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}
HP Photo and Imaging 2.0 - All-in-One-->MsiExec.exe /X{9867A917-5D17-40DE-83BA-BEA5293194B1}
HP Photo and Imaging 2.0 - hp psc 1200 series-->C:\Program Files\Hewlett-Packard\Digital Imaging\{7C8BB31C-E09E-4c7d-BBF1-45E33B467FE1}\Setup\hpzscr01.exe -datfile hposcr02.dat -forcereboot
hp psc 1200 series-->MsiExec.exe /X{C900EF06-2E76-49C7-8DB0-41F629B21DC5}
hp psc 1200 series-->rundll32 hpzcon07.dll,VendorJettison hp psc 1200 series
Intel® Extreme Graphics 2 Driver-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_3582
iTunes-->MsiExec.exe /I{5EFCBB42-36AB-4FF9-B90C-E78C7B9EE7B3}
Jasc Animation Shop 3 20041030_07 Help file Patch-->C:\Program Files\Jasc Software Inc\Animation Shop 3\Unwise.exe /R /U C:\PROGRA~1\JASCSO~1\ANIMAT~1\INSTALL.LOG
Jasc Animation Shop 3-->MsiExec.exe /I{7C4196CA-CA41-4F34-9C08-7724E7705D52}
Jasc Paint Shop Pro 9 GDI+ Patch-->C:\Program Files\Jasc Software Inc\Paint Shop Pro 9\Unwise.exe /R /U C:\PROGRA~1\JASCSO~1\PAINTS~1\INSTALL.LOG
Jasc Paint Shop Pro 9.01 - (9.0.1.1)-->C:\Program Files\Jasc Software Inc\Paint Shop Pro 9\Unwise.exe /R /U C:\PROGRA~1\JASCSO~1\PAINTS~1\INSTALL.LOG
Jasc Paint Shop Pro 9.01 Patch-->C:\Program Files\Jasc Software Inc\Paint Shop Pro 9\Unwise.exe /R /U C:\PROGRA~1\JASCSO~1\PAINTS~1\INSTALL.LOG
Jasc Paint Shop Pro 9-->MsiExec.exe /I{F843C6A3-224D-4615-94F8-3C461BD9AEA0}
Java™ 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216012FF}
Java™ 6 Update 2-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Macromedia Dreamweaver 8-->MsiExec.exe /I{0837A661-FEC3-48B3-876C-91E7D32048A9}
Macromedia Extension Manager-->MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Macromedia Fireworks 8-->MsiExec.exe /I{4C24A8C1-7CFA-4650-AF15-732F5BD7B46D}
Macromedia Flash 8 Video Encoder-->MsiExec.exe /X{8BF2C401-02CE-424D-BC26-6C4F9FB446B6}
Macromedia Flash Player 4 for the PocketPC-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0B71D81-1AEB-4C9F-849B-C4CD318F0A46}\Setup.exe"
Macromedia Flash Player 8 Plugin-->MsiExec.exe /X{91057632-CA70-413C-B628-2D3CDBBB906B}
MAGIX Ringtone Maker 2 silver (US)-->C:\MAGIX\Ringtone_Maker_2_silver\instslct.exe
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft ActiveSync 3.7-->"C:\WINDOWS\ISUNINST.EXE" -f"C:\Program Files\Microsoft ActiveSync\DeIsL1.isu" -c"C:\Program Files\Microsoft ActiveSync\ceuninst.dll"
Microsoft Arcade PocketPak-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C75445DB-3A6D-11D5-A081-005004F915E3}\Setup.exe" anything
Microsoft Cubicle Chaos for Pocket PC (Remove Only)-->C:\WINDOWS\uninst.exe -f"C:\Program Files\Microsoft ActiveSync\Pocket PC Cubicle Chaos\DeIsL1.isu"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual J# 2.0 Redistributable Package-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft Visual J# 2.0 Redistributable Package\install.exe
MP3+G Toolz-->MsiExec.exe /I{F50A4470-7A45-4A5A-97F8-806990B736C2}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
My Free Web Site Builder-->"C:\Program Files\My Free Web Site Builder\unins000.exe"
Navman NavDesk 2008-->C:\Program Files\InstallShield Installation Information\{9C8732C3-32DE-4569-9E90-30040D76DABC}\Setup.exe -runfromtemp -l0x0009 -removeonly
Nero 6-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NeroVision Express 3-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
NeroVision Express Content-->C:\WINDOWS\UNNVEContent.exe /UNINSTALL
Nokia Connectivity Cable Driver-->MsiExec.exe /X{11964613-805F-432D-A12B-169554B793E7}
Nokia PC Suite-->C:\Documents and Settings\All Users\Application Data\Installations\{A982E6CC-9F0D-4948-9B18-BDFD55DE4A72}\Nokia_PC_Suite_6_84_10_3_eng_web.exe
Nokia PC Suite-->MsiExec.exe /I{A982E6CC-9F0D-4948-9B18-BDFD55DE4A72}
O2Micro MemoryCardBus Windows Driver-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{015D937D-9D52-45A4-BDAA-2413938C0564} /l1033
PC Connectivity Solution-->MsiExec.exe /I{99A40651-0BC2-4095-8F9A-A40FAB224FEF}
Pocket Wallpaper-->C:\Program Files\PocketWallpaper\uninstal.exe
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime-->MsiExec.exe /I{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}
ROUTE 66 Safety Camera Update-->C:\Program Files\InstallShield Installation Information\{FB89456A-8EEE-4357-AAE1-1A5A46A974AD}\setup.exe -runfromtemp -l0x0009 -removeonly
scooterrace-->C:\WINDOWS\system32\scooterrace.scr /u /m scooterrace
Security Task Manager 1.7h-->C:\Program Files\Security Task Manager\Uninstal.exe "C:\Documents and Settings\All Users\Start Menu\Programs\Security Task Manager"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 9 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913433)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB913433.inf
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689)-->"C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB963027)-->"C:\WINDOWS\$NtUninstallKB963027$\spuninst\spuninst.exe"
Serif WebManager 1.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FE9A7847-4496-451B-B39F-CF2C11AFABE5}\setup.exe" -l0x9
Serif WebPlus 7.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8702416E-5CFD-4D48-9674-F0ED6AAC13BF}\setup.exe"
Smart Link 56K Modem-->C:\WINDOWS\Modio\SLAMR2KV\Setup.exe /Remove
SmartFTP Client 2.0-->MsiExec.exe /I{C169D3BB-9A27-43F5-9979-09A0D65FE95C}
Sqirlz Water Reflections-->C:\WINDOWS\Sqirlz Water Reflections Uninstaller.exe
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
The GIMP 2.2.12-->"C:\Program Files\GIMP-2.0\unins000.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
VIA Audio Driver Setup Program-->RunDll32.exe UnAudioNT.dll,UninstallAudio C:\WINDOWS\IsUninst.exe -y-f"C:\PROGRA~1\VIAudioi\SBASetup\Uninst.isu"
Web Easy Professional 6-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BB46AB60-F603-4FEA-8A0C-590EA4982C0B}\Setup.exe" -l0x9 -removeonly
Windows Driver Package - Nokia (WUDFRd) WPD (06/01/2007 6.84.33.0)-->C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccswpddri_044C8712DB44F83D9DE6C376991EE9254E0A69E4\pccswpddriver.inf
Windows Driver Package - Nokia Modem (02/15/2007 3.1)-->C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccs_bluet_8B37DC72918CCD58A6EC20373AF6242B037A293B\pccs_bluetooth.inf
Windows Driver Package - Nokia Modem (02/15/2007 3.1)-->C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\pccs_bluet_F12A08B6F776984A95553486F64C541356F86E38\pccs_bluetooth.inf
Windows Driver Package - Nokia Modem (05/24/2007 6.84.0.1)-->C:\PROGRA~1\DIFX\270581355A767BF1\dpinst.exe /u C:\WINDOWS\system32\DRVSTORE\nokbtmdm_5E1541AFF1E1EA3554CE566743CCAD323ED1C108\nokbtmdm.inf
Windows Live Messenger-->MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Sign-in Assistant-->MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG

=====HijackThis Backups=====

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) [2009-05-10]
O1 - Hosts: 193.125.23.12 updates.sald.com [2009-05-10]

======Hosts File======

127.0.0.1 *symantec*
127.0.0.1 symantec.com
127.0.0.1 *avast*
127.0.0.1 *avira*
127.0.0.1 *nod32*
127.0.0.1 nod32.com
127.0.0.1 nod32.ru
127.0.0.1 nod32.co.uk
127.0.0.1 http://nod32.com
127.0.0.1 *eset*

======Security center information======

AV: AVG Anti-Virus Free

======System event log======

Computer Name: BILLY007
Event Code: 7000
Message: The Apache service failed to start due to the following error:
The system cannot find the path specified.


Record Number: 58495
Source Name: Service Control Manager
Time Written: 20090331171505.000000+060
Event Type: error
User:

Computer Name: BILLY007
Event Code: 20
Message: Printer Driver Microsoft XPS Document Writer for Windows NT x86 Version-3 was added or updated. Files:- mxdwdrv.dll, unidrvui.dll, mxdwdui.gpd, unidrv.hlp, mxdwdui.dll, mxdwdui.ini, stddtype.gdl, stdnames.gpd, stdschem.gdl, stdschmx.gdl, unidrv.dll, unires.dll, XpsSvcs.dll.

Record Number: 58445
Source Name: Print
Time Written: 20090331165645.000000+060
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: BILLY007
Event Code: 20
Message: Printer Driver Microsoft XPS Document Writer for Windows NT x86 Version-3 was added or updated. Files:- mxdwdrv.dll, unidrvui.dll, mxdwdui.gpd, unidrv.hlp, mxdwdui.dll, mxdwdui.ini, stddtype.gdl, stdnames.gpd, stdschem.gdl, stdschmx.gdl, unidrv.dll, unires.dll, XpsSvcs.dll.

Record Number: 58444
Source Name: Print
Time Written: 20090331165635.000000+060
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: BILLY007
Event Code: 7000
Message: The MySql service failed to start due to the following error:
The system cannot find the file specified.


Record Number: 58410
Source Name: Service Control Manager
Time Written: 20090331161524.000000+060
Event Type: error
User:

Computer Name: BILLY007
Event Code: 7000
Message: The Apache service failed to start due to the following error:
The system cannot find the path specified.


Record Number: 58409
Source Name: Service Control Manager
Time Written: 20090331161524.000000+060
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=C:\Program Files\PC Connectivity Solution\;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\GTK\2.0\bin;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 13 Stepping 6, GenuineIntel
"PROCESSOR_REVISION"=0d06
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------

#6 Katana

Katana

    MRU Teacher

  • Trusted Malware Techs
  • 1,523 posts
  • Location:Manchester (UK)


Posted 10 May 2009 - 01:13 PM

Information

I also installed SUPER antispyware, and it found quite a few things as well!

Please do not run any other tools or scans whilst I am helping you



IMPORTANT
I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

uTorrent
LimeWire


I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Also available here.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall any P2P programs
Please note: you must NOT use any P2P whilst we are cleaning your machine.

----------------------------------------------------------- -----------------------------------------------------------

Step 1


Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial
  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply
  • Re-enable all the programs that were disabled during the running of ComboFix.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


----------------------------------------------------------- -----------------------------------------------------------
Step 2

Restore Host File

Download HostsXpert v4.1 and unzip it to your desktop.
  • Double click on HostsXpert.exe to launch the program.
  • Click on Restore MS Hosts File to restore your Hosts file to its default condition.
  • Click on Make ReadOnly to secure it against further infection. (unless you plan to use another host file)
  • Exit the program.
Visit the Website for more information.

----------------------------------------------------------- -----------------------------------------------------------
Step 3
Kaspersky Online Scanner.
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)

NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky...kavwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


----------------------------------------------------------- -----------------------------------------------------------
Step 4

Logs/Information to Post in Reply
Please post the following logs/Information in your reply
  • Combofix Log
  • Kaspersky Log
  • How are things running now?
----------------------------------------------------------- -----------------------------------------------------------

Additional Notes


Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Adobe Reader is a large program and uses unnecessary space.
If you prefer a smaller program you can get Foxit 3.0 from http://www.foxitsoft...df/rd_intro.php << Recommended

There is a newer version of Adobe Acrobat Reader available.
  • Please go to this link Adobe Acrobat Reader Download Link
  • Click Download
  • On the right untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts
Remove Programs

Older versions of some programs have vulnerabilities that malware can use to infect your system.

Now click Start---Control Panel. Double click Add or Remove Programs (XP) / Programs and Features (Vista). If any of the following programs are listed there,
click on the program to highlight it, and click on remove.
  • Adobe Reader 8.1.2
  • Java™ 6 Update 2
Now close the Control Panel.

Edited by Katana, 10 May 2009 - 01:13 PM.
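Step 2 restores the hosts file because the one posted above maps security-vendor sites to 127.0.0.1 (which silently blocks their updates) and one backed-up O1 entry sends updates.sald.com to an outside address. As an added example that is not part of this thread or of HostsXpert, the Python script below audits a hosts file for exactly those patterns; the vendor name list and the sample file are constructed for the example and modelled on the entries in the log.

```python
import ipaddress
import re
from dataclasses import dataclass

# Hostname labels per RFC 1123. Wildcards such as "*symantec*" and URL
# schemes such as "http://nod32.com" are not valid hosts-file syntax and
# are a tell-tale of a malware-written file.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Name fragments of security vendors commonly blackholed by malware.
# Constructed list for this example, seeded from the vendors in the posted log.
SECURITY_VENDOR_FRAGMENTS = ("symantec", "avast", "avira", "nod32", "eset",
                             "kaspersky", "avg", "malwarebytes")

# Constructed sample modelled on the hosts entries in the posted log.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
127.0.0.1 *symantec*
127.0.0.1 symantec.com
127.0.0.1 http://nod32.com
127.0.0.1 *eset*
193.125.23.12 updates.sald.com
192.168.1.20 fileserver
"""


@dataclass
class Finding:
    line_no: int
    raw: str
    reason: str


def _is_valid_hostname(name: str) -> bool:
    if len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))


def audit_hosts(text: str) -> list[Finding]:
    """Return suspicious entries from the contents of a hosts file.

    Flags three things: malformed targets (wildcards, URLs), security-vendor
    names mapped to a loopback or blackhole address, and hostnames mapped to
    an external address (a redirect to an IP the machine's owner did not pick).
    Private LAN mappings such as 192.168.x.x are left alone.
    """
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.split("#", 1)[0].strip()   # drop comments
        if not stripped:
            continue
        parts = stripped.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            findings.append(Finding(line_no, line, "first field is not an IP address"))
            continue
        blackholed = addr.is_loopback or addr.is_unspecified
        for name in parts[1:]:
            lowered = name.lower()
            if not _is_valid_hostname(lowered):
                findings.append(Finding(line_no, line, f"malformed hostname '{name}'"))
                continue
            if lowered in ("localhost", "localhost.localdomain"):
                continue
            if blackholed and any(f in lowered for f in SECURITY_VENDOR_FRAGMENTS):
                findings.append(Finding(line_no, line,
                                        f"security vendor '{name}' blackholed to {addr}"))
            elif not blackholed and not addr.is_private:
                findings.append(Finding(line_no, line,
                                        f"'{name}' redirected to external address {addr}"))
    return findings


if __name__ == "__main__":
    # On a live XP box the file would be read from %SystemRoot%\system32\drivers\etc\hosts.
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.reason}  <- {f.raw}")
```

Five of the sample lines are flagged; the localhost and private-LAN entries pass, which is the split a helper wants before deciding whether a restore is needed.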


#7 xdustyx

xdustyx

    Member

  • Members
  • 12 posts

Posted 11 May 2009 - 09:31 AM

Hello Katana,

I removed uTorrent, I didn't use it anyway... and LimeWire was removed a long time ago, but it was still ticked in the exceptions on my firewall settings so I deleted it along with the uTorrent one.
I did the ComboFix (please see attached log) and I also did the hosts file AND made it read only; there were absolutely loads of entries in it... I saved a copy before I restored the MS hosts file.
I did a Kaspersky online scan (please see attached log). I had actually done it the wrong way around (before using ComboFix) so I've added that one as well.
I've also removed:
Adobe Reader 8.1.2 AND Java™ 6 Update 2

Thank you once again for helping me.


ComboFix 09-05-09.05 - billy 11/05/2009 8:11.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.495.201 [GMT 1:00]
Running from: c:\documents and settings\billy\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\temp\FT62
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\system32\dPI19

.
((((((((((((((((((((((((( Files Created from 2009-04-11 to 2009-05-11 )))))))))))))))))))))))))))))))
.

2009-05-09 23:54 . 2009-05-10 12:39 -------- d-----w C:\rsit
2009-05-09 21:27 . 2009-05-09 21:27 -------- d-----w c:\documents and settings\billy\Application Data\wsInspector
2009-05-09 21:07 . 2009-05-09 21:24 -------- d-----w c:\documents and settings\All Users\Application Data\SecTaskMan
2009-05-09 21:07 . 2009-05-09 21:09 -------- d-----w c:\program files\Security Task Manager
2009-05-07 19:35 . 2009-05-07 19:35 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-07 19:35 . 2009-05-07 21:23 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-07 19:35 . 2009-05-07 19:35 -------- d-----w c:\documents and settings\billy\Application Data\SUPERAntiSpyware.com
2009-05-07 19:34 . 2009-05-07 19:34 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-07 15:27 . 2009-05-07 15:27 -------- d-----w c:\program files\Trend Micro
2009-05-07 13:21 . 2009-05-07 14:53 -------- d-----w c:\program files\AMT Media Manager
2009-05-07 08:56 . 2008-10-16 13:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-05-02 10:28 . 2008-04-13 18:46 38912 -c--a-w c:\windows\system32\dllcache\avc.sys
2009-05-02 10:21 . 2001-08-17 13:07 101888 -c--a-w c:\windows\system32\dllcache\adpu160m.sys
2009-05-02 10:20 . 2001-08-17 13:56 66048 -c--a-w c:\windows\system32\dllcache\s3legacy.dll
2009-04-16 22:12 . 2009-04-16 22:12 -------- d-----w c:\documents and settings\billy\Local Settings\Application Data\Navman_Technology_New_Zea
2009-04-16 21:02 . 2009-04-16 21:02 -------- d-----w c:\program files\Navman
2009-04-16 21:01 . 2009-04-16 21:01 -------- d-----w c:\documents and settings\billy\Application Data\InstallShield
2009-04-16 06:32 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 06:32 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-16 06:31 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 06:31 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 06:31 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 06:31 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 06:31 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 06:31 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-10 21:59 . 2006-09-03 01:49 -------- d-----w c:\program files\Java
2009-05-10 21:56 . 2006-09-06 14:53 -------- d-----w c:\program files\Common Files\Adobe
2009-05-09 23:31 . 2009-04-06 21:03 -------- d-----w c:\program files\Bonjour
2009-05-08 10:14 . 2008-08-13 05:40 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-07 13:21 . 2006-09-03 02:06 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-02 08:17 . 2008-07-23 07:22 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-02 08:17 . 2008-07-23 07:22 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-02 08:16 . 2008-07-23 07:22 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-06 21:04 . 2009-04-06 21:03 -------- d-----w c:\program files\iTunes
2009-04-06 21:03 . 2009-04-06 21:03 -------- d-----w c:\program files\iPod
2009-04-06 21:02 . 2009-04-06 21:01 -------- d-----w c:\program files\QuickTime
2009-04-06 21:01 . 2009-04-06 21:01 -------- d-----w c:\program files\Apple Software Update
2009-04-06 21:00 . 2009-04-06 21:00 -------- d-----w c:\program files\Common Files\Apple
2009-04-06 20:21 . 2007-01-04 21:00 -------- d-----w c:\program files\MP3+G Toolz .NET 4
2009-04-06 20:20 . 2006-09-03 01:57 263808 ----a-w c:\documents and settings\billy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-06 20:18 . 2009-04-06 20:14 -------- d-----w c:\program files\HooTech
2009-04-06 14:32 . 2008-08-13 05:40 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 14:32 . 2008-08-13 05:40 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-31 18:42 . 2006-09-03 03:42 -------- d-----w c:\program files\MSN Messenger
2009-03-31 15:57 . 2009-03-31 15:57 -------- d-----w c:\program files\MSBuild
2009-03-31 15:57 . 2009-03-31 15:57 -------- d-----w c:\program files\Reference Assemblies
2009-03-31 14:55 . 2009-03-31 14:55 -------- d-----w c:\program files\MSXML 4.0
2009-03-31 13:14 . 2006-09-03 01:45 76487 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-26 09:49 . 2009-04-06 20:32 3768 ----a-w c:\windows\system32\drivers\MusCVideo.sys
2009-03-26 09:49 . 2009-04-06 20:32 23096 ----a-w c:\windows\system32\drivers\MusCAudio.sys
2009-03-19 15:32 . 2009-04-06 21:04 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-09 05:19 . 2009-02-25 07:59 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2004-09-29 18:47 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-04 12:00 81920 ----a-w c:\windows\system32\ieencode.dll
2006-10-30 20:58 . 2006-10-30 20:58 59860 ----a-w c:\program files\StreetPiloti3_320.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-08 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-08 126976]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-07 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-07 536576]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-02 1947928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 10:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-02 08:17 11952 ----a-w c:\windows\system32\avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Planner Reminders Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Planner Reminders Tray Icon.lnk
backup=c:\windows\pss\Event Planner Reminders Tray Icon.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [23/07/2008 08:22 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [23/07/2008 08:22 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [17/02/2009 11:43 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2009 11:43 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [23/07/2008 08:22 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [23/07/2008 08:22 298776]
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [03/09/2006 03:10 191092]
R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [03/09/2006 03:10 6100]
S3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [06/04/2009 21:32 23096]
S3 MusCVideo;MusCVideo;c:\windows\system32\drivers\MusCVideo.sys [06/04/2009 21:32 3768]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [01/03/2007 19:39 180480]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2009 11:43 7408]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\MediaManager.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a84d0e96-3af2-11de-acb9-000e35db220a}]
\Shell\AutoRun\command - F:\MediaManager.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2007-12-27 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8190283110.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-05 23:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-11 08:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySql]
"ImagePath"="C:/Program Files/Saurus CMS/Apache/mysql/bin/mysqld-nt.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySql]
"ImagePath"="C:/Program Files/Saurus CMS/Apache/mysql/bin/mysqld-nt.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-05-11 8:17
ComboFix-quarantined-files.txt 2009-05-11 07:17

Pre-Run: 11,169,320,960 bytes free
Post-Run: 17,815,207,936 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

180 --- E O F --- 2009-04-16 06:42

#8 xdustyx

xdustyx

    Member

  • Members
  • 12 posts

Posted 11 May 2009 - 09:39 AM

KASPERSKY LOG BEFORE combofix



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, May 11, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, May 10, 2009 23:57:18
Records in database: 2156690
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 199108
Threat name: 11
Infected objects: 51
Suspicious objects: 0
Duration of the scan: 05:32:14


File name / Threat name / Threats count
C:\Documents and Settings\billy\Application Data\Sun\Java\Deployment\cache\6.0\22\74018dd6-2c062a7a Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\Documents and Settings\billy\Desktop\All From Desktop\old stuff\AutomatedeBookStore\files to upload\download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\Desktop\recent downloads\alberts new website\MegaeBookStore200MRR.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\Local Settings\Temp\backup_full.tar.gz Infected: Email-Worm.Win32.Avron.b 1
C:\Documents and Settings\billy\Local Settings\Temp\rrmrcraoxc.tmp Infected: Trojan.Win32.VB.hew 1
C:\Documents and Settings\billy\Local Settings\Temp\xoccaemaar.tmp Infected: Trojan.Win32.VB.hew 1
C:\Documents and Settings\billy\My Documents\albert ebooks\ebooks1.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\albert ebooks\MembershipSiteManager-Rights.zip Infected: Trojan-Clicker.HTML.IFrame.aer 2
C:\Documents and Settings\billy\My Documents\alberts new website\files to upload\download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\alberts new website\MegaeBookStore200MRR.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\backup_full.tar Infected: Email-Worm.Win32.Avron.b 1
C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\digitalsite\download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\dragonfun\newadmin\emailall.php Infected: Email-Worm.Win32.Avron.b 1
C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\backup_full.tar Infected: Email-Worm.Win32.Avron.b 1
C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\digitalsite\download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\dragonfun\newadmin\emailall.php Infected: Email-Worm.Win32.Avron.b 1
C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 28th Aug 07.gz Infected: Email-Worm.Win32.Avron.b 1
C:\Documents and Settings\billy\My Documents\My Pictures\hotchix2006.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\Documents and Settings\billy\My Documents\My Pictures\hotchix2006.exe Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1
C:\Documents and Settings\billy\My Documents\untouched albert website\MegaeBookStore200MRR.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\billyzx ebooksore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\billyzx ebooksore\AutomatedeBookStore.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\billyzx ebookstore\billyzx ebooksore\AutomatedeBookStore.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\Copy of billyzx ebooksore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\Copy of billyzx ebooksore\AutomatedeBookStore.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\AD Balster.zip Infected: not-a-virus:AdWare.Win32.Megap.a 1
C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\Carradiodecoders\Car Codes\DAEWOO Serials Calculator 1.00.exe Infected: Trojan.Win32.Agent.blfs 1
C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\Carradiodecoders\Car Codes\Decoder Software (most of decoders in here)\Install me for decoders.exe Infected: Trojan.Win32.Agent.blfs 1
C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\Carradiodecoders\Car Codes\Decoder Software (most of decoders in here)\Install me for decoders.exe Infected: Backdoor.Win32.Delf.nuu 1
C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\Carradiodecoders\Car Codes\Decoder Software (most of decoders in here)\Install me for decoders.exe Infected: Backdoor.Win32.Delf.nut 1
C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\davidblaine784.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\membership_site_manager.zip Infected: Trojan-Clicker.HTML.IFrame.aer 2
C:\Documents and Settings\billy\My Documents\website and internet\leonardoe ebook &websites\L ebooks\blaine_mega_magic.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\ebookempyre website backup\backup\public_html\download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\ebookempyre website backup\backup.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\empyre back up disc\3_video_pack.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\empyre manual\bonus_download\davidblaine\davidblaine\David Blaines Mega Magic Guide Book.exe Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\empyre manual\bonus_download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks\Magic\davidblaine784.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks.part2.rar Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks.part3.rar Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks.part4\Ebooks\Magic\davidblaine784.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks.part4.rar Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads2\ebooks1.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\my ebook business\hypnosis_advanced\derren_brown_type_megamagic.exe Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\my ebook business\hypnosis_advanced.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\web stuff\hypnosis_advanced.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\X My Bits & Bobs X\vip-isc.zip Infected: Email-Worm.Win32.Avron.b 1

The selected area was scanned.




KASPERSKY LOG AFTER combofix


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, May 11, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, May 11, 2009 09:25:16
Records in database: 2159458
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 187682
Threat name: 10
Infected objects: 48
Suspicious objects: 0
Duration of the scan: 05:44:50


File name / Threat name / Threats count
C:\Documents and Settings\billy\Application Data\Sun\Java\Deployment\cache\6.0\22\74018dd6-2c062a7a Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\Documents and Settings\billy\Desktop\All From Desktop\old stuff\AutomatedeBookStore\files to upload\download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\Desktop\recent downloads\alberts new website\MegaeBookStore200MRR.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\albert ebooks\ebooks1.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\albert ebooks\MembershipSiteManager-Rights.zip Infected: Trojan-Clicker.HTML.IFrame.aer 2
C:\Documents and Settings\billy\My Documents\alberts new website\files to upload\download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\alberts new website\MegaeBookStore200MRR.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\backup_full.tar Infected: Email-Worm.Win32.Avron.b 1
C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\digitalsite\download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\dragonfun\newadmin\emailall.php Infected: Email-Worm.Win32.Avron.b 1
C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\backup_full.tar Infected: Email-Worm.Win32.Avron.b 1
C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\digitalsite\download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\dragonfun\newadmin\emailall.php Infected: Email-Worm.Win32.Avron.b 1
C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07.gz Infected: Email-Worm.Win32.Avron.b 1
C:\Documents and Settings\billy\My Documents\My Pictures\hotchix2006.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\Documents and Settings\billy\My Documents\My Pictures\hotchix2006.exe Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1
C:\Documents and Settings\billy\My Documents\untouched albert website\MegaeBookStore200MRR.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\billyzx ebooksore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\billyzx ebooksore\AutomatedeBookStore.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\billyzx ebookstore\billyzx ebooksore\AutomatedeBookStore.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\Copy of billyzx ebooksore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\Copy of billyzx ebooksore\AutomatedeBookStore.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\AD Balster.zip Infected: not-a-virus:AdWare.Win32.Megap.a 1
C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\Carradiodecoders\Car Codes\DAEWOO Serials Calculator 1.00.exe Infected: Trojan.Win32.Agent.blfs 1
C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\Carradiodecoders\Car Codes\Decoder Software (most of decoders in here)\Install me for decoders.exe Infected: Trojan.Win32.Agent.blfs 1
C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\Carradiodecoders\Car Codes\Decoder Software (most of decoders in here)\Install me for decoders.exe Infected: Backdoor.Win32.Delf.nuu 1
C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\Carradiodecoders\Car Codes\Decoder Software (most of decoders in here)\Install me for decoders.exe Infected: Backdoor.Win32.Delf.nut 1
C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\davidblaine784.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\membership_site_manager.zip Infected: Trojan-Clicker.HTML.IFrame.aer 2
C:\Documents and Settings\billy\My Documents\website and internet\leonardoe ebook &websites\L ebooks\blaine_mega_magic.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\ebookempyre website backup\backup\public_html\download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\ebookempyre website backup\backup.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\empyre back up disc\3_video_pack.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\empyre manual\bonus_download\davidblaine\davidblaine\David Blaines Mega Magic Guide Book.exe Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\empyre manual\bonus_download\davidblaine.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks\Magic\davidblaine784.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks.part2.rar Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks.part3.rar Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks.part4\Ebooks\Magic\davidblaine784.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks.part4.rar Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads2\ebooks1.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\my ebook business\hypnosis_advanced\derren_brown_type_megamagic.exe Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\my ebook business\hypnosis_advanced.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\website and internet\web stuff\hypnosis_advanced.zip Infected: Trojan-PSW.Win32.Agent.klk 1
C:\Documents and Settings\billy\My Documents\X My Bits & Bobs X\vip-isc.zip Infected: Email-Worm.Win32.Avron.b 1

The selected area was scanned.




HIJACKTHIS log



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:35:49, on 11/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1238500135000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1241634729171
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelg...in/cortvrml.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O16 - DPF: {B9F79165-A264-4C4A-A211-133A5E8D647F} (F-Secure Health Check 1.1) - http://support.f-sec.../fshc/fscax.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...428/mcfscan.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apache - Unknown owner - C:\Program Files\Saurus CMS\Apache\Apache.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MySql - Unknown owner - C:/Program Files/Saurus CMS/Apache/mysql/bin/mysqld-nt.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 6001 bytes

#9 Katana

Katana

    MRU Teacher

  • Trusted Malware Techs
  • 1,523 posts
  • Location:Manchester (UK)


Posted 11 May 2009 - 03:18 PM

There appear to be a lot of David Blaine-related zip folders that seem to be infected. Do you know anything about them?
I'm going to upload a couple and see if they are actually infected.

There also look to be some infected backups:

C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\backup_full.tar
C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\dragonfun\newadmin\emailall.php
C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\backup_full.tar
C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\dragonfun\newadmin\emailall.php
C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07.gz

I don't know if there is anything in those that you need, so if not let me know and then I can remove them.

(Do you run a website?)


Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    http://forums.pcpitstop.com/index.php?showtopic=168357
    Comment:: Katana
    
    Suspect::[4]
    C:\Documents and Settings\billy\Desktop\All From Desktop\old stuff\AutomatedeBookStore\files to upload\download\davidblaine.zip
    C:\Documents and Settings\billy\Desktop\recent downloads\alberts new website\MegaeBookStore200MRR.zip
    C:\Documents and Settings\billy\My Documents\albert ebooks\ebooks1.zip
    C:\Documents and Settings\billy\My Documents\website and internet\web stuff\hypnosis_advanced.zip
    File::
    C:\Documents and Settings\billy\Application Data\Sun\Java\Deployment\cache\6.0
    C:\Documents and Settings\billy\My Documents\albert ebooks\MembershipSiteManager-Rights.zip
    C:\Documents and Settings\billy\My Documents\My Pictures\hotchix2006.exe
    C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\AD Balster.zip
    C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\Carradiodecoders\Car Codes\DAEWOO Serials Calculator 1.00.exe
    C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\Carradiodecoders\Car Codes\Decoder Software (most of decoders in here)\Install me for decoders.exe
    C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\membership_site_manager.zip
    C:\Documents and Settings\billy\My Documents\X My Bits & Bobs X\vip-isc.zip
    ADS::
  • Save this as CFScript.txt and place it on your desktop.


    Posted Image


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • **Note**
    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.
  • Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
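
As an added illustration, not part of the thread and not Katana's or ComboFix's own code: a small Python script that does by code the triage Katana did by hand above. It parses the "File name / Threat name / Threats count" lines of a Kaspersky Online Scanner report, counts detections per signature, separates archives (where the hit is on something packed inside) from native executables, flags hits that sit under a backup folder so the owner can decide first, and lays out Suspect::/File:: sections in the CFScript form used in this post. The sample report is a handful of lines copied from the log above; the number in brackets after Suspect:: is written as the count of paths listed beneath it, which matches the script in this post, but that it is a count is this example's assumption.

```python
"""Triage a Kaspersky Online Scanner report of the kind posted in this thread."""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "path threat count")

# One report line: "<path> Infected: <threat name> <count>"; the path may contain
# spaces, the threat name (as Kaspersky prints it) does not.
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Container types the scanner looks inside; a hit here is on something packed in
# the archive, not on the archive file itself.
ARCHIVE_EXT = (".zip", ".rar", ".tar", ".gz", ".cab", ".7z")
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".com")

# Constructed sample: a few lines copied from the report above, surrounded by the
# header and footer lines the parser must ignore.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\billy\Application Data\Sun\Java\Deployment\cache\6.0\22\74018dd6-2c062a7a Infected: Trojan-Downloader.Java.OpenStream.ac 1
C:\Documents and Settings\billy\My Documents\albert ebooks\MembershipSiteManager-Rights.zip Infected: Trojan-Clicker.HTML.IFrame.aer 2
C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\backup_full.tar Infected: Email-Worm.Win32.Avron.b 1
C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\dragonfun\newadmin\emailall.php Infected: Email-Worm.Win32.Avron.b 1
C:\Documents and Settings\billy\My Documents\My Pictures\hotchix2006.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\Documents and Settings\billy\My Documents\My Pictures\hotchix2006.exe Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1
C:\Documents and Settings\billy\My Documents\website and internet\web stuff\hypnosis_advanced.zip Infected: Trojan-PSW.Win32.Agent.klk 1

The selected area was scanned.
"""


def parse_report(text):
    """Return one Finding per detection line; header, footer and blank lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(Finding(m["path"], m["threat"], int(m["count"])))
    return findings


def detections_by_threat(findings):
    """Detections per signature name (a path hit by two signatures counts twice)."""
    return Counter(f.threat for f in findings)


def unique_paths(findings):
    """Distinct on-disk objects in report order: a file flagged by two signatures
    (hotchix2006.exe in the sample) must be listed for deletion once, not twice."""
    seen = []
    for f in findings:
        if f.path not in seen:
            seen.append(f.path)
    return seen


def classify(findings):
    """Bucket the distinct paths: archives the scanner looked inside, native
    executables, and everything else (scripts, Java cache entries and the like)."""
    buckets = {"archive": [], "executable": [], "other": []}
    for p in unique_paths(findings):
        low = p.lower()
        if low.endswith(ARCHIVE_EXT):
            buckets["archive"].append(p)
        elif low.endswith(EXECUTABLE_EXT):
            buckets["executable"].append(p)
        else:
            buckets["other"].append(p)
    return buckets


def in_backups(findings, marker="backup"):
    """Paths whose directory chain contains a backup folder: deleting these can lose
    data the owner still wants, so they are listed for a decision first."""
    return [p for p in unique_paths(findings) if marker in p.lower()]


def build_cfscript(findings, suspect, topic_url, handler):
    """Lay out a CFScript in the form used in this thread: Comment::, Suspect::
    (copies to upload for analysis), File:: (delete), ADS::. The bracketed number
    after Suspect:: is emitted as the count of listed paths (assumption, see lead-in)."""
    suspect = list(suspect)
    to_delete = [p for p in unique_paths(findings) if p not in suspect]
    lines = [topic_url, f"Comment:: {handler}", "", f"Suspect::[{len(suspect)}]"]
    lines += suspect
    lines.append("File::")
    lines += to_delete
    lines.append("ADS::")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for threat, n in detections_by_threat(found).most_common():
        print(f"{n:3d}  {threat}")
    print("hits under backup folders:", *in_backups(found), sep="\n  ")
    upload = [p for p in unique_paths(found) if p.endswith("hypnosis_advanced.zip")]
    print(build_cfscript(found, upload,
                         "http://forums.pcpitstop.com/index.php?showtopic=168357", "Katana"))
```

Run it as-is to see the per-signature counts and a generated script for the sample; pointing `parse_report` at a full saved report gives the same triage for all 48 objects. The generated text is only a starting point for a helper to review, not something to feed to ComboFix blindly, for the same reason Katana gives at the end of the post.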

#10 xdustyx

xdustyx

    Member

  • Members
  • 12 posts

Posted 11 May 2009 - 05:21 PM

Hello Katana,

The David Blaine zip folders are what my husband bought along with a lot more different ones, because he opened an ebookstore online, and was gradually going to use them on there and another "magic" site he was planning to open.
We always scan them after we download them BUT none have ever shown up to have a virus inside. Once when we scanned a file after we'd paid for it and downloaded it, it DID show up to have a virus... it was the: vip-isc.zip and after scanning it found the: Email-Worm.Win32.Avron.b

Posted Image

We contacted the person who sold it to us and he was horrified; he said he had scanned it before he sent it and again after we told him, and it still showed nothing after the virus scan. He refunded us, but we never used or even opened the file, we let AVG have it. I screenshot what came up in AVG and sent it to him to show him.
He sent us another download link to try again, we scanned it and it came up as the same so we never touched it. (forgot to delete it)
Yes, I have my own website (a forum) which I started again from scratch with a new domain name etc. We couldn't back the old forum up anymore or make changes anymore, and strange things were happening to it. We couldn't access it through FTP either because it said there was a problem with the passwords. (thecryptt) was the old forum we had & it's still there (www.thecryptt.co.uk) but we don't use it anymore and I just put a redirection link on there for the new forum.

I don't need ANY of the files that are on the Kaspersky list, and really would appreciate it if you help me get rid of them all please, they're really a worry now.
Once again THANK YOU very very much, and here's the log.

Jayne


ComboFix 09-05-11.01 - billy 11/05/2009 21:47.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.495.132 [GMT 1:00]
Running from: c:\documents and settings\billy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\billy\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

FILE ::
c:\documents and settings\billy\Application Data\Sun\Java\Deployment\cache\6.0
c:\documents and settings\billy\My Documents\albert ebooks\MembershipSiteManager-Rights.zip
c:\documents and settings\billy\My Documents\My Pictures\hotchix2006.exe
c:\documents and settings\billy\My Documents\website and internet\ebooks on ebay (all)\AD Balster.zip
c:\documents and settings\billy\My Documents\website and internet\ebooks on ebay (all)\Carradiodecoders\Car Codes\DAEWOO Serials Calculator 1.00.exe
c:\documents and settings\billy\My Documents\website and internet\ebooks on ebay (all)\Carradiodecoders\Car Codes\Decoder Software (most of decoders in here)\Install me for decoders.exe
c:\documents and settings\billy\My Documents\website and internet\ebooks on ebay (all)\membership_site_manager.zip
c:\documents and settings\billy\My Documents\X My Bits & Bobs X\vip-isc.zip

file zipped: c:\documents and settings\billy\Desktop\All From Desktop\old stuff\AutomatedeBookStore\files to upload\download\Suspect_davidblaine.zip.vir
file zipped: c:\documents and settings\billy\Desktop\recent downloads\alberts new website\Suspect_MegaeBookStore200MRR.zip.vir
file zipped: c:\documents and settings\billy\My Documents\albert ebooks\Suspect_ebooks1.zip.vir
file zipped: c:\documents and settings\billy\My Documents\website and internet\web stuff\Suspect_hypnosis_advanced.zip.vir
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\billy\My Documents\albert ebooks\MembershipSiteManager-Rights.zip
c:\documents and settings\billy\My Documents\My Pictures\hotchix2006.exe
c:\documents and settings\billy\My Documents\website and internet\ebooks on ebay (all)\AD Balster.zip
c:\documents and settings\billy\My Documents\website and internet\ebooks on ebay (all)\Carradiodecoders\Car Codes\DAEWOO Serials Calculator 1.00.exe
c:\documents and settings\billy\My Documents\website and internet\ebooks on ebay (all)\Carradiodecoders\Car Codes\Decoder Software (most of decoders in here)\Install me for decoders.exe
c:\documents and settings\billy\My Documents\website and internet\ebooks on ebay (all)\membership_site_manager.zip
c:\documents and settings\billy\My Documents\X My Bits & Bobs X\vip-isc.zip

.
((((((((((((((((((((((((( Files Created from 2009-04-11 to 2009-05-11 )))))))))))))))))))))))))))))))
.

2009-05-09 23:54 . 2009-05-10 12:39 -------- d-----w C:\rsit
2009-05-09 21:27 . 2009-05-09 21:27 -------- d-----w c:\documents and settings\billy\Application Data\wsInspector
2009-05-09 21:07 . 2009-05-09 21:24 -------- d-----w c:\documents and settings\All Users\Application Data\SecTaskMan
2009-05-09 21:07 . 2009-05-09 21:09 -------- d-----w c:\program files\Security Task Manager
2009-05-07 19:35 . 2009-05-07 19:35 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-07 19:35 . 2009-05-07 21:23 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-07 19:35 . 2009-05-07 19:35 -------- d-----w c:\documents and settings\billy\Application Data\SUPERAntiSpyware.com
2009-05-07 19:34 . 2009-05-07 19:34 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-07 15:27 . 2009-05-07 15:27 -------- d-----w c:\program files\Trend Micro
2009-05-07 13:21 . 2009-05-07 14:53 -------- d-----w c:\program files\AMT Media Manager
2009-05-07 08:56 . 2008-10-16 13:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-05-02 10:28 . 2008-04-13 18:46 38912 -c--a-w c:\windows\system32\dllcache\avc.sys
2009-05-02 10:21 . 2001-08-17 13:07 101888 -c--a-w c:\windows\system32\dllcache\adpu160m.sys
2009-05-02 10:20 . 2001-08-17 13:56 66048 -c--a-w c:\windows\system32\dllcache\s3legacy.dll
2009-04-16 22:12 . 2009-04-16 22:12 -------- d-----w c:\documents and settings\billy\Local Settings\Application Data\Navman_Technology_New_Zea
2009-04-16 21:02 . 2009-04-16 21:02 -------- d-----w c:\program files\Navman
2009-04-16 21:01 . 2009-04-16 21:01 -------- d-----w c:\documents and settings\billy\Application Data\InstallShield
2009-04-16 06:32 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-16 06:32 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-16 06:31 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 06:31 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 06:31 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 06:31 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 06:31 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 06:31 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-10 21:59 . 2006-09-03 01:49 -------- d-----w c:\program files\Java
2009-05-10 21:56 . 2006-09-06 14:53 -------- d-----w c:\program files\Common Files\Adobe
2009-05-09 23:31 . 2009-04-06 21:03 -------- d-----w c:\program files\Bonjour
2009-05-08 10:14 . 2008-08-13 05:40 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-07 13:21 . 2006-09-03 02:06 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-02 08:17 . 2008-07-23 07:22 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-02 08:17 . 2008-07-23 07:22 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-02 08:16 . 2008-07-23 07:22 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-06 21:04 . 2009-04-06 21:03 -------- d-----w c:\program files\iTunes
2009-04-06 21:03 . 2009-04-06 21:03 -------- d-----w c:\program files\iPod
2009-04-06 21:02 . 2009-04-06 21:01 -------- d-----w c:\program files\QuickTime
2009-04-06 21:01 . 2009-04-06 21:01 -------- d-----w c:\program files\Apple Software Update
2009-04-06 21:00 . 2009-04-06 21:00 -------- d-----w c:\program files\Common Files\Apple
2009-04-06 20:21 . 2007-01-04 21:00 -------- d-----w c:\program files\MP3+G Toolz .NET 4
2009-04-06 20:20 . 2006-09-03 01:57 263808 ----a-w c:\documents and settings\billy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-06 20:18 . 2009-04-06 20:14 -------- d-----w c:\program files\HooTech
2009-04-06 14:32 . 2008-08-13 05:40 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 14:32 . 2008-08-13 05:40 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-31 18:42 . 2006-09-03 03:42 -------- d-----w c:\program files\MSN Messenger
2009-03-31 15:57 . 2009-03-31 15:57 -------- d-----w c:\program files\MSBuild
2009-03-31 15:57 . 2009-03-31 15:57 -------- d-----w c:\program files\Reference Assemblies
2009-03-31 14:55 . 2009-03-31 14:55 -------- d-----w c:\program files\MSXML 4.0
2009-03-31 13:14 . 2006-09-03 01:45 76487 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-26 09:49 . 2009-04-06 20:32 3768 ----a-w c:\windows\system32\drivers\MusCVideo.sys
2009-03-26 09:49 . 2009-04-06 20:32 23096 ----a-w c:\windows\system32\drivers\MusCAudio.sys
2009-03-19 15:32 . 2009-04-06 21:04 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-09 05:19 . 2009-02-25 07:59 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 08:10 . 2004-09-29 18:47 666112 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:10 . 2004-08-04 12:00 81920 ----a-w c:\windows\system32\ieencode.dll
2006-10-30 20:58 . 2006-10-30 20:58 59860 ----a-w c:\program files\StreetPiloti3_320.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-05-11_07.14.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-11 20:24 . 2009-05-11 20:24 16384 c:\windows\Temp\Perflib_Perfdata_7e4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-08 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-08 126976]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-07 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-07 536576]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-02 1947928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 10:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-02 08:17 11952 ----a-w c:\windows\system32\avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Planner Reminders Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Planner Reminders Tray Icon.lnk
backup=c:\windows\pss\Event Planner Reminders Tray Icon.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [23/07/2008 08:22 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [23/07/2008 08:22 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [17/02/2009 11:43 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2009 11:43 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [23/07/2008 08:22 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [23/07/2008 08:22 298776]
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [03/09/2006 03:10 191092]
R3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [03/09/2006 03:10 6100]
S3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [06/04/2009 21:32 23096]
S3 MusCVideo;MusCVideo;c:\windows\system32\drivers\MusCVideo.sys [06/04/2009 21:32 3768]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [01/03/2007 19:39 180480]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2009 11:43 7408]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\MediaManager.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a84d0e96-3af2-11de-acb9-000e35db220a}]
\Shell\AutoRun\command - F:\MediaManager.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2007-12-27 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8190283110.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-05 23:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-11 21:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySql]
"ImagePath"="C:/Program Files/Saurus CMS/Apache/mysql/bin/mysqld-nt.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySql]
"ImagePath"="C:/Program Files/Saurus CMS/Apache/mysql/bin/mysqld-nt.exe"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-05-11 21:53
ComboFix-quarantined-files.txt 2009-05-11 20:53
ComboFix2.txt 2009-05-11 07:17

Pre-Run: 17,754,742,784 bytes free
Post-Run: 17,779,912,704 bytes free

194 --- E O F --- 2009-04-16 06:42

#11 Katana

Katana

    MRU Teacher

  • Trusted Malware Techs
  • 1,523 posts
  • Location:Manchester (UK)


Posted 12 May 2009 - 04:52 AM

I don't need ANY of the files that are on the kaspersky list, and really would appreciate it if you help me get rid of them all please, they're really a worry now.

I can certainly remove them for you, that isn't going to be a problem :)
If you don't mind though, I would like to examine a couple first and see if they are infected.
The upload didn't work before, so let's try a different method.



Upload a File

Go to spykiller

Please start a new thread Titled File/s for Katana and give the following information
  • Name:-- Your name
  • Subject:-- File for Katana
In the main text window please put the following link
http://forums.pcpitstop.com/index.php?showtopic=168357
you may also add any comments you wish
then press attach and upload the following files.

C:\Documents and Settings\billy\Desktop\All From Desktop\old stuff\AutomatedeBookStore\files to upload\download\davidblaine.zip
C:\Documents and Settings\billy\My Documents\alberts new website\files to upload\download\davidblaine.zip
C:\Documents and Settings\billy\My Documents\website and internet\leonardoe ebook &websites\L ebooks\blaine_mega_magic.zip
C:\Documents and Settings\billy\My Documents\website and internet\web stuff\hypnosis_advanced.zip


Files can be uploaded by anybody but not downloaded at all except for those users that have been given special permissions.
You DO NOT need to be a member to upload, anybody can upload the files


You can now delete SFP (exe and Zip) along with the .cab file that was created




How are things running at the moment, any problems still?

#12 xdustyx

xdustyx

    Member

  • Members
  • 12 posts

Posted 12 May 2009 - 05:39 AM

Hello Katana,
I've uploaded the files onto the site for you... (hope I did it right)
Sorry I don't understand what you mean by:

You can now delete SFP (exe and Zip) along with the .cab file that was created

Was it a programme?
The computer seems to be running a little slower than it was, and when I turned it on I noticed a different black screen flash up for a second before it started loading.
When I installed the combofix it installed "windows recovery system" for me because it wasn't installed on here... I just wondered if it was anything to do with that?
I looked on msconfig and saw this below and wondered if that was the reason why the start up looked different, should it be changed at all?

Posted Image

THANK YOU again, very much :)
Jayne

#13 Katana

Katana

    MRU Teacher

  • Trusted Malware Techs
  • 1,523 posts
  • Location:Manchester (UK)


Posted 12 May 2009 - 05:09 PM

1) I've uploaded the files onto the site for you... (hope I did it right)

2) Sorry I don't understand what you mean by:- You can now delete SFP (exe and Zip) along with the .cab file that was created

3) when I turned it on I noticed a different black screen flash up for a second before it started loading.

1) that's fine, I've run them through a few scanners and they all agree there is an infection present. Too many for a False Positive anyway.
2) Sorry about that, just ignore it. It was part of a different post that got left in by mistake :(
3) The black screen is part of Recovery Console that Combofix installed, it should only last a couple of seconds and it may save your machine one day :)

Right, let's remove those files .....



OTMoveIt
Please download OTMoveIt3 by OldTimer and save it to your desktop
  • Double-click OTMoveIt3.exe to run it.
  • Copy the lines in the codebox below. (Make sure you include :Processes)
:Processes
:Files
C:\Documents and Settings\billy\Desktop\All From Desktop\old stuff\AutomatedeBookStore\files to upload\download\davidblaine.zip
C:\Documents and Settings\billy\Desktop\recent downloads\alberts new website\MegaeBookStore200MRR.zip
C:\Documents and Settings\billy\My Documents\albert ebooks\ebooks1.zip
C:\Documents and Settings\billy\My Documents\alberts new website\files to upload\download\davidblaine.zip
C:\Documents and Settings\billy\My Documents\alberts new website\MegaeBookStore200MRR.zip
C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\digitalsite\download\davidblaine.zip
C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\digitalsite\download\davidblaine.zip
C:\Documents and Settings\billy\My Documents\untouched albert website\MegaeBookStore200MRR.zip
C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\davidblaine.zip
C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\billyzx ebooksore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\davidblaine.zip
C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\billyzx ebooksore\AutomatedeBookStore.zip
C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\billyzx ebookstore\billyzx ebooksore\AutomatedeBookStore.zip
C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\Copy of billyzx ebooksore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\davidblaine.zip
C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\Copy of billyzx ebooksore\AutomatedeBookStore.zip
C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\davidblaine784.zip
C:\Documents and Settings\billy\My Documents\website and internet\leonardoe ebook &websites\L ebooks\blaine_mega_magic.zip
C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\ebookempyre website backup\backup\public_html\download\davidblaine.zip
C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\ebookempyre website backup\backup.zip
C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\empyre back up disc\3_video_pack.zip
C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\empyre manual\bonus_download\davidblaine\davidblaine\David Blaines Mega Magic Guide Book.exe
C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\empyre manual\bonus_download\davidblaine.zip
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks\Magic\davidblaine784.zip
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks.part2.rar
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks.part3.rar
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks.part4\Ebooks\Magic\davidblaine784.zip
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks.part4.rar
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads2\ebooks1.zip
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\my ebook business\hypnosis_advanced\derren_brown_type_megamagic.exe
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\my ebook business\hypnosis_advanced.zip
C:\Documents and Settings\billy\My Documents\website and internet\web stuff\hypnosis_advanced.zip
:Commands
[Purity]
[EmptyTemp]
  • Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Close ALL open windows (especially Internet Explorer!)
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Now... when is the machine running slower, during usage or boot up?

Please post a fresh HJT log along with the OTMI log

#14 xdustyx

xdustyx

    Member

  • Members
  • 12 posts

Posted 13 May 2009 - 01:54 AM

Hi Katana,
I've done all that you requested... THANK YOU!
It seemed to be running slower during usage, doesn't appear as slow today though.
Here are the logs you asked for...
Thank you again :)


========== PROCESSES ==========
========== FILES ==========
C:\Documents and Settings\billy\Desktop\All From Desktop\old stuff\AutomatedeBookStore\files to upload\download\davidblaine.zip moved successfully.
C:\Documents and Settings\billy\Desktop\recent downloads\alberts new website\MegaeBookStore200MRR.zip moved successfully.
C:\Documents and Settings\billy\My Documents\albert ebooks\ebooks1.zip moved successfully.
C:\Documents and Settings\billy\My Documents\alberts new website\files to upload\download\davidblaine.zip moved successfully.
C:\Documents and Settings\billy\My Documents\alberts new website\MegaeBookStore200MRR.zip moved successfully.
C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\digitalsite\download\davidblaine.zip moved successfully.
C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\digitalsite\download\davidblaine.zip moved successfully.
C:\Documents and Settings\billy\My Documents\untouched albert website\MegaeBookStore200MRR.zip moved successfully.
C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\davidblaine.zip moved successfully.
C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\billyzx ebooksore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\davidblaine.zip moved successfully.
C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\billyzx ebooksore\AutomatedeBookStore.zip moved successfully.
C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\billyzx ebookstore\billyzx ebooksore\AutomatedeBookStore.zip moved successfully.
C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\Copy of billyzx ebooksore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\davidblaine.zip moved successfully.
C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\Copy of billyzx ebooksore\AutomatedeBookStore.zip moved successfully.
C:\Documents and Settings\billy\My Documents\website and internet\ebooks on ebay (all)\davidblaine784.zip moved successfully.
C:\Documents and Settings\billy\My Documents\website and internet\leonardoe ebook &websites\L ebooks\blaine_mega_magic.zip moved successfully.
C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\ebookempyre website backup\backup\public_html\download\davidblaine.zip moved successfully.
C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\ebookempyre website backup\backup.zip moved successfully.
C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\empyre back up disc\3_video_pack.zip moved successfully.
C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\empyre manual\bonus_download\davidblaine\davidblaine\David Blaines Mega Magic Guide Book.exe moved successfully.
C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\empyre manual\bonus_download\davidblaine.zip moved successfully.
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks\Magic\davidblaine784.zip moved successfully.
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks.part2.rar moved successfully.
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks.part3.rar moved successfully.
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks.part4\Ebooks\Magic\davidblaine784.zip moved successfully.
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads\Ebooks.part4.rar moved successfully.
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads2\ebooks1.zip moved successfully.
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\my ebook business\hypnosis_advanced\derren_brown_type_megamagic.exe moved successfully.
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\my ebook business\hypnosis_advanced.zip moved successfully.
C:\Documents and Settings\billy\My Documents\website and internet\web stuff\hypnosis_advanced.zip moved successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\billy\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_148.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05132009_072220

Files moved on Reboot...
File C:\WINDOWS\temp\Perflib_Perfdata_148.dat not found!
---------------------------------------------------------------------



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:37:09, on 13/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1238500135000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1241634729171
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelg...in/cortvrml.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O16 - DPF: {B9F79165-A264-4C4A-A211-133A5E8D647F} (F-Secure Health Check 1.1) - http://support.f-sec.../fshc/fscax.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...428/mcfscan.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apache - Unknown owner - C:\Program Files\Saurus CMS\Apache\Apache.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MySql - Unknown owner - C:/Program Files/Saurus CMS/Apache/mysql/bin/mysqld-nt.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 6033 bytes
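A HijackThis log like the one above is reviewed entry by entry: the F2 UserInit value, the O4 autostart entries and the O23 services are the lines a helper checks first. As an added example that is not part of this thread, the Python script below applies three of those reviewer checks to constructed sample lines in HijackThis format; the program names in its F2 line and second O4 line are placeholders, not real software.

```python
import re
from dataclasses import dataclass
from typing import List

# A HijackThis entry is "<section code> - <detail>", e.g. "O4 - HKLM\..\Run: [Name] path".
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<detail>.*)$")

# The only program the system.ini UserInit value should name on Windows XP.
EXPECTED_USERINIT = "c:\\windows\\system32\\userinit.exe"

# Folder fragments that legitimate autostart (O4) entries rarely run from.
TEMP_HINTS = ("\\local settings\\temp\\", "\\windows\\temp\\", "\\temporary internet files\\")


@dataclass
class Finding:
    line_no: int
    section: str
    reason: str
    entry: str


def _programs(value: str) -> List[str]:
    """Split a comma-separated UserInit value into lower-cased program paths.

    HijackThis often shows a trailing comma, which yields an empty element to drop.
    """
    return [p.strip().strip('"').lower() for p in value.split(",") if p.strip()]


def triage_hjt(log: str) -> List[Finding]:
    """Return the entries of a HijackThis log that a reviewer would look at first."""
    findings: List[Finding] = []
    for n, raw in enumerate(log.splitlines(), 1):
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines, the running-process list, blanks
        sec, detail = m.group("sec"), m.group("detail")
        low = detail.lower()
        if sec == "F2" and low.startswith("reg:system.ini: userinit="):
            # Anything besides userinit.exe here is started at every logon.
            extra = [p for p in _programs(detail.split("=", 1)[1]) if p != EXPECTED_USERINIT]
            if extra:
                findings.append(Finding(n, sec, "UserInit also runs: " + ", ".join(extra), raw.strip()))
        elif sec == "O4" and any(h in low for h in TEMP_HINTS):
            findings.append(Finding(n, sec, "autostart runs from a temp folder", raw.strip()))
        elif sec == "O23" and low.endswith("(file missing)"):
            # Usually an orphan left by an uninstalled program, but worth confirming.
            findings.append(Finding(n, sec, "service points at a file that no longer exists", raw.strip()))
    return findings


# Constructed sample in HijackThis format. The F2 line and the second O4 line are
# made up; "placeholder-extra.exe" and "placeholder.exe" are not real program names.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\placeholder-extra.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [placeholder] C:\Documents and Settings\user\Local Settings\Temp\placeholder.exe
O23 - Service: Apache - Unknown owner - C:\Program Files\Saurus CMS\Apache\Apache.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"line {f.line_no} [{f.section}] {f.reason}\n    {f.entry}")
```

The output is a review list, not a verdict: an O23 "(file missing)" entry is normally a leftover from uninstalled software, as with the Saurus CMS services in the log above, which the helper still judged clean.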

#15 Katana

Katana

    MRU Teacher

  • Trusted Malware Techs
  • 1,523 posts
  • Location:Manchester (UK)


Posted 13 May 2009 - 03:34 AM

Congratulations, your logs look clean :)

Let's see if I can help you keep it that way

First let's tidy up

Please delete RSIT.exe and C:\RSIT (entire folder)
You can also delete any logs we have produced, and empty your Recycle bin.


Uninstall Combofix
  • This will clear your System Volume Information restore points and remove all the infected files that were quarantined
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
  • Posted Image
Uninstall OTMoveIt
  • Open OTMoveIt Click Cleanup,
  • When a box pops up click YES.
----------------------------------------------------------- -----------------------------------------------------------

The following is some info to help you stay safe and clean.


You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecu....com/activescan
http://www.kaspersky...kavwebscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details

AntiSpyware
  • AntiSpyware is not the same thing as Antivirus.
    Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
    You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
    Most of the programs in this list have free (for Home Users) and paid versions;
    it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
  • Spybot - Search & Destroy <<< A must have program
    • It includes host protection and registry protection
    • A hosts file is a bit like a phone book: it points to the actual numeric address (i.e. the IP address) from the human-friendly name of a website. This feature can be used to block malicious websites
  • MalwareBytes Anti-malware <<< A New and effective program
  • a-squared Free <<< A good "realtime" or "on demand" scanner
  • superantispyware <<< A good "realtime" or "on demand" scanner
Prevention
  • These programs don't detect malware, they help stop it getting on your machine in the first place.
    Each does a different job, so you can have more than one
  • Winpatrol
    • An excellent startup manager and then some!!
    • Notifies you if programs are added to startup
    • Allows delayed startup
    • A must have addition
  • SpywareBlaster 4.0
    • SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
  • SpywareGuard 2.2
    • SpywareGuard provides real-time protection against spyware.
    • Not required if you have other "realtime" antispyware or Winpatrol
  • ZonedOut
    • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
  • MVPS HOSTS
    • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
    • For information on how to download and install, please read this tutorial by WinHelp2002.
    • Not required if you are using other host file protections
Internet Browsers
  • Microsoft has worked hard to make IE7 a more secure browser. Unfortunately, whilst it is still the leading browser of choice it will always be under attack from the bad guys.
    Using a different web browser can help stop malware getting on your machine.
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialise and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
If you are still using IE6 then either update, or get one of the following.
  • FireFox
    • With many addons available that make customization easy this is a very popular choice
    • NoScript and AdBlockPlus addons are essential
  • Opera
    • Another popular alternative
  • Netscape
    • Another popular alternative
    • Also has Addons available
Cleaning Temporary Internet Files and Tracking Cookies
  • Temporary Internet Files are mainly the files that are downloaded when you open a web page.
    Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
    It is a good idea to empty the Temporary Internet Files folder on a regular basis.

    Tracking Cookies are files that websites use to monitor which sites you visit and how often.
    A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
    CAUTION: If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

    Both of these can be cleaned manually, but a quicker option is to use a program
  • ATF Cleaner
    • Free and very simple to use
  • CCleaner
    • Free and very flexible, you can choose which cookies to keep
Also PLEASE read this article.....So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'

#16 xdustyx

xdustyx

    Member

  • Members
  • 12 posts

Posted 13 May 2009 - 02:31 PM

Hi Katana,
Again THANK YOU for all your help and everything you've done for me with the computer... I did everything you mentioned:

Please delete RSIT.exe and C:\RSIT (entire folder)

Uninstall Combofix
Uninstall OTMoveIt

I've actually gained a few GB space :)
What I'm concerned about though is, I have used the kaspersky online scanner all the way through and nothing else and the last scan I did found NOTHING! BUT I ran a scan using the other link you gave me (http://www.pandasecu....com/activescan) and I was shocked at the results... it took HOURS.
What it found was this below, and I really don't know what to make of it now after kaspersky gave me the thumbs up. Also what I don't understand is where it found:

No C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\backup_full.tar[./digitalsite/download/slowcookerrecipes.zip][250+Slowcookerrecipes/250+ Slow Cooker Recipes.exe]
No C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\digitalsite\download\slowcookerrecipes.zip[250+Slowcookerrecipes/250+ Slow Cooker Recipes.exe]
No C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\backup_full.tar[./digitalsite/download/slowcookerrecipes.zip][250+Slowcookerrecipes/250+ Slow Cooker Recipes.exe]
No C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\digitalsite\download\slowcookerrecipes.zip[250+Slowcookerrecipes/250+ Slow Cooker Recipes.exe]
No C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\backup_full.tar[./digitalsite/download/davidblaine.zip][davidblaine/David Blaines Mega Magic Guide Book.exe]
No C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\backup_full.tar[./digitalsite/download/davidblaine.zip][davidblaine/David Blaines Mega Magic Guide Book.exe]

How can a back up of the forum contain the things it does (the digitalsite/downloads etc) when it was never used for uploading ebooks? It was just a forum... It just seems so very weird.
PLEASE can you take a look at what the scan log says and advise me? I'm really sorry to bother you again with my problems, but I've now become paranoid and really glad I did the scan.
THANK YOU AGAIN :)
Jayne


;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-05-13 19:55:46
PROTECTIONS: 1
MALWARE: 9
SUSPECTS: 40
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
AVG Anti-Virus Free 8.5 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\billy\Cookies\billy@tribalfusion[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\billy\Cookies\billy@ad.yieldmanager[2].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\billy\Cookies\billy@adrevolver[2].txt
00472802 Adware/Beginto Adware No 0 No No C:\Documents and Settings\billy\My Documents\Lilly's Stuff!\all downloaded stuff misc\DivXInstaller.exe[²ÜÇ\GoogleToolbarFirefox.msi][unk_0020][xpi][components/googletoolbar.dll]
00702834 Bck/Hupigon.LKC Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\resellerrightspack\ProfessionalCoverCreationTutorial.zip[ebct1.exe]
00702834 Bck/Hupigon.LKC Virus/Trojan No 0 No No C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\1000 ebooks part 1\1000ebook1.zip[ee6/toolkittut.rar][ebct1.exe]
00702834 Bck/Hupigon.LKC Virus/Trojan No 0 No No C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\empyre back up disc\1000ebook1.zip[ee6/toolkittut.rar][ebct1.exe]
00702834 Bck/Hupigon.LKC Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\webmaster2 pro\ebct1.exe
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\alberts new website\files to upload\download\Be_a_WHIZ_at_eBIZ.zip[ebizwhiz-brand.exe]
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads2\ebooks4.zip[ebooks4/easyspanish.zip][Easy Spanish For Babies & Toddlers/Easy Spanish.exe]
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\backup_full.tar[./digitalsite/download/easyspanish.zip][Easy Spanish For Babies & Toddlers/Easy Spanish.exe]
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\digitalsite\download\easyspanish.zip[Easy Spanish For Babies & Toddlers/Easy Spanish.exe]
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\backup_full.tar[./digitalsite/download/easyspanish.zip][Easy Spanish For Babies & Toddlers/Easy Spanish.exe]
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\Desktop\All From Desktop\old stuff\AutomatedeBookStore\files to upload\download\easyspanish.zip[Easy Spanish For Babies & Toddlers/Easy Spanish.exe]
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\albert ebooks\ebooks4.zip[ebooks4/easyspanish.zip][Easy Spanish For Babies & Toddlers/Easy Spanish.exe]
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\albert ebooks\NicheProductPak2ProductPak.zip[NichePowerPak2ProductBonuses.zip][6pakExtraBonuses.zip][Extra Bonuses/Insider.exe]
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\alberts new website\files to upload\download\easyspanish.zip[Easy Spanish For Babies & Toddlers/Easy Spanish.exe]
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\digitalsite\download\easyspanish.zip[Easy Spanish For Babies & Toddlers/Easy Spanish.exe]
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\easyspanish\Easy Spanish For Babies & Toddlers\Easy Spanish.exe
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\easyspanish.zip[Easy Spanish For Babies & Toddlers/Easy Spanish.exe]
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\billyzx ebooksore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\easyspanish.zip[Easy Spanish For Babies & Toddlers/Easy Spanish.exe]
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\Copy of billyzx ebooksore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\easyspanish.zip[Easy Spanish For Babies & Toddlers/Easy Spanish.exe]
03879004 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\albert ebooks\NPP3MasterR.zip[MEMBERS SITE/NPPP3DL/Insider.zip][Insider.exe]
03879004 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\resellerrightspack\TheNicheProductPowerPack.zip[NICHE PRODUCTS/BONUS BOOKS.zip][BONUS BOOKS/Insider.exe]
03879007 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\alberts new website\files to upload\download\inside2222r.exe
03899010 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\billy\My Documents\Desktop games etc\desktop games\screen buster.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No C:\Documents and Settings\billy\Desktop\All From Desktop\old stuff\AutomatedeBookStore\files to upload\download\slowcookerrecipes.zip[250+Slowcookerrecipes/250+ Slow Cooker Recipes.exe]
No C:\Documents and Settings\billy\My Documents\albert ebooks\ebooks4.zip[ebooks4/slowcookerrecipes.zip][250+Slowcookerrecipes/250+ Slow Cooker Recipes.exe]
No C:\Documents and Settings\billy\My Documents\albert ebooks\ColorSchemer_17.zip[Portable_Color_Schemer.exe]
No C:\Documents and Settings\billy\My Documents\albert ebooks\eBayBSP.zip[eBayBSP/AuctionTidBits.zip][auctiontidbits.exe]
No C:\Documents and Settings\billy\My Documents\albert ebooks\ebooks4.zip[ebooks4/easyspanish.zip][Easy Spanish For Babies & Toddlers/Bonus Items/EZ-ebooks.exe]
No C:\Documents and Settings\billy\My Documents\albert ebooks\ebooks4.zip[ebooks4/easyspanish.zip][Easy Spanish For Babies & Toddlers/Bonus Items/princess.exe]
No C:\Documents and Settings\billy\My Documents\albert ebooks\ebooks4.zip[ebooks4/slowcookerrecipes.zip][250+Slowcookerrecipes/Bonus Items/EZ-ebooks.exe]
No C:\Documents and Settings\billy\My Documents\alberts new website\files to upload\download\slowcookerrecipes.zip[250+Slowcookerrecipes/250+ Slow Cooker Recipes.exe]
No C:\Documents and Settings\billy\My Documents\albert ebooks\NicheProductPak1ResellerProductsPak.zip[NICHE PRODUCTS/BONUS BOOKS.zip][BONUS BOOKS/BONUS BOOKS/Insider.exe]
No C:\Documents and Settings\billy\My Documents\albert ebooks\Ultimateforexcourse.zip[InsiderSecretsCurrencyTrading.zip][Insider.exe]
No C:\Documents and Settings\billy\My Documents\alberts new website\files to upload\download\free_to_sell_6.zip[freetosell 6.02.exe]
No C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\backup_full.tar[./digitalsite/download/slowcookerrecipes.zip][250+Slowcookerrecipes/250+ Slow Cooker Recipes.exe]
No C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\digitalsite\download\slowcookerrecipes.zip[250+Slowcookerrecipes/250+ Slow Cooker Recipes.exe]
No C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\backup_full.tar[./digitalsite/download/slowcookerrecipes.zip][250+Slowcookerrecipes/250+ Slow Cooker Recipes.exe]
No C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\digitalsite\download\slowcookerrecipes.zip[250+Slowcookerrecipes/250+ Slow Cooker Recipes.exe]
No C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\backup_full.tar[./digitalsite/download/davidblaine.zip][davidblaine/David Blaines Mega Magic Guide Book.exe]
No C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\backup_full.tar[./digitalsite/download/davidblaine.zip][davidblaine/David Blaines Mega Magic Guide Book.exe]
No C:\Documents and Settings\billy\My Documents\resellerrightspack\AuctionSourcesBigBook.zip[asbb3.exe]
No C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\slowcookerrecipes.zip[250+Slowcookerrecipes/250+ Slow Cooker Recipes.exe]
No C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\billyzx ebooksore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\slowcookerrecipes.zip[250+Slowcookerrecipes/250+ Slow Cooker Recipes.exe]
No C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\Copy of billyzx ebooksore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\slowcookerrecipes.zip[250+Slowcookerrecipes/250+ Slow Cooker Recipes.exe]
No C:\Documents and Settings\billy\My Documents\website and internet\downloads from ebookdirectory\affirmations.zip[affirmations.exe]
No C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\empyre back up disc\1000ebook2.zip[ef1/freetosell6.2.rar][FREETOSELL.EXE]
No C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\empyre back up disc\1000ebook2.zip[ej1/javascriptmagic.rar][Javascript_Magic\javabookbd.exe]
No C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\part2 of 1000 ebooks\1000ebook2.zip[ef1/freetosell6.2.rar][FREETOSELL.EXE]
No C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\part2 of 1000 ebooks\1000ebook2.zip[ej1/javascriptmagic.rar][Javascript_Magic\javabookbd.exe]
No C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads2\ebooks4.zip[ebooks4/easyspanish.zip][Easy Spanish For Babies & Toddlers/Bonus Items/EZ-ebooks.exe]
No C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads2\ebooks4.zip[ebooks4/easyspanish.zip][Easy Spanish For Babies & Toddlers/Bonus Items/princess.exe]
No C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads2\ebooks4.zip[ebooks4/slowcookerrecipes.zip][250+Slowcookerrecipes/250+ Slow Cooker Recipes.exe]
No C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads2\ebooks4.zip[ebooks4/slowcookerrecipes.zip][250+Slowcookerrecipes/Bonus Items/EZ-ebooks.exe]
No C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\my ebook business\auction_sources_bigbook\asbb3.exe
No C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\my ebook business\auction_sources_bigbook.zip[asbb3.exe]
No C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\my ebook business\java_macromedia_ebooks\java_for_your_web_page_magic.exe
No C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\my ebook business\java_macromedia_ebooks.zip[java_for_your_web_page_magic.exe]
No C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\webmaster profit pack\freetosell6.zip[freetosell6.exe]
No C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\webmaster profit pack\java1.zip[javamagic/javabookbd.exe]
No C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\webmaster profit pack\javamagic1.zip[javamagic/javabookbd.exe]
No C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\webmaster profit pack\java1.zip[javamagic/33scripts.exe]
No C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\webmaster profit pack\javamagic1.zip[javamagic/33scripts.exe]
No C:\Documents and Settings\billy\My Documents\website and internet\web stuff\auction_sources_bigbook.zip[asbb3.exe]

==========================================================================================================================================

Threats with free disinfection (5)
Low danger level (5) Generic Malwar... Virus Latent
1. C:\Documents and Settings\billy\My Documents\... to upload\download\inside2222r.exe

Generic Malwar... Virus Latent
1. C:\Documents and Settings\billy\My Documents\...BOOKS.zip][BONUS BOOKS/Insider.exe]
2. C:\Documents and Settings\billy\My Documents\...E/NPPP3DL/Insider.zip][Insider.exe]

Generic Malwar... Virus Latent
1. C:\Documents and Settings\billy\My Documents\...etc\desktop games\screen buster.exe

Trj/CI.A Virus Latent
1. C:\Documents and Settings\billy\My Documents\...HIZ_at_eBIZ.zip[ebizwhiz-brand.exe]
2. C:\Documents and Settings\billy\Desktop\All F...Babies & Toddlers/Easy Spanish.exe]
3. C:\Documents and Settings\billy\My Documents\...Babies & Toddlers/Easy Spanish.exe]
4. C:\Documents and Settings\billy\My Documents\...Babies & Toddlers/Easy Spanish.exe]
5. C:\Documents and Settings\billy\My Documents\...Babies & Toddlers/Easy Spanish.exe]
6. C:\Documents and Settings\billy\My Documents\...ses.zip][Extra Bonuses/Insider.exe]
7. C:\Documents and Settings\billy\My Documents\...Babies & Toddlers/Easy Spanish.exe]
8. C:\Documents and Settings\billy\My Documents\...Babies & Toddlers/Easy Spanish.exe]
9. C:\Documents and Settings\billy\My Documents\... Babies & Toddlers\Easy Spanish.exe
10. C:\Documents and Settings\billy\My Documents\...Babies & Toddlers/Easy Spanish.exe]
11. C:\Documents and Settings\billy\My Documents\...Babies & Toddlers/Easy Spanish.exe]
12. C:\Documents and Settings\billy\My Documents\...Babies & Toddlers/Easy Spanish.exe]
13. C:\Documents and Settings\billy\My Documents\...Babies & Toddlers/Easy Spanish.exe]
14. C:\Documents and Settings\billy\My Documents\...Babies & Toddlers/Easy Spanish.exe]

Bck/Hupigon.LK... Virus Latent Not disinfectable
1. C:\Documents and Settings\billy\My Documents\...ooks&sites\webmaster2 pro\ebct1.exe
2. C:\Documents and Settings\billy\My Documents\...overCreationTutorial.zip[ebct1.exe]
3. C:\Documents and Settings\billy\My Documents\....zip[ee6/toolkittut.rar][ebct1.exe]
4. C:\Documents and Settings\billy\My Documents\....zip[ee6/toolkittut.rar][ebct1.exe]


Threats disinfected with the paid version (4)
Low danger level (4) Adware/Beginto Adware Latent Not disinfectable
1. C:\Documents and Settings\billy\My Documents\...[xpi][components/googletoolbar.dll]

Cookie/YieldMa... Tracking Cookie Latent
1. C:\Documents and Settings\billy\Cookies\billy@ad.yieldmanager[2].txt

Cookie/Tribalf... Tracking Cookie Latent
1. C:\Documents and Settings\billy\Cookies\billy@tribalfusion[2].txt

Cookie/Adrevol... Tracking Cookie Latent
1. C:\Documents and Settings\billy\Cookies\billy@adrevolver[2].txt



#17 Katana

Katana

    MRU Teacher

  • Trusted Malware Techs
  • 1,523 posts
  • Location:Manchester (UK)


Posted 14 May 2009 - 04:52 AM

1) I really don't know what to make of it now after kaspersky gave me the thumbs up.
2) How can a back up of the forum contain the things it does (the digitalsite/downloads etc) when it was never used for uploading ebooks?


1) Different scanners find different things, so that isn't unexpected.
2) At some point, those files must have been on the site and you made a backup at that time. There is no other explanation.

Let's see if I can explain the results for you ...

These ones are in the SUSPECTS section, so it could be that they are encrypted, or password protected. It doesn't mean they are infected.

C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\backup_full.tar
C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\backup_full.tar
C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\digitalsite\download\slowcookerrecipes.zip
C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\digitalsite\download\slowcookerrecipes.zip




These could be False Positives due to the way they work,
If you want to keep them then I would upload them to Virustotal and check if they are safe
(If you don't need them just delete them.)

C:\Documents and Settings\billy\My Documents\resellerrightspack\ProfessionalCoverCreationTutorial.zip
C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\1000 ebooks part 1\1000ebook1.zip
C:\Documents and Settings\billy\My Documents\website and internet\matt empyre\empyre back up disc\1000ebook1.zip
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\webmaster2 pro\ebct1.exe
C:\Documents and Settings\billy\My Documents\resellerrightspack\TheNicheProductPowerPack.zip
C:\Documents and Settings\billy\My Documents\alberts new website\files to upload\download\inside2222r.exe
C:\Documents and Settings\billy\My Documents\Desktop games etc\desktop games\screen buster.exe




These others, I would recommend deleting. They aren't active at all, so just select the file and hit Delete

C:\Documents and Settings\billy\My Documents\Lilly's Stuff!\all downloaded stuff misc\DivXInstaller.exe
C:\Documents and Settings\billy\My Documents\alberts new website\files to upload\download\Be_a_WHIZ_at_eBIZ.zip
C:\Documents and Settings\billy\My Documents\website and internet\miscellaneous ebooks&sites\downloads2\ebooks4.zip
C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\backup_full.tar
C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 25th Sept 07\digitalsite\download\easyspanish.zip
C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\backup_full.tar
C:\Documents and Settings\billy\Desktop\All From Desktop\old stuff\AutomatedeBookStore\files to upload\download\easyspanish.zip
C:\Documents and Settings\billy\My Documents\albert ebooks\ebooks4.zip
C:\Documents and Settings\billy\My Documents\albert ebooks\NicheProductPak2ProductPak.zip
C:\Documents and Settings\billy\My Documents\alberts new website\files to upload\download\easyspanish.zip
C:\Documents and Settings\billy\My Documents\cryptt-stuff\backup-forum 26th Nov 07\digitalsite\download\easyspanish.zip
C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\easyspanish\Easy Spanish For Babies & Toddlers\Easy Spanish.exe
C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\easyspanish.zip
C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\billyzx ebooksore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\easyspanish.zip
C:\Documents and Settings\billy\My Documents\website and internet\autoebookstore\Copy of billyzx ebooksore\AutomatedeBookStore\AutomatedeBookStore\files to upload\download\easyspanish.zip
C:\Documents and Settings\billy\My Documents\albert ebooks\NPP3MasterR.zip

Edited by Katana, 14 May 2009 - 04:54 AM.
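The sorting Katana describes above (SUSPECTS are archives the scanner could not look inside, doubtful files get hashed and checked on VirusTotal, the rest is deleted) can be scripted rather than done file by file. The following is an added example and is not code from the thread or from any of the scanners mentioned; it builds a small constructed sample tree in a temporary directory that echoes the layout in the log (a nested ebooks4.zip, a bare .exe and a password-protected .zip), walks it, descends into nested ZIP members, flags members whose ZIP encryption bit is set, and computes the SHA-256 of every executable member so it can be looked up by hash on VirusTotal without uploading the file. The file names, the fake executable bytes and the "encrypted" archive are all made up here, and nothing is sent anywhere.

```python
"""Archive triage for scanner hits like the Panda results above (added
example, not code from the thread). Walks a folder, descends into nested
ZIPs, flags password-protected members (a scanner cannot open them, hence
SUSPECTS) and hashes executable members for a VirusTotal hash lookup."""
import hashlib
import io
import os
import tempfile
import zipfile
from dataclasses import dataclass

EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".com", ".pif")
ZIP_ENCRYPTED = 0x1               # general purpose flag bit 0 (PKWARE encryption)
FAKE_EXE = b"MZ" + b"\x90" * 64   # constructed stand-in for an executable body


@dataclass
class Finding:
    path: str        # outer path, nested members appended in [...] like the log
    kind: str        # "encrypted", "executable" or "unreadable"
    sha256: str = ""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _walk_zip(data: bytes, label: str, out: list) -> None:
    """Recurse into a ZIP held in memory, labelling members scanner-style."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        out.append(Finding(label, "unreadable"))
        return
    for info in zf.infolist():
        member = f"{label}[{info.filename}]"
        if info.flag_bits & ZIP_ENCRYPTED:
            # Password-protected: content cannot be inspected without the key.
            out.append(Finding(member, "encrypted"))
            continue
        body = zf.read(info)
        name = info.filename.lower()
        if name.endswith(".zip"):
            _walk_zip(body, member, out)
        elif name.endswith(EXEC_SUFFIXES):
            out.append(Finding(member, "executable", sha256_hex(body)))


def triage(root: str) -> list:
    """Return findings for every file under root, sorted by path."""
    out = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                data = fh.read()
            low = fname.lower()
            if low.endswith(".zip"):
                _walk_zip(data, path, out)
            elif low.endswith(EXEC_SUFFIXES):
                out.append(Finding(path, "executable", sha256_hex(data)))
    return sorted(out, key=lambda f: f.path)


def _zip_bytes(members: dict) -> bytes:
    """Build a stored (uncompressed) ZIP with a fixed timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=(2009, 5, 14, 0, 0, 0)), body)
    return buf.getvalue()


def _mark_encrypted(zip_data: bytes) -> bytes:
    """Set the encrypted flag in every local and central header so the archive
    looks password-protected to zipfile (and to a scanner). The payload is not
    really encrypted; this only mimics the SUSPECTS case for the sample."""
    data = bytearray(zip_data)
    for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = data.find(sig)
        while i != -1:
            data[i + flag_off] |= ZIP_ENCRYPTED
            i = data.find(sig, i + len(sig))
    return bytes(data)


def build_sample_tree(root: str) -> None:
    """Constructed layout echoing the thread: a nested ebook bundle, a bare
    executable, and a password-protected archive."""
    inner = _zip_bytes({"Easy Spanish For Babies & Toddlers/Easy Spanish.exe": FAKE_EXE,
                        "Easy Spanish For Babies & Toddlers/readme.txt": b"sample text"})
    outer = _zip_bytes({"ebooks4/easyspanish.zip": inner})
    sub = os.path.join(root, "albert ebooks")
    os.makedirs(sub, exist_ok=True)
    with open(os.path.join(sub, "ebooks4.zip"), "wb") as fh:
        fh.write(outer)
    with open(os.path.join(sub, "asbb3.exe"), "wb") as fh:
        fh.write(FAKE_EXE)
    locked = _mark_encrypted(_zip_bytes({"250+ Slow Cooker Recipes.exe": FAKE_EXE}))
    with open(os.path.join(root, "slowcookerrecipes.zip"), "wb") as fh:
        fh.write(locked)


def demo() -> list:
    """Build the sample tree in a temp dir and triage it."""
    root = tempfile.mkdtemp(prefix="archive-triage-")
    build_sample_tree(root)
    return triage(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.kind:<11} {f.sha256[:16] or '-':<16} {f.path}")
```

The "encrypted" kind is exactly the case Katana puts in SUSPECTS: the member is present, but nothing short of the password lets a scanner (or this script) see what is inside, so it is neither cleared nor convicted. For the "executable" rows the hash is what you paste into VirusTotal's search; if the hash is unknown there, the file itself has to be uploaded, which is the step to think twice about for anything you were planning to sell.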


#18 xdustyx

xdustyx

    Member

  • Members
  • 12 posts

Posted 15 May 2009 - 06:26 AM

Hello again Katana,
I've deleted most of the files and sent some for analysis :)
I've taken now extra precautions and installed spybot search & destroy AND spywareguard.
I had actually installed a-squared free first and it found this:

a-squared Free - Version 4.5
Last update: 14/05/2009 11:05:38

Scan settings:

Scan type: Quick Scan
Objects: Memory, Traces, Cookies
Scan archives: On
Heuristics: Off
ADS Scan: On

Scan start: 14/05/2009 11:24:00

Value: HKEY_CLASSES_ROOT\CLSID\{0C1F87AE-AE62-11D3-911C-00105A17B608}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2
Value: HKEY_CLASSES_ROOT\CLSID\{371D0743-7A57-11D2-AD5A-00105A17B608}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2
Value: HKEY_CLASSES_ROOT\CLSID\{4F99A075-5227-11D2-AD06-00105A17B608}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2
Value: HKEY_CLASSES_ROOT\CLSID\{B22FE43C-D1E8-432A-A862-9F83D5F04732}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2
Value: HKEY_CLASSES_ROOT\CLSID\{CA4FC24B-C65C-11D1-AA6F-000000000000}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2
Value: HKEY_CLASSES_ROOT\CLSID\{DDD136CE-517B-11D2-AD03-00105A17B608}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2
Value: HKEY_CLASSES_ROOT\CLSID\{E9D55102-9683-11D2-BA68-0040053687FE}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0C1F87AE-AE62-11D3-911C-00105A17B608}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{371D0743-7A57-11D2-AD5A-00105A17B608}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F99A075-5227-11D2-AD06-00105A17B608}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B22FE43C-D1E8-432A-A862-9F83D5F04732}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CA4FC24B-C65C-11D1-AA6F-000000000000}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DDD136CE-517B-11D2-AD03-00105A17B608}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9D55102-9683-11D2-BA68-0040053687FE}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2

Scanned

Files: 1289
Traces: 641460
Cookies: 6
Processes: 35

Found

Files: 0
Traces: 14
Cookies: 0
Processes: 0
Registry keys: 0

Scan end: 14/05/2009 11:26:46
Scan time: 0:02:46


I really didn't know what to do, so I did a search on it and found that many many other people found that it was picking up the same thing and no-one seemed to know why or what it was... so I didn't do anything with what it found, I turned it off and installed Spybot Search & Destroy.
It did the same scan and didn't pick those up BUT found this:

Win32.Agent.pz: [SBI $7EC6899E] Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Network\UID

Win32.Agent.pz: [SBI $8980C6CD] Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Network\UID

I re-scanned, and hope I did the right thing and let them remove them (I had done a back-up of the registry first just in case)

Still unsure what to do with what A squared found though, and wondered if you know anything about them please?

THANK YOU again :)
Jayne

#19 Katana

Katana

    MRU Teacher

  • Trusted Malware Techs
  • 1,523 posts
  • Location:Manchester (UK)


Posted 15 May 2009 - 08:43 AM

The items that Spybot found look to be a couple of leftovers, I wouldn't worry about them. The A-Squared items look to be related to Routers, so I would leave those alone. I suspect they are a false positive.
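For anyone wanting to check registry "traces" like the ones in the two logs above before deciding whether to act on them, the following added example (not code from the thread or from either scanner) parses the scanner lines, folds the HKEY_CLASSES_ROOT and HKEY_LOCAL_MACHINE\SOFTWARE\Classes entries together (HKCR is a merged view of HKLM\SOFTWARE\Classes and HKCU\Software\Classes, so one COM registration shows up twice, which is why a-squared reports 14 traces for 7 CLSIDs), names the well-known service SIDs that Spybot's HKEY_USERS paths belong to, and, when run on Windows, reads each CLSID's InprocServer32 default value to show which DLL the class points at. The sample log is a constructed subset of the posted lines; the script makes no judgement about whether anything is malicious, it only shows what the flagged keys register.

```python
"""Registry-trace triage for a-squared CLSID hits and Spybot HKEY_USERS hits
(added example, not code from the thread). Collapses duplicate reports of the
same CLSID across HKCR/HKLM, names well-known SIDs, and on Windows resolves
InprocServer32 to the registered DLL path."""
import re
import sys

WELL_KNOWN_SIDS = {
    "S-1-5-18": r"NT AUTHORITY\SYSTEM",
    "S-1-5-19": r"NT AUTHORITY\LOCAL SERVICE",
    "S-1-5-20": r"NT AUTHORITY\NETWORK SERVICE",
}

CLSID_LINE = re.compile(
    r"^Value: (HKEY_[A-Z_]+)\\(?:SOFTWARE\\Classes\\)?CLSID\\(\{[0-9A-Fa-f-]+\})"
    r"\\InprocServer32 --> (\S+) detected: (.+)$")
USERS_LINE = re.compile(r"^HKEY_USERS\\(S-1-5-\d+)\\(.+)$")

# Constructed sample: a subset of the lines from the two scan logs above.
SAMPLE_LOG = r"""
Value: HKEY_CLASSES_ROOT\CLSID\{0C1F87AE-AE62-11D3-911C-00105A17B608}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2
Value: HKEY_CLASSES_ROOT\CLSID\{371D0743-7A57-11D2-AD5A-00105A17B608}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2
Value: HKEY_CLASSES_ROOT\CLSID\{CA4FC24B-C65C-11D1-AA6F-000000000000}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0C1F87AE-AE62-11D3-911C-00105A17B608}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{371D0743-7A57-11D2-AD5A-00105A17B608}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CA4FC24B-C65C-11D1-AA6F-000000000000}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2
Win32.Agent.pz: [SBI $7EC6899E] Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Network\UID
Win32.Agent.pz: [SBI $8980C6CD] Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Network\UID
"""


def group_clsids(log: str) -> dict:
    """Map each CLSID to the hives it was reported under plus the value and
    detection name, so HKCR/HKLM duplicates collapse to one class."""
    found = {}
    for line in log.splitlines():
        m = CLSID_LINE.match(line.strip())
        if not m:
            continue
        hive, clsid, value, detection = m.groups()
        entry = found.setdefault(clsid.upper(),
                                 {"hives": set(), "value": value, "detection": detection})
        entry["hives"].add(hive)
    return found


def name_user_hives(log: str) -> list:
    """Return (sid, account name or 'unknown', subkey) for HKEY_USERS paths."""
    out = []
    for line in log.splitlines():
        m = USERS_LINE.match(line.strip())
        if m:
            sid, subkey = m.groups()
            out.append((sid, WELL_KNOWN_SIDS.get(sid, "unknown"), subkey))
    return out


def resolve_inprocserver32(clsid: str):
    """Windows only: return (dll_path, threading_model) registered for clsid,
    or None when not on Windows or the key is absent."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT,
                            "CLSID\\" + clsid + "\\InprocServer32") as key:
            dll, _ = winreg.QueryValueEx(key, "")   # "" is the default value
            try:
                model, _ = winreg.QueryValueEx(key, "ThreadingModel")
            except FileNotFoundError:
                model = ""
            return dll, model
    except FileNotFoundError:
        return None


def report(log: str) -> list:
    """One row per distinct CLSID, then one row per HKEY_USERS hit."""
    rows = []
    for clsid, info in sorted(group_clsids(log).items()):
        resolved = resolve_inprocserver32(clsid)
        rows.append((clsid, sorted(info["hives"]), info["detection"],
                     resolved[0] if resolved else "(not resolved on this host)"))
    for sid, account, subkey in name_user_hives(log):
        rows.append((sid, [account], "HKEY_USERS value", subkey))
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(" | ".join(str(col) for col in row))
```

On the XP machine in question the DLL path printed for each CLSID is the thing to look at: a DLL that exists, belongs to a known installed product and is signed is the usual shape of a false positive, while a missing DLL is a dead registration that can be left alone, and an unexpected DLL in a temp or profile folder is what would justify a closer look. The S-1-5-19 and S-1-5-20 hives are the LOCAL SERVICE and NETWORK SERVICE accounts, which is why Spybot's hits there are values under service profiles rather than under the logged-on user.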



