Malware Removal & HijackThis Logs
05-May-2008, 07:11 AM
#1

Trojan Horse

Hello all! Yesterday while browsing, a little popup appeared (the dreaded yellow triangle) to tell me my comp is infected, and there is an installer.exe on my desktop that I can't get rid of. My AVG pops up and says threat detected while opening c36kw092\install[1] Trojan horse SHeur.BHNQ. Any help would be greatly appreciated! Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:11:30 AM, on 5/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\priya\Application Data\qblua.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Windows Adapter 5.1.3214] C:\Documents and Settings\priya\Application Data\qblua.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {775879E2-7309-4619-BB02-AADE41F4B690} (CPlayFirstdreamControl Object) - http://www.shockwave.com/content/dre...b.1.0.0.10.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - http://www.shockwave.com/content/wed...h.1.0.0.47.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
05-May-2008, 10:36 PM
#2

Wow, no replies at all? Maybe I didn't pose the question right... I have some sort of virus or spyware on the computer and it won't go away no matter how many scans or cleanups I run. I included the HijackThis log, please help...
10-May-2008, 07:57 PM
#3

Ahh bella6100, you added your own response here and gave this the appearance of a thread with a reply. I only took a look on a hunch.

Infection is showing here. If you have not yet resolved the issues, let's get a more current and detailed look, and then start some repairs.

To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done by right-clicking the software's Taskbar icons, or by accessing each program through Start - Programs.

Download Deckard's System Scanner (dss.exe) to your Desktop.

Note: You must be logged onto an account with administrator privileges.

Making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

"%userprofile%\desktop\dss.exe" /config

When the DSS Configuration display opens, click the "Check All" button (if the "Uncheck All" button shows, click that, then click "Check All").

Next, under Main Log, uncheck the following:
System Restore
Temp Cleanup
Process Modules

Then under Options, place a check next to the following:
Backup Registry Hives

Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

Once the scan has completed a textbox will appear - copy/paste those contents back here (main.txt). Also a second text file, extra.txt, will show as minimized in your Task Bar. Maximize/open this, and copy/paste those contents back here along with the main.txt please. (The logs can also be found in the C:\Deckard\System Scanner folder.) You can use extra posts here if needed for that.
13-May-2008, 09:46 PM
#4

Hey, thanks so much for your response. Here are the scan results:

main.txt:

Deckard's System Scanner v20071014.68
Run by priya on 2008-05-13 20:42:56
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.

-- HijackThis (run as priya.exe) -----------------------------------------------

Unable to find log (file not found); running clone.

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-13 20:43:22
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG8\avgwdsvc.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\AVG\AVG8\avgam.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\AVG\AVG8\avgnsx.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\priya\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get...irector/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/downlo...eckControl.cab
O16 - DPF: {775879E2-7309-4619-BB02-AADE41F4B690} (CPlayFirstdreamControl Object) - http://www.shockwave.com/content/dre...b.1.0.0.10.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_03) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get.../ultrashim.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - http://www.shockwave.com/content/wed...h.1.0.0.47.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

-- End of file - 6191 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 npkcrypt - c:\nexon\maplestory\npkcrypt.sys <Not Verified; INCA Internet Co., Ltd.; nProtect KeyCrypt Driver>
S3 XDva031 - c:\windows\system32\xdva031.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2008-05-12 20:18:12 422 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{A87BD64A-FE06-4FB4-AF3D-4B70C45809FF}.job
2008-05-10 18:35:03 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2008-04-13 and 2008-05-13 -----------------------------

2008-05-05 22:58:49 0 d-------- C:\Program Files\MSXML 6.0
2008-05-05 18:38:46 0 d--h----- C:\$AVG8.VAULT$
2008-05-05 18:32:23 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-05 18:32:17 0 d-------- C:\Program Files\AVG
2008-05-05 18:32:16 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-04 17:54:39 0 d-------- C:\Program Files\Lavasoft
2008-05-04 17:54:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-04 17:54:13 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-04 17:07:19 0 d--h----- C:\WINDOWS\PIF
2008-05-04 09:40:35 2828 --ahs---- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-05-04 09:40:35 88 -r-hs---- C:\Documents and Settings\All Users\Application Data\1F630D2472.sys
2008-05-04 09:40:21 0 d-------- C:\Documents and Settings\priya\Application Data\Corel
2008-05-04 08:55:28 0 d-------- C:\Documents and Settings\priya\.gimp-2.4
2008-05-04 08:40:54 0 d-------- C:\Program Files\Paint.NET
2008-04-27 09:48:12 0 d-------- C:\Documents and Settings\All Users\Application Data\TomTom
2008-04-23 06:01:32 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-04-23 06:01:32 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-23 06:01:32 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-04-23 06:01:32 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-04-23 06:01:32 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-23 06:01:31 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-04-23 06:01:31 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-04-23 06:01:31 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-23 06:01:31 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-04-23 06:01:31 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-04-23 06:01:31 413696 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2008-04-23 06:01:31 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-23 06:01:31 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-04-23 06:01:31 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-04-21 18:32:03 0 d-------- C:\Documents and Settings\priya\Application Data\Viewpoint
2008-04-20 08:40:18 1160 --a------ C:\WINDOWS\mozver.dat
2008-04-15 20:47:53 0 d-------- C:\Program Files\uTorrent
2008-04-15 20:47:47 0 d-------- C:\Documents and Settings\priya\Application Data\uTorrent
2008-04-14 05:45:14 0 d-------- C:\WINDOWS\pss

-- Find3M Report ---------------------------------------------------------------

2008-05-11 22:07:19 0 d-------- C:\Documents and Settings\priya\Application Data\LimeWire
2008-05-05 21:39:30 33 --a------ C:\Documents and Settings\priya\Application Data\install.ini
2008-05-04 17:54:13 0 d-------- C:\Program Files\Common Files
2008-04-27 09:43:47 0 d-------- C:\Program Files\TomTom HOME
2008-04-20 08:40:27 0 d-------- C:\Documents and Settings\priya\Application Data\Adobe
2008-04-14 05:47:23 0 d-------- C:\Program Files\Yahoo!
2008-04-08 22:45:43 0 d-------- C:\Program Files\Common Files\AOL
2008-04-06 22:32:07 0 d-------- C:\Documents and Settings\priya\Application Data\OpenOffice.org2
2008-04-01 20:36:47 0 d-------- C:\Program Files\Viewpoint
2008-03-22 10:26:23 0 d-------- C:\Documents and Settings\priya\Application Data\mIRC
2008-03-22 10:01:11 0 d-------- C:\Program Files\mIRC
2008-03-22 09:31:29 0 d-------- C:\Program Files\LimeWire
2008-03-16 13:08:16 0 d-------- C:\Program Files\Windows Live
2008-03-16 13:07:25 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 06:24 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 08:51 PM]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME\TomTomHOME.exe" [03/14/2007 04:52 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [05/05/2008 06:32 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VIA RAID TOOL.lnk - C:\Program Files\VIA\RAID\raid_tool.exe [10/27/2007 7:24:05 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^D-Link AirPlus DWL-120+ Wireless USB Adapter.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\D-Link AirPlus DWL-120+ Wireless USB Adapter.lnk
backup=C:\WINDOWS\pss\D-Link AirPlus DWL-120+ Wireless USB Adapter.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60eea9c3-840c-11dc-a8ca-806d6172696f}]
AutoRun\command- E:\Autorun.exe root.ini

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{82cb7624-dc19-11dc-a984-00508d70ba15}]
AutoRun\command- F:\InstallTomTomHOME.exe

-- End of Deckard's System Scanner: finished at 2008-05-13 20:43:54 ------------
13-May-2008, 09:46 PM
#5

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Celeron(R) CPU 2.40GHz
Percentage of Memory in Use: 21%
Physical Memory (total/avail): 2815.48 MiB / 2200.27 MiB
Pagefile Memory (total/avail): 4707.41 MiB / 4241.64 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1928.93 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 31.48 GiB total, 9.77 GiB free.
D: is CDROM (CDFS)
E: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - Maxtor 6L120P0 - 31.49 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 31.48 GiB - C:

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: AVG Anti-Virus v8.0 (AVG Technologies)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Nexon\\MapleStory\\MapleStory.exe"="C:\\Nexon\\MapleStory\\MapleStory.exe:*:Enabled:MapleStory"
"C:\\Nexon\\MapleStory\\Patcher.exe"="C:\\Nexon\\MapleStory\\Patcher.exe:*:Enabled:Patcher MFC ?? ????"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\GameFlier\\GhostOnline\\game.exe"="C:\\Program Files\\GameFlier\\GhostOnline\\game.exe:*:Enabled:game"
"C:\\WINDOWS\\system32\\rtcshare.exe"="C:\\WINDOWS\\system32\\rtcshare.exe:*:Enabled:RTC App Sharing"
"C:\\iTunes.exe"="C:\\iTunes.exe:*:Enabled:iTunes"
"C:\\Documents and Settings\\priya\\Desktop\\Songs\\OdinMs\\OdinMS.exe"="C:\\Documents and Settings\\priya\\Desktop\\Songs\\OdinMs\\OdinMS.exe:*:Enabled:MapleStory"
"C:\\Nexon\\MapleStory\\OdinMS.exe"="C:\\Nexon\\MapleStory\\OdinMS.exe:*:Enabled:MapleStory"
"C:\\Documents and Settings\\priya\\Desktop\\Songs\\MapleStory\\OdinMS.exe"="C:\\Documents and Settings\\priya\\Desktop\\Songs\\MapleStory\\OdinMS.exe:*:Enabled:MapleStory"
"C:\\Documents and Settings\\priya\\Desktop\\Songs\\New Folder\\WoW-BurningCrusade-enUS-Installer-downloader.exe"="C:\\Documents and Settings\\priya\\Desktop\\Songs\\New Folder\\WoW-BurningCrusade-enUS-Installer-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Documents and Settings\\priya\\Desktop\\Songs\\New Folder\\World of Warcraft\\Repair.exe"="C:\\Documents and Settings\\priya\\Desktop\\Songs\\New Folder\\World of Warcraft\\Repair.exe:*:Enabled:Blizzard Repair Utility"
"C:\\Nexon\\MapleStory\\OdinMS_nodc.exe"="C:\\Nexon\\MapleStory\\OdinMS_nodc.exe:*:Enabled:MapleStory"
"C:\\Nexon\\MapleStory\\odinms_new.exe"="C:\\Nexon\\MapleStory\\odinms_new.exe:*:Enabled:MapleStory"
"C:\\Nexon\\MapleStory\\LocalMS.exe"="C:\\Nexon\\MapleStory\\LocalMS.exe:*:Enabled:MapleStory"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\LocalMS\\LocalMS.exe"="C:\\Program Files\\LocalMS\\LocalMS.exe:*:Enabled:MapleStory"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\priya\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=BCM-B4E4E5E0A1F
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\priya
LOGONSERVER=\\BCM-B4E4E5E0A1F
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\priya\LOCALS~1\Temp
TMP=C:\DOCUME~1\priya\LOCALS~1\Temp
USERDOMAIN=BCM-B4E4E5E0A1F
USERNAME=priya
USERPROFILE=C:\Documents and Settings\priya
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

bcm (admin)
priya (admin)
Administrator (new local, admin)

-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81100000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Apple Mobile Device Support --> MsiExec.exe /I{3EBD3749-304E-4A4C-9575-C00E5F015217}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
AVG 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
D-Link AirPlus USB --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9C039633-4B58-4649-B8A5-5E08ABAA0ED7}\Setup.exe" -l0x9
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Fraps --> "C:\Fraps\uninstall.exe"
HijackThis 1.99.1 --> C:\Program Files\HijackThis\HijackThis.exe /uninstall
Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
LimeWire 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe"
MapleStory --> MsiExec.exe /I{A4722257-521C-48E6-9F8D-11B286645AD3}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
mIRC --> C:\Program Files\mIRC\uninstall.exe _?=C:\Program Files\mIRC
Mozilla Firefox (2.0.0.12) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
OpenOffice.org 2.3 --> MsiExec.exe /I{2F29D6D2-824E-4FEF-8AED-7013F39F642A}
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
TomTom HOME --> C:\Program Files\InstallShield Installation Information\{CE325D55-FCAF-4273-BB79-069BB8747270}\setup.exe -runfromtemp -l0x0009 -removeonly -removeonly
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe

-- Application Event Log -------------------------------------------------------

Event Record #/Type2683 / Success
Event Submitted/Written: 05/13/2008 08:23:29 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type2674 / Success
Event Submitted/Written: 05/12/2008 09:35:52 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type2673 / Error
Event Submitted/Written: 05/12/2008 06:39:55 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application avgscanx.exe, version 8.0.0.80, faulting module avgcorex.dll, version 8.0.0.88, fault address 0x001988bf.
Processing media-specific event for [avgscanx.exe!ws!]

Event Record #/Type2650 / Success
Event Submitted/Written: 05/11/2008 04:24:12 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type2645 / Error
Event Submitted/Written: 05/10/2008 09:02:23 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16640, faulting module mshtml.dll, version 7.0.6000.16640, fault address 0x000cdc85.
Processing media-specific event for [iexplore.exe!ws!]

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type7692 / Warning
Event Submitted/Written: 05/13/2008 07:29:03 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type7670 / Warning
Event Submitted/Written: 05/12/2008 07:19:15 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type7648 / Warning
Event Submitted/Written: 05/11/2008 10:02:29 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type7647 / Warning
Event Submitted/Written: 05/11/2008 08:11:49 PM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time for 49152 seconds because none of the time providers has been able to provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type7644 / Warning
Event Submitted/Written: 05/11/2008 07:40:31 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

-- End of Deckard's System Scanner: finished at 2008-05-13 20:43:54 ------------
13-May-2008, 11:02 PM
#6
The one infection entry no longer shows there. But since it looks enough like an SDBot-type infection, we will go ahead with some known repairs for that. There is also an E drive autoloading function that is pretty suspect there. Do you run game DVDs or something similar off the E drive that would require preset autoloading?

To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each program through Start - Programs.

Download SDFix.exe and save it to your desktop. Then disconnect from net access. If cable/DSL, physically disconnect the modem cable; if dial-up, disconnect the phone line. This will keep the infection from reinstalling right now.

===================================================

Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).
In Safe Mode, click the SDFix.exe and allow it to extract to its own folder (C:\SDFix).
Navigate to that folder and double-click RunThis.bat to start the script.
Next type Y to begin the script.
Once the fix has run it will prompt you to restart your computer. Press any key to restart at this time.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Then open the C:\SDFix folder and copy and paste the contents of the results file Report.txt back here.

=============================

After the reboot, reconnect to net access and download Malwarebytes' Anti-Malware from Here or Here.
Double-click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.
If it calls for a reboot to complete the repairs, do that as well.

============================

Then, still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

"%userprofile%\desktop\dss.exe" /config

When the DSS Configuration display opens, click the "Check All" button.
Next, under Main Log, again uncheck the following:
System Restore
Temp Cleanup
Process Modules
Then under Extra Log, uncheck all the boxes except this one:
Security Center
Don't make any other changes at this time.
Then click the "Scan!" button to start the scan.
Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt).
(The logs can also be found in the C:\Deckard\System Scanner folder)

Post that along with the Malwarebytes log and the SDFix Report.txt log please.
13-May-2008, 11:55 PM
#7
The only CD thing I have that is prompting the autorun is ABIT VIA Chipset Series MB... to be honest, I don't even know what that is for....

SDFix: Version 1.182
Run by Administrator on Tue 05/13/2008 at 10:43 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-13 22:50:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Nexon\\MapleStory\\MapleStory.exe"="C:\\Nexon\\MapleStory\\MapleStory.exe:*:Enabled:MapleStory"
"C:\\Nexon\\MapleStory\\Patcher.exe"="C:\\Nexon\\MapleStory\\Patcher.exe:*:Enabled:Patcher MFC ?? ????"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\GameFlier\\GhostOnline\\game.exe"="C:\\Program Files\\GameFlier\\GhostOnline\\game.exe:*:Enabled:game"
"C:\\WINDOWS\\system32\\rtcshare.exe"="C:\\WINDOWS\\system32\\rtcshare.exe:*:Enabled:RTC App Sharing"
"C:\\iTunes.exe"="C:\\iTunes.exe:*:Enabled:iTunes"
"C:\\Documents and Settings\\priya\\Desktop\\Songs\\OdinMs\\OdinMS.exe"="C:\\Documents and Settings\\priya\\Desktop\\Songs\\OdinMs\\OdinMS.exe:*:Enabled:MapleStory"
"C:\\Nexon\\MapleStory\\OdinMS.exe"="C:\\Nexon\\MapleStory\\OdinMS.exe:*:Enabled:MapleStory"
"C:\\Documents and Settings\\priya\\Desktop\\Songs\\MapleStory\\OdinMS.exe"="C:\\Documents and Settings\\priya\\Desktop\\Songs\\MapleStory\\OdinMS.exe:*:Enabled:MapleStory"
"C:\\Documents and Settings\\priya\\Desktop\\Songs\\New Folder\\WoW-BurningCrusade-enUS-Installer-downloader.exe"="C:\\Documents and Settings\\priya\\Desktop\\Songs\\New Folder\\WoW-BurningCrusade-enUS-Installer-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Documents and Settings\\priya\\Desktop\\Songs\\New Folder\\World of Warcraft\\Repair.exe"="C:\\Documents and Settings\\priya\\Desktop\\Songs\\New Folder\\World of Warcraft\\Repair.exe:*:Enabled:Blizzard Repair Utility"
"C:\\Nexon\\MapleStory\\OdinMS_nodc.exe"="C:\\Nexon\\MapleStory\\OdinMS_nodc.exe:*:Enabled:MapleStory"
"C:\\Nexon\\MapleStory\\odinms_new.exe"="C:\\Nexon\\MapleStory\\odinms_new.exe:*:Enabled:MapleStory"
"C:\\Nexon\\MapleStory\\LocalMS.exe"="C:\\Nexon\\MapleStory\\LocalMS.exe:*:Enabled:MapleStory"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\LocalMS\\LocalMS.exe"="C:\\Program Files\\LocalMS\\LocalMS.exe:*:Enabled:MapleStory"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun  4 May 2008        88 ..SHR --- "C:\Documents and Settings\All Users\Application Data\1F630D2472.sys"
Sun  4 May 2008     2,828 A.SH. --- "C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys"
Sat 27 Oct 2007     4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed  7 May 2008         0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT1.tmp"
Sat 27 Oct 2007         0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fe95c915e785c18bf9cc0792fb5a73df\BIT1.tmp"

Finished!

Last edited by bella6100 : 14-May-2008 12:18 AM.
14-May-2008, 12:14 AM
#8
Malwarebytes' Anti-Malware 1.12
Database version: 745

Scan type: Quick Scan
Objects scanned: 52420
Time elapsed: 10 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: AVG Anti-Virus v8.0 (AVG Technologies)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Nexon\\MapleStory\\MapleStory.exe"="C:\\Nexon\\MapleStory\\MapleStory.exe:*:Enabled:MapleStory"
"C:\\Nexon\\MapleStory\\Patcher.exe"="C:\\Nexon\\MapleStory\\Patcher.exe:*:Enabled:Patcher MFC ?? ????"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\GameFlier\\GhostOnline\\game.exe"="C:\\Program Files\\GameFlier\\GhostOnline\\game.exe:*:Enabled:game"
"C:\\WINDOWS\\system32\\rtcshare.exe"="C:\\WINDOWS\\system32\\rtcshare.exe:*:Enabled:RTC App Sharing"
"C:\\iTunes.exe"="C:\\iTunes.exe:*:Enabled:iTunes"
"C:\\Documents and Settings\\priya\\Desktop\\Songs\\OdinMs\\OdinMS.exe"="C:\\Documents and Settings\\priya\\Desktop\\Songs\\OdinMs\\OdinMS.exe:*:Enabled:MapleStory"
"C:\\Nexon\\MapleStory\\OdinMS.exe"="C:\\Nexon\\MapleStory\\OdinMS.exe:*:Enabled:MapleStory"
"C:\\Documents and Settings\\priya\\Desktop\\Songs\\MapleStory\\OdinMS.exe"="C:\\Documents and Settings\\priya\\Desktop\\Songs\\MapleStory\\OdinMS.exe:*:Enabled:MapleStory"
"C:\\Documents and Settings\\priya\\Desktop\\Songs\\New Folder\\WoW-BurningCrusade-enUS-Installer-downloader.exe"="C:\\Documents and Settings\\priya\\Desktop\\Songs\\New Folder\\WoW-BurningCrusade-enUS-Installer-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Documents and Settings\\priya\\Desktop\\Songs\\New Folder\\World of Warcraft\\Repair.exe"="C:\\Documents and Settings\\priya\\Desktop\\Songs\\New Folder\\World of Warcraft\\Repair.exe:*:Enabled:Blizzard Repair Utility"
"C:\\Nexon\\MapleStory\\OdinMS_nodc.exe"="C:\\Nexon\\MapleStory\\OdinMS_nodc.exe:*:Enabled:MapleStory"
"C:\\Nexon\\MapleStory\\odinms_new.exe"="C:\\Nexon\\MapleStory\\odinms_new.exe:*:Enabled:MapleStory"
"C:\\Nexon\\MapleStory\\LocalMS.exe"="C:\\Nexon\\MapleStory\\LocalMS.exe:*:Enabled:MapleStory"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\LocalMS\\LocalMS.exe"="C:\\Program Files\\LocalMS\\LocalMS.exe:*:Enabled:MapleStory"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"

-- End of Deckard's System Scanner: finished at 2008-05-13 23:11:40 ------------

main.txt

Deckard's System Scanner v20071014.68
Run by priya on 2008-05-13 23:11:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as priya.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:11:17 PM, on 5/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\priya\desktop\dss.exe
C:\PROGRA~1\HIJACK~1\priya.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {775879E2-7309-4619-BB02-AADE41F4B690} (CPlayFirstdreamControl Object) - http://www.shockwave.com/content/dre...b.1.0.0.10.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - http://www.shockwave.com/content/wed...h.1.0.0.47.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 npkcrypt - c:\nexon\maplestory\npkcrypt.sys <Not Verified; INCA Internet Co., Ltd.; nProtect KeyCrypt Driver>
R3 catchme - c:\docume~1\priya\locals~1\temp\catchme.sys (file missing)
S3 XDva031 - c:\windows\system32\xdva031.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2008-05-13 21:14:09 422 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{A87BD64A-FE06-4FB4-AF3D-4B70C45809FF}.job
2008-05-10 18:35:03 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2008-04-13 and 2008-05-13 -----------------------------

2008-05-13 22:57:47 0 d-------- C:\Documents and Settings\priya\Application Data\Malwarebytes
2008-05-13 22:57:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-13 22:57:34 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-13 22:39:51 0 d-------- C:\WINDOWS\ERUNT
2008-05-05 22:58:49 0 d-------- C:\Program Files\MSXML 6.0
2008-05-05 18:38:46 0 d--h----- C:\$AVG8.VAULT$
2008-05-05 18:32:23 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-05 18:32:17 0 d-------- C:\Program Files\AVG
2008-05-05 18:32:16 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-04 17:54:39 0 d-------- C:\Program Files\Lavasoft
2008-05-04 17:54:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-04 17:54:13 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-04 17:07:19 0 d--h----- C:\WINDOWS\PIF
2008-05-04 09:40:35 2828 --ahs---- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
2008-05-04 09:40:35 88 -r-hs---- C:\Documents and Settings\All Users\Application Data\1F630D2472.sys
2008-05-04 09:40:21 0 d-------- C:\Documents and Settings\priya\Application Data\Corel
2008-05-04 08:55:28 0 d-------- C:\Documents and Settings\priya\.gimp-2.4
2008-05-04 08:40:54 0 d-------- C:\Program Files\Paint.NET
2008-04-27 09:48:12 0 d-------- C:\Documents and Settings\All Users\Application Data\TomTom
2008-04-23 06:01:32 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-04-23 06:01:32 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-04-23 06:01:32 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-04-23 06:01:32 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-04-23 06:01:32 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-04-23 06:01:31 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-04-23 06:01:31 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-04-23 06:01:31 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-04-23 06:01:31 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-04-23 06:01:31 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-04-23 06:01:31 524288 --a------ C:\Documents and Settings\Administrator\NTUSER.DAT
2008-04-23 06:01:31 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-04-23 06:01:31 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-04-23 06:01:31 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-04-21 18:32:03 0 d-------- C:\Documents and Settings\priya\Application Data\Viewpoint
2008-04-20 08:40:18 1160 --a------ C:\WINDOWS\mozver.dat
2008-04-15 20:47:53 0 d-------- C:\Program Files\uTorrent
2008-04-15 20:47:47 0 d-------- C:\Documents and Settings\priya\Application Data\uTorrent
2008-04-14 05:45:14 0 d-------- C:\WINDOWS\pss

-- Find3M Report ---------------------------------------------------------------

2008-05-11 22:07:19 0 d-------- C:\Documents and Settings\priya\Application Data\LimeWire
2008-05-05 21:39:30 33 --a------ C:\Documents and Settings\priya\Application Data\install.ini
2008-05-04 17:54:13 0 d-------- C:\Program Files\Common Files
2008-04-27 09:43:47 0 d-------- C:\Program Files\TomTom HOME
2008-04-20 08:40:27 0 d-------- C:\Documents and Settings\priya\Application Data\Adobe
2008-04-14 05:47:23 0 d-------- C:\Program Files\Yahoo!
2008-04-08 22:45:43 0 d-------- C:\Program Files\Common Files\AOL
2008-04-06 22:32:07 0 d-------- C:\Documents and Settings\priya\Application Data\OpenOffice.org2
2008-04-01 20:36:47 0 d-------- C:\Program Files\Viewpoint
2008-03-22 10:26:23 0 d-------- C:\Documents and Settings\priya\Application Data\mIRC
2008-03-22 10:01:11 0 d-------- C:\Program Files\mIRC
2008-03-22 09:31:29 0 d-------- C:\Program Files\LimeWire
2008-03-16 13:08:16 0 d-------- C:\Program Files\Windows Live
2008-03-16 13:07:25 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 06:24 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/2007 02:11 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 08:51 PM]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME\TomTomHOME.exe" [03/14/2007 04:52 PM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [05/05/2008 06:32 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VIA RAID TOOL.lnk - C:\Program Files\VIA\RAID\raid_tool.exe [10/27/2007 7:24:05 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^D-Link AirPlus DWL-120+ Wireless USB Adapter.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\D-Link AirPlus DWL-120+ Wireless USB Adapter.lnk
backup=C:\WINDOWS\pss\D-Link AirPlus DWL-120+ Wireless USB Adapter.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60eea9c2-840c-11dc-a8ca-806d6172696f}]
AutoRun\command- D:\autoplay.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60eea9c3-840c-11dc-a8ca-806d6172696f}]
AutoRun\command- E:\Autorun.exe root.ini

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{82cb7624-dc19-11dc-a984-00508d70ba15}]
AutoRun\command- F:\InstallTomTomHOME.exe

-- End of Deckard's System Scanner: finished at 2008-05-13 23:11:40 ------------
14-May-2008, 06:25 AM
#9
The drives show as CD-ROM, which would not be jump-off points for autorun-type infections. The one unknown file showing earlier, qblua.exe, no longer shows, so although our two scans located nothing, some change done there seems to have stopped or removed that.

Go here and run the Kaspersky online scan, and post back the log it creates (it requires IE). To use the scan, accept the agreement and make sure you allow the ActiveX object to download and install (check the "yellow bar" at the top of IE if needed to allow this). Once the download has completed click Next, then Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click "My Computer" to begin the scan.

Save the Report as a text file and post that back here. To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop-down you change it to "Text File(*.txt)". Post back that log please.
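The helper's reading of these logs comes down to three checks: which firewall exceptions and running processes point at executables in user-writable locations (the Desktop\Songs\OdinMS.exe exceptions, C:\iTunes.exe at the drive root, the earlier qblua.exe in Application Data), and which MountPoints2 AutoRun commands are worth a second look. The script below is an added example of that triage written by the editor of this page, not a tool from the thread or part of SDFix, DSS or HijackThis. It parses a constructed, abbreviated sample in the shape of the three log sections above (the full logs are not embedded); the %windir% expansion to C:\WINDOWS is an assumption.

```python
import re
from typing import List, NamedTuple

# Constructed sample in the shape of the SDFix "Authorized Application Key
# Export", the HijackThis "Running processes" list and the DSS MountPoints2
# dump posted in the thread. Abbreviated; not the full logs.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Documents and Settings\\priya\\Desktop\\Songs\\OdinMs\\OdinMS.exe"="C:\\Documents and Settings\\priya\\Desktop\\Songs\\OdinMs\\OdinMS.exe:*:Enabled:MapleStory"
"C:\\iTunes.exe"="C:\\iTunes.exe:*:Enabled:iTunes"

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\priya\Application Data\qblua.exe
C:\Program Files\HijackThis\HijackThis.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60eea9c3-840c-11dc-a8ca-806d6172696f}]
AutoRun\command- E:\Autorun.exe root.ini
'''


class FwException(NamedTuple):
    path: str
    enabled: bool
    display_name: str


class Finding(NamedTuple):
    source: str      # "firewall", "process" or "autorun"
    path: str
    reasons: tuple


FW_LINE = re.compile(r'^"(?P<key>[^"]+)"="(?P<val>[^"]+)"$')
AUTORUN_LINE = re.compile(r'^AutoRun\\command-\s*(?P<cmd>.+)$')
DRIVE_PATH = re.compile(r'^[A-Za-z]:\\')


def normalize(path: str) -> str:
    # A .reg export doubles every backslash; %windir% -> C:\WINDOWS is assumed.
    path = path.replace("\\\\", "\\")
    return re.sub(r"(?i)%windir%", lambda _m: "C:\\WINDOWS", path)


def parse_firewall_exceptions(text: str) -> List[FwException]:
    out = []
    for line in text.splitlines():
        m = FW_LINE.match(line.strip())
        if not m:
            continue
        # Value layout: <path>:<scope>:<Enabled|Disabled>:<display name>.
        # The path carries its own ':' after the drive letter, so split from the right.
        parts = m.group("val").rsplit(":", 3)
        if len(parts) != 4:
            continue
        path, _scope, state, name = parts
        out.append(FwException(normalize(path), state.lower() == "enabled", name))
    return out


def parse_running_processes(text: str) -> List[str]:
    procs, in_section = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if DRIVE_PATH.match(line):
                procs.append(line)
            else:
                break            # first non-path line ends the list
    return procs


def parse_autorun_commands(text: str) -> List[str]:
    matches = (AUTORUN_LINE.match(l.strip()) for l in text.splitlines())
    return [m.group("cmd").strip() for m in matches if m]


def path_risks(path: str) -> List[str]:
    # Locations an XP user can write to without admin rights: the usual
    # drop points for an executable that should not be trusted or whitelisted.
    p = path.lower()
    reasons = []
    if "\\local settings\\temp\\" in p:
        reasons.append("runs from a temp folder")
    elif "\\documents and settings\\" in p:
        reasons.append("runs from a user profile (writable without admin rights)")
    if re.fullmatch(r"[a-z]:\\[^\\]+", p):
        reasons.append("executable sitting at a drive root")
    return reasons


def triage(text: str) -> List[Finding]:
    findings = []
    for exc in parse_firewall_exceptions(text):
        reasons = path_risks(exc.path)
        if exc.enabled and reasons:
            findings.append(Finding("firewall", exc.path, tuple(reasons)))
    for proc in parse_running_processes(text):
        reasons = path_risks(proc)
        if reasons:
            findings.append(Finding("process", proc, tuple(reasons)))
    for cmd in parse_autorun_commands(text):
        findings.append(Finding("autorun", cmd, (
            "MountPoints2 AutoRun command: confirm the drive is read-only media before dismissing it",)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.source}] {f.path}\n    " + "; ".join(f.reasons))
```

Run against the sample it reports the two firewall exceptions from the profile and the drive root, the process in Application Data, and the E: AutoRun command, while leaving sessmgr.exe, avginet.exe, svchost.exe and HijackThis.exe alone. A hit is a lead, not a verdict: the same check fires on a legitimate game client someone dropped on the Desktop, which is exactly why the helper asked about the E drive before touching anything.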




