
Action_Man (Premium, join: 2003-07-22, England) | edit: April 13th, @02:16PM
[Trojan] HJT log : A little help please.
I think I have met most of the criteria for posting (I hope).
I have the latest updates from Windows (XP).
I have Windows Firewall running.
I have done online scans.
I have AVG running, and have done so for several years.
I have Spybot S&D resident running.
If I run Spybot and do a full scan, my computer usually goes to a blue screen of death for some unknown reason.
The problem I'm having at the moment is that AVG keeps picking up viruses, mainly trojan horses. They aren't causing a great problem, but obviously I would like this to stop.
One other slight problem is that my ADSL modem keeps initialising itself and cutting me off from the internet, but this may be my ISP, I don't know.
Anyway, here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:11:24, on 13/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
F:\Program Files\Microsoft IntelliPoint\point32.exe
F:\WINDOWS\system32\RunDll32.exe
F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\WINDOWS\system32\rundll32.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
F:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
F:\WINDOWS\System32\nvsvc32.exe
F:\windows\System32\PnkBstrA.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\GIGABYTE\VGA Utility Manager\Utility.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\Common Files\Teleca Shared\Generic.exe
F:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = »www.btopenworld.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {22D8E815-4A5E-4dfb-845E-AAB64207F5BD} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {92085AD4-F48A-450d-BD93-B28CC7DF67CE} - (no file)
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\windows\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IntelliPoint] "F:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [C6501Sound] RunDll32 c6501.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IMJPMIG8.1] "F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] F:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\windows\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "F:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Photo Downloader] "F:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunServices: [tk] F:\windows\System32\tk.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: GIGABYTE VGA Utility.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: eBay Search - res://F:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···1267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - »go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »www.update.microsoft.com/microso···69248809
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - »www.nvidia.com/content/DriverDow···lab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - »www.update.microsoft.com/microso···69228778
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···1267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - »messenger.zone.msn.com/binary/ZI···2846.cab
O16 - DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} (Image Uploader 3.0 Control) - »www.tescophoto.com/wpp/tesco//ap···ader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{35D0F5A8-55A1-4A1F-8B09-483A09054769}: NameServer = 194.74.65.69 62.6.40.178
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - F:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - F:\windows\System32\PnkBstrA.exe
O23 - Service: Start BT in service - Unknown owner - F:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
And here is a selection of the types of trojans I'm getting:
(screenshot of the AVG detections; image not reproduced in this text)
-- »www.supermacro.net/ »www.flickr.com/photos/action_man/

Action_Man (Premium, join: 2003-07-22, England)
One more thing, my network icon has been removed from the notification area. I know how to get it back but it won't let me; I suspect it doesn't want me to see the activity ...
-- »www.supermacro.net/ »www.flickr.com/photos/action_man/

bcastner (Premium, MVM, join: 2002-09-25, Chevy Chase, MD; clubs: Verizon Online DSL)
reply to Action_Man
I can deal with every issue in your screenshot but Virut, as it is a file injector. If it has not gotten very far, it is possible (no great hopes, now), possible, this computer can be recovered. Most malware removal folks, when they see Virut, recommend a clean reinstall. I happen to agree with them.
Let's see how it goes; I am not optimistic. In a later session we will have to deal with Virut by itself.
First Steps

The following instructions are only for this Forum member. Please do not use these instructions on another computer system. You can seriously damage your system by following the instructions below without guided assistance. You assuredly will make a cleanup of your system more difficult.

TeaTimer is an excellent tool for the prevention of spyware, but it can sometimes prevent HijackThis from fixing certain things. Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
• Open Spybot Search & Destroy.
• In the Mode menu click "Advanced mode" if not already selected.
• Choose Yes at the Warning prompt.
• Expand the Tools menu.
• Click Resident.
• Uncheck the "Resident 'TeaTimer' (Protection of overall system settings) active" box.
• In the File menu click Exit to exit Spybot Search & Destroy.
• Download and unzip to your Desktop: »www.techsupportforum.com/sectool···imer.zip
• Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

Please download ATF Cleaner. It does not require any installation. It is set up to clean Windows TEMP folders, as well as IE, Firefox and Opera Temporary Internet Files and Cookies.
• Double-click ATF-Cleaner.exe to run the program.
• Under Main choose: Select All
• Click the Empty Selected button.
Next, if you use Firefox (and some Mozilla-based browsers):
• Click Firefox at the top and choose: Select All
• Click the Empty Selected button.
Next, if you use the Opera browser:
• Click Opera at the top and choose: Select All
• Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Reconfigure Windows XP to show hidden files. To enable the viewing of hidden files follow these steps:
• Close all programs so that you are at your desktop.
• Double-click on the My Computer icon.
• Select the Tools menu and click Folder Options.
• After the new window appears select the View tab.
• Put a checkmark in the checkbox labeled Display the contents of system folders.
• Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
• Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
• Remove the checkmark from the checkbox labeled Hide protected operating system files.
• Press the Apply button and then the OK button and exit My Computer.
• Now your computer is configured to show all hidden files.
Malware Removal Steps

1. Open HijackThis again, System scan only. Checkmark these items:

O2 - BHO: (no name) - {22D8E815-4A5E-4dfb-845E-AAB64207F5BD} - (no file)
O3 - Toolbar: (no name) - {92085AD4-F48A-450d-BD93-B28CC7DF67CE} - (no file)
O4 - HKLM\..\RunServices: [tk] F:\windows\System32\tk.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Click "Fix checked" and, when the log panel clears, exit HijackThis.
2. Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to the Windows Directory, C:\SDFix.

Please then reboot your computer in Safe Mode by doing the following:
• Restart your computer.
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
• Instead of Windows loading as normal, the Advanced Options Menu should appear.
• Select the first option, to run Windows in Safe Mode, then press [Enter].
• Choose your usual account.
• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
• Press any key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
• Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to the Clipboard, ready for posting back on the forum).
• For now, simply close Notepad.
3. Please download MalwareBytes Anti-malware (MBAM) from one of the following links:
Once downloaded, close all programs and windows on your computer (including this one).
Double-click on the icon on your desktop named Download_mbam-setup.exe. This will start the installation of MBAM onto your computer.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program.
On the Scanner tab, make sure the Perform quick scan option is selected and then click on the Scan button to start scanning your computer.
MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan.
When the scan is finished a message box will appear that it has completed scanning successfully. Click OK. Now click Show Results. Make sure all entries have a checkmark at their far left. You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine.
When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window. Remember where you saved the log file, as we will want to see it later.
4. Download and Run ComboFix. Download this file to your Desktop from any of these sources:

• Disconnect from the Internet.
• Disable your Antivirus software; this includes any Script Blocking feature it may have.

Important: Have no other programs running. Your Task Bar should be clear of any program entries, including your browser.
• A window will open with a warning. Accept any disclaimers to start the fix. When the scan completes, Notepad will open with your results log. Do a File, Exit and answer 'Yes' to save changes.
A caution: Do not run ComboFix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
5. Run HijackThis again, and save the log file.
Submit to the Forum:
• The contents of C:\SDFix\Report.txt;
• The contents of your MBAM log;
• The contents of C:\Combofix.txt;
• The new HijackThis log.
-- MS-MVP 2004-2008, ASAP Member, Users Helping Users
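The five "Fix checked" lines above follow from a handful of mechanical rules: an O2/O3 entry whose CLSID still resolves but whose DLL is gone, an O4 entry under RunServices, and any O6 Internet Explorer policy restriction. The script below is an added example (the editor's code, not part of this thread, of HijackThis, or of bcastner's instructions) that applies those rules to a HijackThis 2.0.x log and separately lists the O17 resolvers and O23 services with "Unknown owner" for manual review. The embedded sample is a constructed subset of the log posted above, one entry per line as HijackThis writes it, with "http://" restored where the forum replaced it with "»". A purely mechanical rule also lists the second orphaned BHO, {7E853D72-626A-48EC-A868-BA8D5E23E045}, which the fix list above does not include.

```python
"""Triage a Trend Micro HijackThis 2.0.x log.

Added example by the editor; not code from the thread or from Trend Micro.
'fix' rules mirror the helper's post above; 'review' rules only surface
entries a human should look at, they do not claim anything is malicious.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample: a subset of the log posted above.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:11:24, on 13/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {22D8E815-4A5E-4dfb-845E-AAB64207F5BD} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {92085AD4-F48A-450d-BD93-B28CC7DF67CE} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [tk] F:\windows\System32\tk.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O17 - HKLM\System\CCS\Services\Tcpip\..\{35D0F5A8-55A1-4A1F-8B09-483A09054769}: NameServer = 194.74.65.69 62.6.40.178
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: PnkBstrA - Unknown owner - F:\windows\System32\PnkBstrA.exe
"""

# R0-R3, F0-F3, N1-N4 and O1-O24 are the section codes HijackThis 2.0 uses.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")


@dataclass(frozen=True)
class Entry:
    section: str   # e.g. "O2"
    body: str      # everything after "O2 - "

    @property
    def raw(self) -> str:
        """The line exactly as HijackThis prints it (what you tick to fix)."""
        return f"{self.section} - {self.body}"


def parse_hjt(text: str) -> list[Entry]:
    """Return the scan entries of a log; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def nameservers(entries: list[Entry]) -> list[str]:
    """Resolver IPs from every O17 NameServer entry, in log order."""
    ips = []
    for e in entries:
        if e.section == "O17" and "NameServer =" in e.body:
            ips.extend(e.body.split("NameServer =", 1)[1].split())
    return ips


def triage(entries: list[Entry]) -> list[tuple[str, str, Entry]]:
    """Classify entries as 'fix' (tick in HijackThis) or 'review' (check by hand)."""
    findings = []
    for e in entries:
        if e.section in ("O2", "O3") and e.body.endswith("(no file)"):
            findings.append(("fix", "BHO/toolbar CLSID registered but its DLL is gone", e))
        elif e.section == "O4" and "RunServices" in e.body:
            findings.append(("fix", "RunServices autostart entry (the helper above has it removed)", e))
        elif e.section == "O6":
            findings.append(("fix", "IE lock-down policy; not present on a default XP install", e))
        elif e.section == "O17":
            ips = ", ".join(e.body.split("NameServer =", 1)[1].split())
            findings.append(("review", f"DNS resolvers {ips}; confirm they belong to the ISP", e))
        elif e.section == "O23" and " - Unknown owner - " in e.body:
            findings.append(("review", "service binary carries no publisher name", e))
    return findings


def fix_list(entries: list[Entry]) -> list[str]:
    """Lines to tick under 'Fix checked', in the order they appear in the log."""
    return [e.raw for kind, _, e in triage(entries) if kind == "fix"]


if __name__ == "__main__":
    # Usage: python hjt_triage.py [hijackthis.log]; defaults to the built-in sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for kind, why, e in triage(parse_hjt(text)):
        print(f"[{kind:6}] {why}\n         {e.raw}")
```

The "review" bucket is deliberately separate from "fix": the O17 resolvers and the two "Unknown owner" services in the posted log are exactly the kind of entry a rule cannot judge, so the script only surfaces them with the reason to look.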
Action_Man (Premium, join: 2003-07-22, England)
reply to Action_Man
I think these are the text files you have asked for. I won't get an answer from you this evening, I know, it's 12:30am here, so I will check back tomorrow. Thank you for all the help ...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:04:02, on 14/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
F:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
F:\WINDOWS\System32\nvsvc32.exe
F:\windows\System32\PnkBstrA.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\Microsoft IntelliPoint\point32.exe
F:\WINDOWS\system32\RunDll32.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
F:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\GIGABYTE\VGA Utility Manager\Utility.exe
F:\Program Files\Common Files\Teleca Shared\Generic.exe
F:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
F:\WINDOWS\explorer.exe
F:\WINDOWS\system32\NOTEPAD.EXE
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = »www.btopenworld.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {22D8E815-4A5E-4dfb-845E-AAB64207F5BD} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\windows\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IntelliPoint] "F:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [C6501Sound] RunDll32 c6501.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IMJPMIG8.1] "F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] F:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\windows\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "F:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Photo Downloader] "F:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunServices: [tk] F:\windows\System32\tk.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: GIGABYTE VGA Utility.lnk = ?
O8 - Extra context menu item: eBay Search - res://F:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···1267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - »go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »www.update.microsoft.com/microso···69248809
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - »www.nvidia.com/content/DriverDow···lab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - »www.update.microsoft.com/microso···69228778
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···1267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - »messenger.zone.msn.com/binary/ZI···2846.cab
O16 - DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} (Image Uploader 3.0 Control) - »www.tescophoto.com/wpp/tesco//ap···ader.cab
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - F:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - F:\windows\System32\PnkBstrA.exe
O23 - Service: Start BT in service - Unknown owner - F:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
ComboFix 08-04-13.1 - gordon 2008-04-13 23:58:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.624 [GMT 1:00]
Running from: F:\Documents and Settings\gordon\Desktop\ComboFix.exe
* Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-13 to 2008-04-13 )))))))))))))))))))))))))))))))
.
2008-04-13 23:43 . 2008-04-13 23:43 d-------- F:\Program Files\Malwarebytes' Anti-Malware
2008-04-13 23:43 . 2008-04-13 23:43 d-------- F:\Program Files\Common Files\Download Manager
2008-04-13 23:43 . 2008-04-13 23:43 d-------- F:\Documents and Settings\gordon\Application Data\Malwarebytes
2008-04-13 23:43 . 2008-04-13 23:43 d-------- F:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-13 23:22 . 2008-04-13 23:22 d-------- F:\WINDOWS\ERUNT
2008-04-13 23:15 . 2008-04-13 23:36 d-------- F:\SDFix
2008-04-13 19:10 . 2008-04-13 19:10 d-------- F:\Program Files\Trend Micro
2008-04-12 17:31 . 2008-04-12 17:31 279 --a------ F:\WINDOWS\wininit.ini
2008-04-12 15:12 . 2008-04-12 15:12 d-------- F:\Program Files\Disc2Phone
2008-04-12 14:18 . 2008-04-12 14:18 d-------- F:\Documents and Settings\gordon\Application Data\Teleca
2008-04-12 14:18 . 2008-04-12 14:18 d-------- F:\Documents and Settings\gordon\Application Data\Sony Ericsson
2008-04-12 14:15 . 2008-04-12 14:15 d-------- F:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-04-12 14:14 . 2008-04-12 14:15 d-------- F:\Program Files\Common Files\Teleca Shared
2008-04-12 14:14 . 2008-04-12 14:15 d-------- F:\Program Files\Common Files\Sony Ericsson Shared
2008-04-12 14:14 . 2008-04-12 14:15 d-------- F:\Documents and Settings\All Users\Application Data\Teleca
2008-04-12 13:57 . 2008-04-12 13:57 d-------- F:\WINDOWS\Provisioning
2008-04-12 13:57 . 2008-04-12 14:02 d-------- F:\WINDOWS\PeerNet
2008-04-12 13:57 . 2008-04-12 14:01 d-------- F:\WINDOWS\ehome
2008-04-12 13:24 . 2004-08-04 13:00 562,176 --a--c--- F:\WINDOWS\system32\dllcache\fxsst.dll
2008-04-12 13:23 . 2004-08-04 13:00 2,134,528 --a--c--- F:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-04-12 13:22 . 2004-08-04 13:00 221,184 --a------ F:\WINDOWS\system32\wmpns.dll
2008-04-12 13:20 . 2004-08-04 13:00 124,800 --a------ F:\WINDOWS\system32\drivers\fltMgr.sys
2008-04-12 13:20 . 2004-08-04 13:00 124,800 --a--c--- F:\WINDOWS\system32\dllcache\fltmgr.sys
2008-04-12 13:20 . 2004-08-04 13:00 81,920 --a--c--- F:\WINDOWS\system32\dllcache\msado27.tlb
2008-04-12 13:20 . 2004-08-04 13:00 22,528 --a------ F:\WINDOWS\system32\fltMc.exe
2008-04-12 13:20 . 2004-08-04 13:00 22,528 --a--c--- F:\WINDOWS\system32\dllcache\fltmc.exe
2008-04-12 13:20 . 2004-08-04 13:00 18,944 --a--c--- F:\WINDOWS\system32\dllcache\hscupd.exe
2008-04-12 13:20 . 2004-08-04 13:00 18,432 --a--c--- F:\WINDOWS\system32\dllcache\iedw.exe
2008-04-12 13:20 . 2004-08-04 13:00 16,896 --a------ F:\WINDOWS\system32\fltlib.dll
2008-04-12 13:20 . 2004-08-04 13:00 16,896 --a--c--- F:\WINDOWS\system32\dllcache\fltlib.dll
2008-04-12 13:06 . 2004-08-04 13:00 10,096,640 --a--c--- F:\WINDOWS\system32\dllcache\hwxcht.dll
2008-04-12 12:22 . 2008-04-12 12:22 d-------- F:\Program Files\LSoft Technologies
2008-04-12 10:36 . 2006-05-15 14:35 90,800 -ra------ F:\WINDOWS\system32\drivers\se27unic.sys
2008-04-12 10:36 . 2006-05-15 14:35 88,688 -ra------ F:\WINDOWS\system32\drivers\SE27mgmt.sys
2008-04-12 10:36 . 2006-05-15 14:35 18,704 -ra------ F:\WINDOWS\system32\drivers\se27nd5.sys
2008-04-12 10:36 . 2006-05-15 14:35 6,240 -ra------ F:\WINDOWS\system32\drivers\SE27cmnt.sys
2008-04-12 10:36 . 2006-05-15 14:35 6,240 -ra------ F:\WINDOWS\system32\drivers\SE27cm.sys
2008-04-12 10:36 . 2006-05-15 14:36 5,872 -ra------ F:\WINDOWS\system32\drivers\se27wh.sys
2008-04-12 10:36 . 2006-05-15 14:35 4,128 -ra------ F:\WINDOWS\system32\drivers\se27cr.sys
2008-04-12 10:35 . 2006-05-15 14:35 97,184 -ra------ F:\WINDOWS\system32\drivers\SE27mdm.sys
2008-04-12 10:35 . 2006-05-15 14:35 86,560 -ra------ F:\WINDOWS\system32\drivers\SE27obex.sys
2008-04-12 10:35 . 2006-05-15 14:35 9,360 -ra------ F:\WINDOWS\system32\drivers\SE27mdfl.sys
2008-04-12 10:34 . 2006-05-15 14:35 61,600 -ra------ F:\WINDOWS\system32\drivers\SE27bus.sys
2008-04-12 10:34 . 2006-05-15 14:36 5,872 -ra------ F:\WINDOWS\system32\drivers\SE27whnt.sys
2008-04-12 10:30 . 2008-04-12 13:27 4,512 --a------ F:\WINDOWS\imsins.BAK
2008-04-11 11:11 . 2008-04-11 12:03 d-------- F:\Documents and Settings\gordon\.housecall6.6
2008-04-10 22:36 . 2008-04-10 22:36 d-------- F:\Program Files\Enigma Software Group
2008-04-10 19:31 . 2008-04-10 19:31 d-------- F:\Documents and Settings\All Users\Application Data\PC Tools
2008-04-10 19:23 . 2008-04-10 19:23 d-------- F:\Program Files\CCleaner
2008-04-10 16:59 . 2008-04-10 16:59 d-------- F:\Documents and Settings\gordon\Application Data\True Sword
2008-04-10 16:58 . 2008-04-10 18:10 d-------- F:\Program Files\True Sword 4
2008-04-09 20:28 . 2004-08-04 13:00 162,304 --a------ F:\WINDOWS\system32\wuaucpl.cpl
2008-04-09 20:28 . 2004-08-04 13:00 162,304 --a--c--- F:\WINDOWS\system32\dllcache\wuaucpl.cpl
2008-04-09 20:28 . 2007-07-30 19:18 34,136 --a------ F:\WINDOWS\system32\wucltui.dll.mui
2008-04-09 20:28 . 2007-07-30 19:19 25,944 --a------ F:\WINDOWS\system32\wuaucpl.cpl.mui
2008-04-09 20:28 . 2007-07-30 19:19 25,944 --a------ F:\WINDOWS\system32\wuapi.dll.mui
2008-04-09 20:28 . 2007-07-30 19:18 20,312 --a------ F:\WINDOWS\system32\wuaueng.dll.mui
2008-04-07 23:10 . 2008-04-07 23:10 d-------- F:\WINDOWS\system32\SuperAdBlocker.com
2008-04-07 22:32 . 2008-04-07 22:32 d-------- F:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-07 22:31 . 2008-04-12 16:57 d-------- F:\Program Files\SUPERAntiSpyware
2008-04-07 22:31 . 2008-04-12 16:57 d-------- F:\Documents and Settings\gordon\Application Data\SUPERAntiSpyware.com
2008-04-07 21:28 . 2008-04-07 21:29 d-------- F:\Program Files\XoftSpySE
2008-04-07 13:52 . 2008-04-07 13:52 80,384 --a------ F:\WINDOWS\system32\rxuybwm.exe
2008-04-07 10:27 . 2008-04-07 10:27 80,384 --a------ F:\WINDOWS\system32\nwahgi.exe
2008-04-06 21:17 . 2008-04-06 21:13 691,545 --a------ F:\WINDOWS\unins000.exe
2008-04-06 21:17 . 2008-04-06 21:17 2,546 --a------ F:\WINDOWS\unins000.dat
2008-04-04 17:28 . 2008-04-04 17:28 152,954 -rahs---- F:\WINDOWS\system32\servupdate.exe
2008-04-04 16:15 . 2008-04-04 16:15 d-------- F:\Documents and Settings\gordon\Application Data\Flickr
2008-03-16 22:43 . 2008-03-16 22:43 d-------- F:\Program Files\iTunes
2008-03-16 22:43 . 2008-03-16 22:43 d-------- F:\Program Files\iPod
2008-03-16 22:43 . 2008-03-16 22:43 d-------- F:\Program Files\Apple Software Update
2008-03-16 22:43 . 2008-03-16 22:43 d-------- F:\Documents and Settings\All Users\Application Data\Apple
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-13 19:59 --------- d-s---w F:\Program Files\HLSW
2008-04-13 18:26 22,328 ----a-w F:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-13 18:25 103,736 ----a-w F:\WINDOWS\system32\PnkBstrB.exe
2008-04-12 18:25 12,464 ----a-w F:\WINDOWS\system32\drivers\secdrv.sys
2008-04-12 15:57 --------- d-----w F:\Program Files\Common Files\Wise Installation Wizard
2008-04-12 15:54 --------- d---a-w F:\Documents and Settings\All Users\Application Data\TEMP
2008-04-12 15:48 --------- d-----w F:\Program Files\Common Files\Adobe
2008-04-12 15:31 --------- d-----w F:\Documents and Settings\gordon\Application Data\AVG7
2008-04-12 13:14 --------- d-----w F:\Program Files\Sony Ericsson
2008-04-12 13:09 --------- d-----w F:\Documents and Settings\All Users\Application Data\Avg7
2008-04-12 10:14 --------- d-----w F:\Program Files\Microsoft IntelliPoint
2008-04-12 09:28 --------- d-----w F:\Program Files\LGGSM
2008-04-10 19:48 --------- d-----w F:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-09 10:46 --------- d-----w F:\Documents and Settings\gordon\Application Data\Uniblue
2008-04-06 20:21 --------- d-----w F:\Program Files\Spybot - Search & Destroy
2008-04-06 15:16 --------- d-----w F:\Program Files\TweakNow RegCleaner Std
2008-04-06 15:10 --------- d-----w F:\Program Files\HP
2008-04-04 17:19 --------- d-----w F:\Documents and Settings\All Users\Application Data\Kontiki
2008-03-13 13:39 --------- d-----w F:\Documents and Settings\gordon\Application Data\LimeWire
2008-03-08 22:01 --------- d-----w F:\Program Files\VstPlugins
2008-03-08 19:33 --------- d-----w F:\Program Files\Image-Line
2008-03-03 17:18 --------- d-----w F:\Program Files\FinalBurner
2008-02-27 19:07 --------- d-----w F:\Documents and Settings\gordon\Application Data\gtk-2.0
2008-02-23 13:46 --------- d--h--w F:\Program Files\InstallShield Installation Information
2008-02-22 21:57 --------- d-----w F:\Program Files\Trillian
2008-02-22 14:46 --------- d-----w F:\Documents and Settings\gordon\Application Data\.RawTherapee
2008-02-22 14:45 --------- d-----w F:\Program Files\Raw Therapee
2008-02-22 12:26 --------- d-----w F:\Program Files\LG Electronics
2008-02-22 00:03 --------- d-----w F:\Documents and Settings\All Users\Application Data\River Past G5
2008-02-10 22:07 737,280 ----a-w F:\WINDOWS\iun6002.exe
2008-01-17 20:06 35,363 ----a-w F:\WINDOWS\system32\windrvNT.sys
2007-12-06 16:28 20 ---h--w F:\Documents and Settings\All Users\Application Data\PKP_DLea.DAT
2007-11-01 21:43 0 ----a-w F:\Documents and Settings\All Users\Application Data\PKP_DLbz.DAT
2007-03-14 00:29 32,768 --sha-w F:\Program Files\Thumbs.db
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"SpybotSD TeaTimer"="F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 20:38 866816]
"NvCplDaemon"="F:\windows\System32\NvCpl.dll" [2007-05-10 23:03 8429568]
"nwiz"="nwiz.exe" [2007-05-10 23:03 1626112 F:\WINDOWS\system32\nwiz.exe]
"Cmaudio"="cmicnfg.cpl" []
"IntelliPoint"="F:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 02:50 204800]
"C6501Sound"="c6501.cpl" []
"AVG7_CC"="F:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-07 12:55 579072]
"IMJPMIG8.1"="F:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:00 208952]
"MSPY2002"="F:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 13:00 59392]
"PHIME2002ASync"="F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00 455168]
"PHIME2002A"="F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00 455168]
"NvMediaCenter"="F:\windows\System32\NvMcTray.dll" [2007-05-10 23:03 81920]
"Sony Ericsson PC Suite"="F:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 01:06 487424]
"Adobe Photo Downloader"="F:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"Adobe Reader Speed Launcher"="F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"tk"="F:\windows\System32\tk.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="F:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-07 12:55 219136]

F:\Documents and Settings\gordon\Start Menu\Programs\Startup\
Adobe Gamma.lnk - F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]
GIGABYTE VGA Utility.lnk - F:\Documents and Settings\gordon\Application Data\Microsoft\Installer\{D27BDB5D-3B4C-44F0-A648-BD00B0E79B39}\Utility.exe2_D27BDB5D3B4C44F0A648BD00B0E79B39.exe [2007-11-14 18:34:56 40960]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
""= 0
"NoFileAssociate"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"F:\\windows\\System32\\servupdate.exe"=
"F:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"F:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"F:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"F:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"F:\\WINDOWS\\system32\\sessmgr.exe"=
"F:\\Program Files\\HLSW\\hlsw_1_0_0_19-beta.exe"=

R0 uliagpkx;ULi AGP Bus Filter Driver;F:\WINDOWS\system32\DRIVERS\agpkx.sys [2005-05-03 17:31]
R3 CHSBXX33;CHSBXX33;F:\WINDOWS\system32\Drivers\CHSBXX33.sys [2002-05-27 15:34]
R3 cm102u32;C-Media CM6501 Like Sound Interface;F:\WINDOWS\system32\drivers\c6501.sys [2006-07-11 07:05]
R3 Ma730Pt;MA730 Bluetooth VCOM Driver;F:\WINDOWS\system32\DRIVERS\Ma730Pt.sys [2006-09-21 13:23]
R3 Ma730Vad;MA730 Bluetooth Audio;F:\WINDOWS\system32\DRIVERS\Ma730Vad.sys [2005-11-22 15:32]
S3 mam4410m;mam4410m;F:\WINDOWS\system32\Drivers\mam4410m.sys [2005-06-16 19:13]
S3 mam4410u;mam4410u;F:\WINDOWS\system32\Drivers\mam4410u.sys [2007-03-19 15:39]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;F:\WINDOWS\system32\DRIVERS\wg111v2.sys [2005-10-24 15:18]
S3 Start BT in service;Start BT in service;F:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [2007-04-21 14:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\AUTORUN.EXE

.
Contents of the 'Scheduled Tasks' folder
"2007-10-15 18:41:00 F:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job" - F:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-04-13 22:31:48 F:\WINDOWS\Tasks\XoftSpySE 2.job" - F:\Program Files\XoftSpySE\XoftSpy.exe
"2008-04-07 20:28:48 F:\WINDOWS\Tasks\XoftSpySE.job" - F:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************
catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net Rootkit scan 2008-04-14 00:00:05 Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: F:\WINDOWS\explorer.exe
-> F:\WINDOWS\system32\nview.dll
.
Completion time: 2008-04-14 0:00:46
ComboFix-quarantined-files.txt 2008-04-13 23:00:34
Pre-Run: 56,534,892,544 bytes free
Post-Run: 56,521,650,176 bytes free
SDFix: Version 1.170 Run by gordon on 13/04/2008 at 23:24
Microsoft Windows XP [Version 5.1.2600] Running From: F:\SDFix
Checking Services :
Restoring Windows Registry Values Restoring Windows Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
F:\WINDOWS\system32\i - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, »www.gmer.net Rootkit scan 2008-04-13 23:32:24 Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 8
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"F:\\windows\\System32\\servupdate.exe"="F:\\windows\\System32\\servupdate.exe:*:Enabled:Windows USB Monitor"
"F:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="F:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"F:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="F:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"F:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="F:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"F:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="F:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"F:\\WINDOWS\\system32\\sessmgr.exe"="F:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"F:\\Program Files\\HLSW\\hlsw_1_0_0_19-beta.exe"="F:\\Program Files\\HLSW\\hlsw_1_0_0_19-beta.exe:*:Enabled:MFC-Anwendung HLSW"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files :
File Backups: - F:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Sat 12 Apr 2008 332 ..SH. --- "F:\BOOT.BAK"
Mon 28 Jan 2008 1,404,240 A.SHR --- "F:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "F:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Fri 4 Apr 2008 152,954 A.SHR --- "F:\WINDOWS\system32\servupdate.exe"
Wed 5 Jan 2005 2,045 A..H. --- "F:\WINDOWS\system32\whlprd32a.dll"
Wed 15 Aug 2007 4,348 A.SH. --- "F:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 5 Feb 2006 4,348 A.SH. --- "F:\Documents and Settings\All Users\DRM\DRMv1.key.bak"
Thu 9 Aug 2007 400 A.SH. --- "F:\Documents and Settings\All Users\DRM\v2ks.bla.bak"
Thu 9 Aug 2007 48 A.SH. --- "F:\Documents and Settings\All Users\DRM\v2ks.sec.bak"
Finished!

-- »www.supermacro.net/ »www.flickr.com/photos/action_man/

bcastner Premium,MVM join:2002-09-25 Chevy Chase, MD
reply to Action_Man
TeaTimer is an excellent tool for the prevention of spyware but it can sometimes prevent HijackThis from fixing certain things. Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
• Open Spybot Search & Destroy.
• In the Mode menu click "Advanced mode" if not already selected.
• Choose Yes at the Warning prompt.
• Expand the Tools menu.
• Click Resident.
• Uncheck the Resident "TeaTimer" (Protection of overall system settings) active. box.
• In the File menu click Exit to exit Spybot Search & Destroy.
• Download and Unzip to your Desktop: »www.techsupportforum.com/sectool···imer.zip
• Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.
1. Open HijackThis again, System scan only. Checkmark these items:
O2 - BHO: (no name) - {22D8E815-4A5E-4dfb-845E-AAB64207F5BD} - (no file)
O4 - HKLM\..\RunServices: [tk] F:\windows\System32\tk.exe
Click "Fix checked" and when the log panel clears exit HijackThis.
2. Download -- but do not yet run -- ComboFix©
Download this file -- to your Desktop -- from any of these sources:
Right-click on the header of the Code box below, where on the right side it says: "Copy to clipboard":
Open a new Notepad session - (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .
• Disconnect from the Internet.
• Disable your Antivirus. If the Antivirus software you use has any Script Blocking features, be certain to disable these as well. Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
• A window will open with a warning. Accept any Disclaimers to start the fix.
Using your mouse, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown in this little picture:
When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.
•!• A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
3. Run the BitDefender Online Scanner using Internet Explorer (Only): »www.bitdefender.com/scan8/ie.htm
• Read the 'END USER SOFTWARE LICENSE AGREEMENT' then click 'I agree'.
• You'll be prompted to install the activex control, please do so.
• Once installed, Disable your current Antivirus program, then click the 'Click here to scan' button.
• The virus signatures will then load.
• The scan will take quite some time so please be patient.
• Once the scan has finished select the 'Detected Problems' tab.
• Click on 'Click here to export scan'.
• Save the file as an HTML file to your desktop.
• Re-enable your Antivirus program.
• Click on the saved file and allow it to open with IE.
• Go to 'Edit', 'Select All' then Copy and Paste that log result into a new Notepad session, with a filename you can easily locate later.
Post back to the Forum a brand new HijackThis log, and the results of your BitDefender scan.
-- ============ MS-MVP 2004 - -2008, ASAP Member Users Helping Users
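Added example, not code from the thread or from HijackThis: a small triage pass over HijackThis log lines that applies the two criteria bcastner used above when he picked the entries to fix (a BHO with no backing file, and anything under the RunServices key), plus an extra "review" flag for O23 services with no publisher string. The sample lines are copied from the logs in this thread; the rules, names and severity labels are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two lines bcastner asked to be fixed plus a few
# benign entries copied from the same log, so the triage sees both kinds.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {22D8E815-4A5E-4dfb-845E-AAB64207F5BD} - (no file)
O4 - HKLM\\..\\Run: [AVG7_CC] F:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O4 - HKLM\\..\\RunServices: [tk] F:\\windows\\System32\\tk.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\\WINDOWS\\System32\\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - F:\\windows\\System32\\PnkBstrA.exe
"""

# HijackThis line shapes for the three entry types this triage looks at.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<file>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<entry>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


@dataclass(frozen=True)
class Finding:
    severity: str   # "fix" = tick it in HijackThis; "review" = look before acting
    line: str       # the HijackThis line the finding refers to
    reason: str


def triage_hjt(log_text: str) -> list:
    """Return the HijackThis lines worth attention, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O2_RE.match(line)
        if m:
            # A BHO whose DLL is already gone is an orphan registration:
            # harmless by itself, but leftover from something removed, so clean it.
            if m.group("file").strip().lower() == "(no file)":
                findings.append(Finding("fix", line, "BHO with no backing file (orphan CLSID)"))
            continue
        m = O4_RE.match(line)
        if m:
            key = m.group("key").replace("\\", "/").lower()
            # RunServices is a Windows 9x/Me key; XP's logon does not process it,
            # so legitimate XP software has no reason to write an entry there.
            if key.endswith("/runservices") or key.endswith("/runservicesonce"):
                findings.append(Finding("fix", line, "autostart entry under the obsolete RunServices key"))
            continue
        m = O23_RE.match(line)
        if m and m.group("owner").strip().lower() == "unknown owner":
            # No company string in the service binary. Plenty of legitimate
            # services (the PunkBuster one in this log, for instance) look like
            # this, so it is a prompt to check the path, not a verdict.
            findings.append(Finding("review", line, "service binary carries no publisher information"))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```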
Action_Man Currently Appearing As Premium join:2003-07-22 England
reply to Action_Man
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
F:\Program Files\Microsoft IntelliPoint\point32.exe
F:\WINDOWS\system32\RunDll32.exe
F:\WINDOWS\system32\rundll32.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\WINDOWS\system32\ctfmon.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\GIGABYTE\VGA Utility Manager\Utility.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\WINDOWS\explorer.exe
F:\Program Files\Grisoft\AVG7\avgcc.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = »www.btopenworld.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\windows\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IntelliPoint] "F:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [C6501Sound] RunDll32 c6501.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IMJPMIG8.1] "F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] F:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\windows\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] F:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: GIGABYTE VGA Utility.lnk = ?
O8 - Extra context menu item: eBay Search - res://F:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - F:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - F:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···1267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - »go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - »download.bitdefender.com/resourc···can8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »www.update.microsoft.com/microso···69248809
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - »www.nvidia.com/content/DriverDow···lab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - »www.update.microsoft.com/microso···69228778
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···1267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - »messenger.zone.msn.com/binary/ZI···2846.cab
O16 - DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} (Image Uploader 3.0 Control) - »www.tescophoto.com/wpp/tesco//ap···ader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{35D0F5A8-55A1-4A1F-8B09-483A09054769}: NameServer = 194.74.65.69 62.6.40.178
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - F:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - F:\windows\System32\PnkBstrA.exe
O23 - Service: Start BT in service - Unknown owner - F:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
BitDefender Online Scanner
Scan report generated at: Mon, Apr 14, 2008 - 11:28:57
Scan path: C:\;E:\;F:\;
Statistics
Time 00:52:55
Files 198765
Folders 12428
Boot Sectors 4
Archives 1713
Packed Files 199
Results
Identified Viruses 6
Infected Files 6
Suspect Files 0
Warnings 0
Disinfected 0
Deleted Files 6
Engines Info
Virus Definitions 35250
Engine build AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins 3
Archive plugins 10
Unpack plugins 3
E-mail plugins 1
System plugins 1
Scan Settings
First Action Disinfect
Second Action Delete
Heuristics Yes
Enable Warnings Yes
Scanned Extensions *;
Exclude Extensions
Scan Emails Yes
Scan Archives Yes
Scan Packed Yes
Scan Files Yes
Scan Boot Yes
Scanned File Status
C:\WINDOWS\system32\.pif Infected with: Generic.Botget.81CA81B0
C:\WINDOWS\system32\.pif Deleted
C:\WINDOWS\system32\1.bat Infected with: Generic.Botget.E657EBC4
C:\WINDOWS\system32\1.bat Deleted
C:\WINDOWS\system32\c.bat Infected with: Generic.Botget.B61E09E3
C:\WINDOWS\system32\c.bat Deleted
C:\WINDOWS\system32\o Infected with: Generic.Botget.A12F6AD5
C:\WINDOWS\system32\o Deleted
F:\$VAULT$.AVG\20273875.FIL Infected with: Win32.Msblast.A.damaged
F:\$VAULT$.AVG\20273875.FIL Deleted
F:\WINDOWS\system32\servupdate.exe Infected with: Packer.PrivateExeProtector.A
F:\WINDOWS\system32\servupdate.exe Disinfection failed
F:\WINDOWS\system32\servupdate.exe Deleted

-- »www.supermacro.net/ »www.flickr.com/photos/action_man/

bcastner Premium,MVM join:2002-09-25 Chevy Chase, MD
reply to Action_Man
Open Acrobat if you have the Full Version installed. Click Help and run the Upgrade applet found there. If no update is offered: use the Preferences, Internet submenu of Acrobat and uncheck to integrate with your Browser. Close Acrobat. Whether you had the Full Version of Acrobat or not, download and install Adobe Reader 8.1.1 and use this as the integrated PDF Reader inside your browser: »www.adobe.com/products/acrobat/r···ep2.html
Clean-up & Prevention:
• Right click "My Computer", Properties, and then click the System Restore tab. Checkmark the box at the top to stop System Restore on all drives. Click the "Apply" button. Agree to the deletion of old Restore Points. Then uncheck the box at the top and again click the "Apply" button. Finally, click the "OK" button. This will create a new Restore Point reflecting your clean system state.
• Click Start, then click Run. Enter into the command box that opens: combofix /u and then click OK. (If we have renamed this file, please use the current name for the program in this instruction.) 
• Run ATF Cleaner , and checkmark "Empty Recycle Bin", click "Empty Selected" and exit the program. You can delete or keep this utility as you wish.
• Use Control Panel, Add or Remove Programs, and Uninstall any entry related to an On-Line scanner we may have used. If you find any files or folders created during this cleanup operation remaining, please feel free to delete them.
• Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.
• If I asked you to Disable something like TeaTimer or another malware blocker, please go ahead and re-enable them if you wish.
• Download and Install Windows Defender by Microsoft (free):
• Download and install Comodo BOClean (free):
• Download, install, and keep updated Spyware Blaster (free):
• Download, install, and keep updated SpyBot S&D (free) if you have not yet done so: Tutorial:
• Download, install, and keep updated AdAware 2007 by Lavasoft (free), if you have not done so: Tutorial:
• Refer to my first set of instructions above, and reconfigure Hidden Files and Folders to your choosing.
Best wishes. Bill Castner
-- ============ MS-MVP 2004 - -2008, ASAP Member Users Helping Users
Action_Man Currently Appearing As Premium join:2003-07-22 England
I have done everything you have asked, and all seemed ok for a little while, until a short while ago, when I noticed this folder on my desktop. I know I didn't put it there, I don't even gamble.
Here is an image of it ...
And also my net connection icon is still missing, but maybe that's another issue ...

-- »www.supermacro.net/ »www.flickr.com/photos/action_man/

bcastner Premium,MVM join:2002-09-25 Chevy Chase, MD
reply to Action_Man
Why not delete the PDF and the Folder?

Action_Man Currently Appearing As Premium join:2003-07-22 England
I thought I might keep it as evidence.
Anyway I will inform you of any more unusualities.
And thank you very much for your assistance, hopefully I'm back to normal now ...
Gordon

-- »www.supermacro.net/ »www.flickr.com/photos/action_man/