Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Intel.DLL infected with Win32: Trojan-gen. {Other}

Post by twidget » August 24th, 2007, 10:56 pm

I have a PC running Windows XP Professional, fully up to date. Last week, avast! started telling me at startup, "C:\WINDOWS\Intel.DLL contains a sample of the Win32: Trojan-gen. {Other} virus" and I've been dutifully moving it to the chest.

I've run more than a handful of anti-virus and anti-spyware programs over the last several days. I've logged in under Safe Mode and deleted the infected file. Everything I've tried has failed to work.

Please help me.
twidget
Active Member
 
Posts: 9
Joined: August 24th, 2007, 10:45 pm

Post by twidget » August 25th, 2007, 5:51 pm

If it helps any, here's what I'm seeing:

[image]
twidget
Active Member
 
Posts: 9
Joined: August 24th, 2007, 10:45 pm

Post by Elrond » August 25th, 2007, 6:29 pm

I'm Elrond, I'll be glad to help you with your computer problems.

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please only use this topic for your replies on this problem. Do not start another thread.

Please note that all instructions given are customized for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


These things need to be properly researched and a complete fix for many malware problems can take some time and be spread over a number of posts, so please be patient and try to see it through to the end.

Before we start: Please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.
If you can do these things, everything should go smoothly.
  • Please note that you should have Administrator rights to perform the fixes. (XP accounts are Administrator by default.) Also note that multiple identity PCs (family PCs) present a different problem; please tell me if your PC has more than one individual's setting, but continue with the fix. Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.
It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.



Download and Run HijackThis
Download HJTInstall.exe to your Desktop.

  • Double-click HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch HijackThis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Copy/Paste the log to your next reply please.

Don't use the Analyse This button; its findings are dangerous if misinterpreted.
Don't have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS SOME OF THE FILES ARE LEGIT AND VITAL TO YOUR COMPUTER'S HEALTH

Please post the HijackThis log in this topic.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Post by twidget » August 25th, 2007, 9:39 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:09 PM, on 8/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Pidgin\pidgin.exe
C:\PROGRA~1\MOZILL~2\THUNDE~1.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [IETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [IETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - https://public.webex.com/client/T25L/webex/ieatgpc.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Remote Procedure Call (RPC) MO (RPCSE) - Unknown owner - C:\Program.exe (file missing)

--
End of file - 9685 bytes
twidget
Active Member
 
Posts: 9
Joined: August 24th, 2007, 10:45 pm
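As an added example (not HijackThis code and not part of Elrond's procedure), the script below parses O23 service lines from a HijackThis log and flags the signals visible in the last O23 entry of the log above: no readable publisher, file missing, a path cut at the first space (C:\Program.exe), and a display name that imitates the built-in Remote Procedure Call (RPC) service under a service name (RPCSE) that is not the real RpcSs. The built-in service table and the flag wording are assumptions of mine; the sample lines are copied from the log in this thread.

```python
"""Triage of "O23 - Service:" lines from a HijackThis 2.x log.

Added example for this thread: not HijackThis code and not the helper's
procedure. It reads only what the log text shows (the publisher HijackThis
could read from the binary, whether the file was found, the shape of the
path, and the display/service names) and says why an entry deserves a look.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# O23 - Service: <display name> [(<service name>)] - <owner> - <path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Display name -> real service name for a few built-in Windows XP services.
# Assumed, illustrative list; build the real one from a known-clean machine.
# The Locator entry keeps the legitimate "Remote Procedure Call (RPC) Locator"
# service from being reported as an imitation of "Remote Procedure Call (RPC)".
BUILTIN_SERVICES = {
    "Remote Procedure Call (RPC)": "RpcSs",
    "Remote Procedure Call (RPC) Locator": "RpcLocator",
    "Windows Management Instrumentation": "winmgmt",
    "Task Scheduler": "Schedule",
    "Automatic Updates": "wuauserv",
}

# Root directories whose names contain a space. An unquoted ImagePath under one
# of them, cut at the first space and given ".exe", shows up as C:\Program.exe.
SPACE_ROOT_DIRS = {"program": "Program Files", "documents": "Documents and Settings"}


@dataclass
class ServiceEntry:
    name: str
    short: Optional[str]
    owner: str
    path: str
    file_missing: bool
    flags: List[str] = field(default_factory=list)


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Parse one log line; return None for anything that is not an O23 entry."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(name=m["name"], short=m["short"], owner=m["owner"],
                        path=m["path"], file_missing=m["missing"] is not None)


def truncated_root(path: str) -> Optional[str]:
    """If the path looks like the first space-delimited token of a path under a
    space-containing root directory (e.g. C:\\Program.exe), return that directory."""
    m = re.fullmatch(r"([A-Za-z]:\\)([^\\ ]+)\.exe", path, re.IGNORECASE)
    if m and m[2].lower() in SPACE_ROOT_DIRS:
        return m[1] + SPACE_ROOT_DIRS[m[2].lower()]
    return None


def assess(entry: ServiceEntry) -> ServiceEntry:
    """Attach a human-readable flag for each suspicious signal in the entry."""
    if entry.owner.lower() == "unknown owner":
        entry.flags.append("no publisher information readable from the binary")
    if entry.file_missing:
        entry.flags.append("file missing")
    root = truncated_root(entry.path)
    if root:
        entry.flags.append(f"path cut at first space; real image probably under {root}\\")
    # Longest built-in display name that this display name starts with, if any.
    matches = [b for b in BUILTIN_SERVICES if entry.name.startswith(b)]
    if matches:
        builtin = max(matches, key=len)
        real_short = BUILTIN_SERVICES[builtin]
        if entry.name != builtin:
            entry.flags.append(f"display name imitates built-in '{builtin}'")
        if entry.short and entry.short.lower() != real_short.lower():
            entry.flags.append(f"service name {entry.short} is not the built-in {real_short}")
    return entry


def triage(log_text: str) -> List[ServiceEntry]:
    """All O23 entries in the log, each with its flags (possibly none)."""
    return [assess(e) for e in map(parse_o23, log_text.splitlines()) if e]


def suspicious(log_text: str) -> List[ServiceEntry]:
    """Only the entries that raised at least one flag."""
    return [e for e in triage(log_text) if e.flags]


# Four O23 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = """\
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\aswUpdSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe
O23 - Service: Remote Procedure Call (RPC) MO (RPCSE) - Unknown owner - C:\\Program.exe (file missing)
"""

if __name__ == "__main__":
    for entry in suspicious(SAMPLE_LOG):
        print(f"{entry.name} ({entry.short}): " + "; ".join(entry.flags))
```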

Post by Elrond » August 26th, 2007, 3:14 am

Download SDFix and save it to your desktop.

Restart the computer. When the BIOS has finished loading (before Windows starts loading) start rapidly tapping the "F8" key. A menu opens. Select "Safe Mode". The computer will start in safe mode.
This can be tricky. If Windows starts up in normal mode, repeat the process. If you have a keyboard with an "F Lock" key, click it so that the "F" light above it is on when you start tapping the "F8" key. The startup in safe mode takes some time, and while it is doing so it shows you a black screen with the words "Safe Mode".

Run SDFix
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All.
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.


Download Deckard's System Scanner (DSS)
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open: main.txt <- this one will be maximized, and extra.txt <- this one will be minimized.
  • Make sure Format->Word Wrap is unchecked.
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your reply.


Once complete, please post the SDFix log and both DSS logs; you won't need to produce a new HijackThis log, as DSS produces one for you.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Post by twidget » August 26th, 2007, 4:40 am

SDFix: Version 1.100

Run by Charles on Sun 08/26/2007 at 03:22 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\Charles\Desktop\SDFix\SDFix

Safe Mode:
Checking Services:

Name:
RpcSe

ImagePath:
C:\Program Files\Intel\Intel

RpcSe - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\mqsvc.exe"="C:\\WINDOWS\\system32\\mqsvc.exe:*:Enabled:Message Queuing"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\X-Chat 2\\xchat.exe"="C:\\Program Files\\X-Chat 2\\xchat.exe:*:Enabled:X-Chat IRC Client"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:æTorrent"
"C:\\Documents and Settings\\Charles\\Local Settings\\Temp\\ElectronicArts_Patcher_000.exe"="C:\\Documents and Settings\\Charles\\Local Settings\\Temp\\ElectronicArts_Patcher_000.exe:*:Enabled:ElectronicArts_Patcher_000"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.4\\cnc3game.dat"="C:\\Program Files\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.4\\cnc3game.dat:*:Enabled:Command & Conquer 3 Tiberium Wars"
"C:\\Program Files\\xampp\\apache\\bin\\apache.exe"="C:\\Program Files\\xampp\\apache\\bin\\apache.exe:*:Enabled:Apache HTTP Server"
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"="C:\\Program Files\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe:*:Enabled:QuickBooks 2007 Data Manager"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Call of Duty Game of the Year Edition\\CoDMP.exe"="C:\\Program Files\\Call of Duty Game of the Year Edition\\CoDMP.exe:*:Enabled:CoDMP"
"C:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"="C:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe:*:Enabled:Medal of Honor Allied Assault"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. The whole world can talk for free."

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\mqsvc.exe"="C:\\WINDOWS\\system32\\mqsvc.exe:*:Enabled:Message Queuing"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------


Files with Hidden Attributes:

C:\Documents and Settings\Charles\My Documents\My Music\iTunes\iTunes Music\Podcasts\boagworld.com_ web design\AlbumArtSmall.jpg
C:\Documents and Settings\Charles\My Documents\My Music\iTunes\iTunes Music\Podcasts\boagworld.com_ web design\Folder.jpg
C:\Documents and Settings\Charles\My Documents\My Music\iTunes\iTunes Music\Podcasts\boagworld.com_ Web Design Podcast\AlbumArtSmall.jpg
C:\Documents and Settings\Charles\My Documents\My Music\iTunes\iTunes Music\Podcasts\boagworld.com_ Web Design Podcast\Folder.jpg
C:\Documents and Settings\Charles\My Documents\My Music\iTunes\iTunes Music\Podcasts\CNET.com\AlbumArtSmall.jpg
C:\Documents and Settings\Charles\My Documents\My Music\iTunes\iTunes Music\Podcasts\CNET.com\Folder.jpg
C:\Documents and Settings\Charles\My Documents\My Music\iTunes\iTunes Music\Podcasts\Web Design Podcast from Boagworld.com\AlbumArtSmall.jpg
C:\Documents and Settings\Charles\My Documents\My Music\iTunes\iTunes Music\Podcasts\Web Design Podcast from Boagworld.com\Folder.jpg
C:\Program Files\Intel\Intel.com
C:\Program Files\Common Files\Motorola Shared\MotPCSDrivers\difxapi.dll
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Picasa2\setup.exe
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
C:\Documents and Settings\Charles\My Documents\My Music\iTunes\iTunes Music\Downloads\Podcasts\BIY #337 - Tobit 12_1-14_15, Proverb.tmp\AlbumArtSmall.jpg
C:\Documents and Settings\Charles\My Documents\My Music\iTunes\iTunes Music\Downloads\Podcasts\BIY #337 - Tobit 12_1-14_15, Proverb.tmp\Folder.jpg
C:\Documents and Settings\Charles\My Documents\My Music\iTunes\iTunes Music\Downloads\Podcasts\BIY #338 - Judith 1_1-4_15, Proverbs.tmp\AlbumArtSmall.jpg
C:\Documents and Settings\Charles\My Documents\My Music\iTunes\iTunes Music\Downloads\Podcasts\BIY #338 - Judith 1_1-4_15, Proverbs.tmp\Folder.jpg
C:\Documents and Settings\Charles\My Documents\My Music\iTunes\iTunes Music\Downloads\Podcasts\Podcast Brothers 07-20-07 Podcast Br.tmp\AlbumArtSmall.jpg
C:\Documents and Settings\Charles\My Documents\My Music\iTunes\iTunes Music\Downloads\Podcasts\Podcast Brothers 07-20-07 Podcast Br.tmp\Folder.jpg
C:\Documents and Settings\Charles\My Documents\My Music\iTunes\iTunes Music\Downloads\Podcasts\Show 5 _ the .net magazine podcast.tmp\AlbumArtSmall.jpg
C:\Documents and Settings\Charles\My Documents\My Music\iTunes\iTunes Music\Downloads\Podcasts\Show 5 _ the .net magazine podcast.tmp\Folder.jpg

Finished

Deckard's System Scanner v20070819.64
Run by Charles on 2007-08-26 03:35:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Charles.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:34:42 AM, on 8/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Charles\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Charles.exe
C:\WINDOWS\system32\cidaemon.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [IETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [IETI] C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - https://public.webex.com/client/T25L/webex/ieatgpc.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

--
End of file - 9375 bytes

-- Files created between 2007-07-26 and 2007-08-26 -----------------------------

2007-08-26 03:21:32 0 d-------- C:\WINDOWS\ERUNT
2007-08-25 12:10:04 0 dr-h----- C:\Documents and Settings\Charles\Recent
2007-08-24 15:14:38 0 d-------- C:\Documents and Settings\Charles\DoctorWeb
2007-08-24 13:02:03 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2007-08-24 13:00:27 0 d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2007-08-24 12:59:47 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2007-08-24 12:32:29 0 d-------- C:\Documents and Settings\Administrator\DoctorWeb
2007-08-24 12:27:54 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-08-24 12:27:45 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-08-24 12:27:45 0 d-------- C:\Documents and Settings\Charles\Application Data\SUPERAntiSpyware.com
2007-08-23 21:09:11 0 d-------- C:\Program Files\Common Files\Skype
2007-08-21 02:23:47 21312 --a------ C:\WINDOWS\choice.exe
2007-08-21 02:21:04 0 d-------- C:\Program Files\SpywareBlaster
2007-08-21 02:11:47 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-08-20 13:57:22 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-08-20 13:57:07 0 d-------- C:\Documents and Settings\Administrator\Application Data\Subversion
2007-08-20 13:56:09 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-08-20 13:56:09 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-08-20 13:56:09 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-08-20 13:56:09 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-08-20 13:56:09 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-08-20 13:56:09 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-08-20 13:56:09 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-08-20 13:56:09 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-08-20 13:56:09 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-08-20 13:56:09 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-08-20 13:56:09 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-08-20 13:56:09 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-08-20 13:56:09 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-08-20 13:56:01 0 d--hs---- C:\WINDOWS\CSC
2007-08-20 12:47:18 0 d-------- C:\Program Files\Trend Micro
2007-08-19 20:59:15 0 d-------- C:\Program Files\Illustrate
2007-08-18 01:53:44 0 d-------- C:\Documents and Settings\Charles\Application Data\Opera
2007-08-11 19:11:46 0 d-------- C:\Program Files\TortoiseSVN
2007-08-10 20:10:43 0 d-------- C:\Program Files\iPod
2007-08-04 09:31:28 0 d-------- C:\Program Files\Common Files\Palo Alto Software
2007-08-04 09:31:15 0 d-------- C:\Program Files\Quicken
2007-08-03 07:28:40 0 d-------- C:\Program Files\MediaJoin
2007-08-03 07:28:37 0 d-------- C:\Documents and Settings\All Users\Application Data\{9E3A8735-9ABB-468A-A982-A50862FC9AB3}
2007-08-03 07:28:23 0 d-------- C:\Documents and Settings\Charles\Application Data\Seven Zip
2007-07-26 04:13:07 0 d-------- C:\Documents and Settings\Charles\Application Data\gtk-2.0


-- Find3M Report ---------------------------------------------------------------

2007-08-25 23:44:10 0 d-------- C:\Documents and Settings\Charles\Application Data\.purple
2007-08-25 23:44:07 0 d-------- C:\Documents and Settings\Charles\Application Data\Skype
2007-08-25 23:39:02 0 d-------- C:\Documents and Settings\Charles\Application Data\X-Chat 2
2007-08-25 20:33:45 0 d-------- C:\Documents and Settings\Charles\Application Data\uTorrent
2007-08-25 07:51:34 0 d-------- C:\Program Files\eMule
2007-08-25 06:59:03 120 --a------ C:\drmHeader.bin
2007-08-24 15:02:36 0 d-------- C:\Program Files\RegVac Registry Cleaner
2007-08-24 12:27:27 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-23 21:09:11 0 d-------- C:\Program Files\Common Files
2007-08-16 17:58:22 0 d-------- C:\Program Files\Mozilla Thunderbird
2007-08-10 20:10:55 0 d-------- C:\Program Files\iTunes
2007-08-10 20:09:43 0 d-------- C:\Program Files\Apple Software Update
2007-08-04 09:31:16 0 d-------- C:\Documents and Settings\Charles\Application Data\Intuit
2007-08-03 18:30:12 180224 --a------ C:\WINDOWS\system32\RemoteControl.dll <Not Verified; ; Pamela Remote Control Dynamic Link Library>
2007-08-03 06:49:38 0 d-------- C:\Documents and Settings\Charles\Application Data\Adobe
2007-08-03 06:47:45 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-08-03 06:46:22 0 d-------- C:\Program Files\Common Files\Adobe
2007-08-02 16:11:17 0 d-------- C:\Documents and Settings\Charles\Application Data\webex
2007-08-02 00:24:57 0 d-------- C:\Program Files\Picasa2
2007-07-31 18:09:52 0 d-------- C:\Documents and Settings\Charles\Application Data\tunebite
2007-07-25 10:38:27 202314 --a------ C:\WINDOWS\system32\atasnt40.dll <Not Verified; WebEx Communications, Inc; WebEx Application Sharing>
2007-07-17 03:55:51 0 d-------- C:\Documents and Settings\Charles\Application Data\Audacity
2007-07-16 19:35:58 0 d-------- C:\Documents and Settings\Charles\Application Data\.gaim
2007-07-16 19:35:47 0 d-------- C:\Program Files\Pidgin
2007-07-16 19:29:23 0 d-------- C:\Program Files\Skype
2007-07-14 22:33:45 0 d-------- C:\Program Files\Intuit
2007-07-14 22:29:49 0 d-------- C:\Program Files\Common Files\Intuit
2007-07-14 01:28:10 0 d-------- C:\Program Files\QuickTime
2007-07-07 03:21:09 0 d-------- C:\Documents and Settings\Charles\Application Data\Apple Computer
2007-07-06 10:19:21 0 d-------- C:\Program Files\MP3ToIpodAudioBookConverter
2007-07-03 09:51:02 0 d-------- C:\Program Files\EA GAMES
2007-07-01 06:16:22 0 d-------- C:\Program Files\Singles
2007-06-30 23:55:17 0 d-------- C:\Program Files\Monopoly 3D
2007-06-29 13:26:21 0 d-------- C:\Program Files\Safari
2007-06-29 13:24:49 0 d-------- C:\Program Files\Common Files\Apple
2007-06-29 12:26:28 0 d-------- C:\Program Files\Bonjour
2007-06-12 03:27:56 62744 --ah----- C:\WINDOWS\system32\mlfcache.dat
2007-05-31 01:44:55 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-05-31 01:44:54 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2007-05-31 01:44:54 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-05-31 01:44:54 740442 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [09/03/2004 06:15 PM]
"nwiz"="nwiz.exe" [09/03/2004 06:15 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [09/03/2004 06:15 PM]
"SoundMan"="SOUNDMAN.EXE" [11/15/2004 05:20 AM C:\WINDOWS\SOUNDMAN.EXE]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07/27/2007 05:03 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [07/19/2005 05:32 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [06/29/2007 06:24 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/31/2007 06:44 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:00 AM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/2007 02:06 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"IETI"=C:\Program Files\Skype\Phone\IEPlugin\unins000.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/8/2007 5:47:54 PM]
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [3/8/2007 5:47:54 PM]
hp psc 2000 Series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [4/9/2003 6:41:38 PM]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [4/9/2003 7:11:12 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc




-- End of Deckard's System Scanner: finished at 2007-08-26 03:36:36 ------------

I found no extra.txt file.
twidget
Active Member
 
Posts: 9
Joined: August 24th, 2007, 10:45 pm

Unread postby twidget » August 26th, 2007, 4:45 am

That seems to have fixed everything. What did I have?
twidget
Active Member
 
Posts: 9
Joined: August 24th, 2007, 10:45 pm

Unread postby Elrond » August 26th, 2007, 10:42 am

That was a SDBot type Trojan. I am not sure that you are clean.

I see that you are using eMule and uTorrent. Both of them are P2P filesharing programs. Although both are clean in themselves, you are taking a large risk by having them on your computer. A lot of files on the P2P systems are infected and it is one of the most common reasons for infections that we see. Sometimes the infections are so bad that the only really viable alternative is to reformat the computer.
If you decide to keep them, please do not use them until we have finished checking and, if necessary, cleaning up the computer.

I would like you to restart the computer because there seems to be a program that is waiting on a restart.


Open "HijackThis". Click on "Open Misc.Tool Section".
Use the scroll bar on the right and scroll down to "Open Uninstall Manager". Click it.
On the right you will find "Save List". Click it.
The log that you just saved will appear.
Use "Copy" and "Paste" to add it to your next post.


Go here to run an online scanner from Kaspersky.

  • Click on "Kaspersky Online Scanner"
  • A new smaller window will pop up. After reading the contents, press "Accept".
  • Now Kaspersky will update the anti-virus database. Let it run.
  • Click on "Next">"Scan Settings", and make sure the database is set to "extended". And check both the scan options. Then click OK.
  • Then click on "My Computer", and the scan will start.
  • Once finished, save the log as "KAV.txt" to the desktop.



Run a HijackThis scan and post the log together with the "Uninstall Manager" and Kaspersky logs.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Unread postby twidget » August 26th, 2007, 5:41 pm

You were right: I have 3 viruses and 19 "infected objects"

123 Audio Video Merger
7-Zip 4.44 beta
Ad-Aware SE Personal
Adobe Acrobat 8 Professional - English, Français, Deutsch
Adobe Audition 2.0
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Encore DVD FC
Adobe ExtendScript Toolkit 1.0
Adobe ExtendScript Toolkit 1.0
Adobe Flash Player ActiveX
Adobe Help Center 2.0
Adobe Illustrator CS
Adobe Photoshop 7.0
Adobe Premiere Pro FC
Adobe Production Studio
Adobe Stock Photos 1.0
Adobe SVG Viewer 3.0
Adobe Video Suite Extras
Any Video Converter 1.2.1
Apple Mobile Device Support
Apple Software Update
Aspell English Dictionary-0.50-2
Audacity 1.3.3 (Unicode)
AudioShell 1.2
Avanquest update
avast! Antivirus
AVI MPEG WMV RM to MP3 Converter 1.0.1
Camtasia Studio 4
CCleaner (remove only)
DivX Codec
DivX Converter
DivX Web Player
FeedDemon
FeedStation
FileZilla (remove only)
Flash Renamer 5.02
FreeMind
GigaVox Media Levelator 1.1
GNU Aspell 0.50-3
GTK+ Runtime 2.10.11 rev b (remove only)
HijackThis 2.0.2
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp psc 2100 series
hp psc 2100 series
InCD
iTunes
J2SE Runtime Environment 5.0 Update 11
Logitech QuickCam Software
Logitech® Camera Driver
Macromedia Dreamweaver MX
Macromedia Extension Manager
Marvell Miniport Driver
MediaJoin
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0
Motorola Driver Installation
Motorola Phone Tools
Mozilla Firefox (2.0.0.6)
Mozilla Thunderbird (2.0.0.6)
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
Nero Suite
NVIDIA Drivers
Pamela Pro 3.5
Picasa 2
Pidgin
Power Video Converter 1.4.17
QuickBooks Pro 2007
QuickBooks Product Listing Service
Quicken 2006
QuickTime
Real Alternative 1.51
RegVac Registry Cleaner 4.02 (Registered Version)
Safari
SecondLife (remove only)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Excel 2007 (KB936509)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Office 2007 (KB934062)
Security Update for Office 2007 (KB936514)
Security Update for Publisher 2007 (KB936646)
Security Update for the 2007 Microsoft Office System (KB936960)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows XP (KB923789)
Skype™ 3.5
Spybot - Search & Destroy 1.4
SupportSoft Assisted Service
Tag&Rename 3.2.5 rc 1
TortoiseSVN 1.4.4.9706 (32 bit)
Update for Office 2007 (KB932080)
Update for Office 2007 (KB934391)
Update for Office 2007 (KB934393)
Update for Outlook 2007 (KB937608)
Update for Outlook 2007 Junk Email Filter (kb936644)
Update for Word 2007 (KB934173)
Virtual Earth 3D (Beta)
Vodei Multimedia Processor 2.10
WinAVIVideoConverter
Windows Imaging Component
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
WinFF v0.29
X-Chat 2.6.8-1
Zune Desktop Theme

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, August 26, 2007 4:36:55 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 26/08/2007
Kaspersky Anti-Virus database records: 391731
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 118174
Number of viruses found: 3
Number of infected objects: 19
Number of suspicious objects: 0
Duration of the scan process: 02:25:03

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Charles\Application Data\Thunderbird\Profiles\8b61r74m.Default User\Mail\Local Folders\Inbox/[From sadmin@datasystemstech.com][Date Mon, 29 Jan 2007 21:56:53 -0500]/text/[From "Luis R. Bell" <Luis@csi.com>][Date Sat, 11 Aug 2007 20:06:23 +0300]/html/[From "Houston U. Woodward" <Houston@kcmsd.net>][Date Fri, 10 Aug 2007 20:42:34 +0300]/html/[From "Daniel K. Basil" <rcfkw@lucyham.com>][Date Sat, 11 Aug 2007 18:14:23 -0400]/UNNAMED/[From "Reuben R. Conley" <Reuben@prudent ... /[From Hathaway" <vykclubwebsiteb ... /[From <hslee@irco.com>][Date Mon, 13 Aug 2007 04:17:24 ... /isit.exe Infected: Trojan-Downloader.Win32.Agent.brk skipped
C:\Documents and Settings\Charles\Application Data\Thunderbird\Profiles\8b61r74m.Default User\Mail\Local Folders\Inbox/[From sadmin@datasystemstech.com][Date Mon, 29 Jan 2007 21:56:53 -0500]/text/[From "Luis R. Bell" <Luis@csi.com>][Date Sat, 11 Aug 2007 20:06:23 +0300]/html/[From "Houston U. Woodward" <Houston@kcmsd.net>][Date Fri, 10 Aug 2007 20:42:34 +0300]/html/[From "Daniel K. Basil" <rcfkw@lucyham.com>][Date Sat, 11 Aug 2007 18:14:23 -0400]/UNNAMED/[From "Reuben R. Conley" <Reuben@prudent ... /[From Hathaway" <vykclubwebsiteb ... /[From <hslee@irco.com>][Date Mon, 13 Aug 2007 04:17:24 -0400]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.brk skipped
C:\Documents and Settings\Charles\Application Data\Thunderbird\Profiles\8b61r74m.Default User\Mail\Local Folders\Inbox/[From sadmin@datasystemstech.com][Date Mon, 29 Jan 2007 21:56:53 -0500]/text/[From "Luis R. Bell" <Luis@csi.com>][Date Sat, 11 Aug 2007 20:06:23 +0300]/html/[From "Houston U. Woodward" <Houston@kcmsd.net>][Date Fri, 10 Aug 2007 20:42:34 +0300]/html/[From "Daniel K. Basil" <rcfkw@lucyham.com>][Date Sat, 11 Aug 2007 18:14:23 -0400]/UNNAMED/[From "Reuben R. Conley" <Reuben@prudent ... /[From Hathaway" <vykclubwebsitebuilderbug@clubwebsitebuilder.com>][Date 12 Aug 2007 11:04:06 -0900]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.brk skipped
C:\Documents and Settings\Charles\Application Data\Thunderbird\Profiles\8b61r74m.Default User\Mail\Local Folders\Inbox/[From sadmin@datasystemstech.com][Date Mon, 29 Jan 2007 21:56:53 -0500]/text/[From "Luis R. Bell" <Luis@csi.com>][Date Sat, 11 Aug 2007 20:06:23 +0300]/html/[From "Houston U. Woodward" <Houston@kcmsd.net>][Date Fri, 10 Aug 2007 20:42:34 +0300]/html/[From "Daniel K. Basil" <rcfkw@lucyham.com>][Date Sat, 11 Aug 2007 18:14:23 -0400]/UNNAMED/[From "Reuben R. Conley" <Reuben@prudentialdoss.com>] ... /[From ... /[From American.Airlines@aa.com][Date Sat, 11 Aug 2007 21:50:34 -0500 (CDT)]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.brk skipped
C:\Documents and Settings\Charles\Application Data\Thunderbird\Profiles\8b61r74m.Default User\Mail\Local Folders\Inbox/[From sadmin@datasystemstech.com][Date Mon, 29 Jan 2007 21:56:53 -0500]/text/[From "Luis R. Bell" <Luis@csi.com>][Date Sat, 11 Aug 2007 20:06:23 +0300]/html/[From "Houston U. Woodward" <Houston@kcmsd.net>][Date Fri, 10 Aug 2007 20:42:34 +0300]/html/[From "Daniel K. Basil" <rcfkw@lucyham.com>][Date Sat, 11 Aug 2007 18:14:23 -0400]/UNNAMED/[From "Reuben R. Conley" <Reuben@prudentialdoss.com>] ... /[From "Helene B. Cassidy" <Helene@adtastik.net>][Date Sat, 11 Aug 2007 15:29:36 -0700]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.brk skipped
C:\Documents and Settings\Charles\Application Data\Thunderbird\Profiles\8b61r74m.Default User\Mail\Local Folders\Inbox/[From sadmin@datasystemstech.com][Date Mon, 29 Jan 2007 21:56:53 -0500]/text/[From "Luis R. Bell" <Luis@csi.com>][Date Sat, 11 Aug 2007 20:06:23 +0300]/html/[From "Houston U. Woodward" <Houston@kcmsd.net>][Date Fri, 10 Aug 2007 20:42:34 +0300]/html/[From "Daniel K. Basil" <rcfkw@lucyham.com>][Date Sat, 11 Aug 2007 18:14:23 -0400]/UNNAMED/[From "Reuben R. Conley" <Reuben@prudentialdoss.com>][Date Sun, 12 Aug 2007 01:28:00 -2100]/html Infected: Trojan-Downloader.Win32.Agent.brk skipped
C:\Documents and Settings\Charles\Application Data\Thunderbird\Profiles\8b61r74m.Default User\Mail\Local Folders\Inbox/[From sadmin@datasystemstech.com][Date Mon, 29 Jan 2007 21:56:53 -0500]/text/[From "Luis R. Bell" <Luis@csi.com>][Date Sat, 11 Aug 2007 20:06:23 +0300]/html/[From "Houston U. Woodward" <Houston@kcmsd.net>][Date Fri, 10 Aug 2007 20:42:34 +0300]/html/[From "Daniel K. Basil" <rcfkw@lucyham.com>][Date Sat, 11 Aug 2007 18:14:23 -0400]/UNNAMED Infected: Trojan-Downloader.Win32.Agent.brk skipped
C:\Documents and Settings\Charles\Application Data\Thunderbird\Profiles\8b61r74m.Default User\Mail\Local Folders\Inbox/[From sadmin@datasystemstech.com][Date Mon, 29 Jan 2007 21:56:53 -0500]/text/[From "Luis R. Bell" <Luis@csi.com>][Date Sat, 11 Aug 2007 20:06:23 +0300]/html/[From "Houston U. Woodward" <Houston@kcmsd.net>][Date Fri, 10 Aug 2007 20:42:34 +0300]/html Infected: Trojan-Downloader.Win32.Agent.brk skipped
C:\Documents and Settings\Charles\Application Data\Thunderbird\Profiles\8b61r74m.Default User\Mail\Local Folders\Inbox/[From sadmin@datasystemstech.com][Date Mon, 29 Jan 2007 21:56:53 -0500]/text/[From "Luis R. Bell" <Luis@csi.com>][Date Sat, 11 Aug 2007 20:06:23 +0300]/html Infected: Trojan-Downloader.Win32.Agent.brk skipped
C:\Documents and Settings\Charles\Application Data\Thunderbird\Profiles\8b61r74m.Default User\Mail\Local Folders\Inbox/[From sadmin@datasystemstech.com][Date Mon, 29 Jan 2007 21:56:53 -0500]/text Infected: Trojan-Downloader.Win32.Agent.brk skipped
C:\Documents and Settings\Charles\Application Data\Thunderbird\Profiles\8b61r74m.Default User\Mail\Local Folders\Inbox Mail Berkeley mbox: infected - 10 skipped
C:\Documents and Settings\Charles\Application Data\Thunderbird\Profiles\8b61r74m.Default User\Mail\Local Folders\Sent/[From "Charles W. Stricklin"][Date Tue, 3 May 2005 17:34:00 -0600]/UNNAMED/[From "Charles W. Stricklin"][Date Tue, 3 May 2005 17:59:00 -0600]/UNNAMED/[From "Charles W. Stricklin" <charles@charlesstricklin.com>][Date Wed, 22 Jun 2005 05:43:58 -0500]/text/[From "Charles W. Stricklin" <charles@charlesstricklin.com>][Date Tue, 29 Nov 2005 06:01:49 -0600]/text/[From "Charles W. Stric ... /[From "Charles W. Stricklin" <charles@charlesstricklin.com>][Date Fri, 03 Feb 2006 23:00:55 -0600]/Message Infected: Trojan-Spy.HTML.Bayfraud.kh skipped
C:\Documents and Settings\Charles\Application Data\Thunderbird\Profiles\8b61r74m.Default User\Mail\Local Folders\Sent/[From "Charles W. Stricklin"][Date Tue, 3 May 2005 17:34:00 -0600]/UNNAMED/[From "Charles W. Stricklin"][Date Tue, 3 May 2005 17:59:00 -0600]/UNNAMED/[From "Charles W. Stricklin" <charles@charlesstricklin.com>][Date Wed, 22 Jun 2005 05:43:58 -0500]/text/[From "Charles W. Stricklin" <charles@charlesstricklin.com>][Date Tue, 29 Nov 2005 06:01:49 -0600]/text/[From "Charles W. Stricklin" <charles@charlesstricklin.com>][Date Sat, 28 Jan 2006 13:02:39 -0600]/text Infected: Trojan-Spy.HTML.Bayfraud.kh skipped
C:\Documents and Settings\Charles\Application Data\Thunderbird\Profiles\8b61r74m.Default User\Mail\Local Folders\Sent/[From "Charles W. Stricklin"][Date Tue, 3 May 2005 17:34:00 -0600]/UNNAMED/[From "Charles W. Stricklin"][Date Tue, 3 May 2005 17:59:00 -0600]/UNNAMED/[From "Charles W. Stricklin" <charles@charlesstricklin.com>][Date Wed, 22 Jun 2005 05:43:58 -0500]/text/[From "Charles W. Stricklin" <charles@charlesstricklin.com>][Date Tue, 29 Nov 2005 06:01:49 -0600]/text Infected: Trojan-Spy.HTML.Bayfraud.kh skipped
C:\Documents and Settings\Charles\Application Data\Thunderbird\Profiles\8b61r74m.Default User\Mail\Local Folders\Sent/[From "Charles W. Stricklin"][Date Tue, 3 May 2005 17:34:00 -0600]/UNNAMED/[From "Charles W. Stricklin"][Date Tue, 3 May 2005 17:59:00 -0600]/UNNAMED/[From "Charles W. Stricklin" <charles@charlesstricklin.com>][Date Wed, 22 Jun 2005 05:43:58 -0500]/text Infected: Trojan-Spy.HTML.Bayfraud.kh skipped
C:\Documents and Settings\Charles\Application Data\Thunderbird\Profiles\8b61r74m.Default User\Mail\Local Folders\Sent/[From "Charles W. Stricklin"][Date Tue, 3 May 2005 17:34:00 -0600]/UNNAMED/[From "Charles W. Stricklin"][Date Tue, 3 May 2005 17:59:00 -0600]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.kh skipped
C:\Documents and Settings\Charles\Application Data\Thunderbird\Profiles\8b61r74m.Default User\Mail\Local Folders\Sent/[From "Charles W. Stricklin"][Date Tue, 3 May 2005 17:34:00 -0600]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.kh skipped
C:\Documents and Settings\Charles\Application Data\Thunderbird\Profiles\8b61r74m.Default User\Mail\Local Folders\Sent Mail Berkeley mbox: infected - 6 skipped
C:\Documents and Settings\Charles\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Charles\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Charles\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Charles\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Charles\Local Settings\History\History.IE5\MSHist012007082620070827\index.dat Object is locked skipped
C:\Documents and Settings\Charles\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Charles\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Charles\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Charles\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\Intel\Intel Infected: Backdoor.Win32.Hupigon.bde skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\00010011.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D441BD9A-B777-434E-9DA1-683AF4FA2324}\RP5\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

Scan process completed.
twidget
Active Member
 
Posts: 9
Joined: August 24th, 2007, 10:45 pm

Unread postby twidget » August 26th, 2007, 8:37 pm

It was Win32.Hupigon.bde in Intel.dll, but I had other stuff that devastated my Thunderbird Inbox and Sent folders. (I wonder if those e-mails are still around, or if they're gone, too?)
twidget
Active Member
 
Posts: 9
Joined: August 24th, 2007, 10:45 pm

Unread postby Elrond » August 27th, 2007, 12:49 am

The stuff in those mails is still there. You have a slew of infected mail.

However, the one that really disturbs me is this: Win32.Hupigon.bde.
It is a Backdoor Trojan, which means that it can do more or less anything it wants on your computer. This gives intruders complete control of your computer: logging key strokes, stealing information, etc. :(
You are strongly advised to do the following immediately:
  • Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.
  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change *all* of your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
      Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
Because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure it can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

To help you make a more informed decision, please read the following articles:

Should you have any questions, please feel free to ask

Please let me know your decision and we'll get started with clean up if that's what you choose.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Unread postby twidget » August 28th, 2007, 6:05 pm

I ran the Kaspersky AV program and it now says my computer is clean. Should I assume it's not and reinstall Windows?
twidget
Active Member
 
Posts: 9
Joined: August 24th, 2007, 10:45 pm

Unread postby Elrond » August 29th, 2007, 1:57 pm

Before you ran Kaspersky again did you do anything else?
If it disappeared without you doing anything, I would be seriously worried. :(

The Hupigon family of backdoor trojans is nasty and full of tricks.

We can probably get the computer clean, but it will take some work before I am sure that there is nothing left of the infection. Even then, I will never be able to guarantee that nothing has been changed in that computer, because while it was infected those behind the infection could have done anything with it. It is as if they were sitting in front of the keyboard typing, and when you were typing they were standing and looking over your shoulder.
I know that this is not an easy call. If you are using the computer for a lot of financial data or banking, I personally would reformat if you have everything that is needed for it. Before you decide to reformat, have a look at this, which is a tutorial for reformatting.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Unread postby twidget » August 29th, 2007, 3:30 pm

After I ran the scanner and it turned up viruses, I downloaded the software and ran it. I will, however, be using my Labor Day weekend to reformat and reinstall most everything. :(

I'm also planning on buying the full version of this AV software since it obviously is more robust than anything else I've used in the past.
twidget
Active Member
 
Posts: 9
Joined: August 24th, 2007, 10:45 pm

Unread postby askey127 » September 14th, 2007, 6:52 am

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.
If you are the topic starter, you will need a valid, working link to the closed topic, along with the user name used.
The user name must match the one in the linked thread to avoid having the email deleted.

You can help support this site from this link :
Donations For Malware Removal

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. See Nellie2's blog here or post in our dedicated forum here
The infection you had was Backdoor Hupigon.
askey127
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA