Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

log file 24/11/07

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

log file 24/11/07

Unread postby andrewgrizz » November 23rd, 2007, 12:10 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:37:44, on 24/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\khooker.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\inKline Global\PC Booster\pcbooster.exe
C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7Pro\IE7Pro.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PC Booster] C:\Program Files\inKline Global\PC Booster\pcbooster.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ashampoo FireWall] "C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" -TRAY
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 1786011000
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee - (no file)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 6327 bytes
Last edited by andrewgrizz on November 24th, 2007, 9:40 am, edited 1 time in total.
andrewgrizz
Regular Member
 
Posts: 35
Joined: November 23rd, 2007, 11:35 am
Advertisement
Register to Remove

Re: hijack this log 23/11/07

Unread postby Scotty » November 23rd, 2007, 5:04 pm

Hi! Welcome to the MWR forums.
My name is Scotty. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research.

Please be patient as my posts to you have to be checked before I reply, so they make take longer.

The top of your HijackThis log is cut off. Could you post a full new one, please? Then follow the instructions below.


Please make a uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in a reply.
User avatar
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: log file 24/11/07

Unread postby andrewgrizz » November 24th, 2007, 9:43 am

Adobe Reader 8.1.1
AVG 7.5
CCleaner (remove only)
Convert Doc
Easy Start Button
ERUNT 1.1j
Eusing Free Registry Cleaner
Glary Utilities 2.3.1.92
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
IE7Pro
Java(TM) 6 Update 3
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Journal Viewer
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
Nero 7 Premium
Nero 7 Premium
neroxml
NET Installation Assistance for VB6 App (Runtime Only)
PC Booster
PC Pitstop Optimize 1.0v
Realtek AC'97 Audio
Remove DivX Codec
Revo Uninstaller 1.34
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
SiS 650
SiS 900 PCI Fast Ethernet Adapter Driver
Spybot - Search & Destroy 1.4
Synaptics Pointing Device Driver
Unlocker 1.8.5
Viewpoint Media Player
Windows Imaging Component
Windows Installer Clean Up
Windows Live installer
Windows Live Messenger
Windows Live Photo Gallery Beta
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 2
WinRAR archiver
andrewgrizz
Regular Member
 
Posts: 35
Joined: November 23rd, 2007, 11:35 am

Re: log file 24/11/07

Unread postby Scotty » November 24th, 2007, 4:49 pm

Hi

I see that Viewpoint Media Player is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto‑updating for the Viewpoint Manager ‑‑ the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.
To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.

Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". This may change, read Viewpoint to Plunge Into Adware.
I recommend that you remove the Viewpoint products; however, decide for yourself. To uninstall the the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):
  1. Click Start, point to Settings, and then click Control Panel.
  2. In Control Panel, double-click Add or Remove Programs.
  3. In Add or Remove Programs, highlight Viewpoint Media Player , click Remove.



Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:

      + Extended(If available otherwise Standard)
    • Scan Options:

      + Scan Archives
      + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

With the exception of Internet Explorer, which is needed for the Kaspersky Scan, keep ALL programs closed until the scan is complete.
User avatar
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: log file 24/11/07

Unread postby Scotty » November 24th, 2007, 5:37 pm

Also

Download and Save ComboFix

  • Download this file from below:

    Here
  • Save it to your Desktop.
  • Disconnect from the Internet, than disable your anti-virus and any real-time anti-spyware monitors that are running.
  • Then double click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.

Note 1: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Note 2:Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task-Manager use the Processes tab (press ctrl alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

In your next reply post:
ComboFix.txt
New HijackThis log taken after the above scan has run
User avatar
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: log file 24/11/07

Unread postby andrewgrizz » November 25th, 2007, 2:30 pm

ComboFix 07-11-19.3 - andrew 2007-11-25 18:01:28.1 - NTFSx86
Running from: C:\Documents and Settings\andrew\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\jjllm.ini
C:\WINDOWS\system32\jjllm.ini2
C:\WINDOWS\system32\mlljj.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pskill.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-25 to 2007-11-25 )))))))))))))))))))))))))))))))
.

2007-11-25 12:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-25 12:34 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-25 01:56 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-25 01:56 <DIR> d-------- C:\Documents and Settings\andrew\Application Data\AVG7
2007-11-25 01:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-24 23:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-11-24 23:15 8,192 -----c--- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2007-11-24 23:15 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx4.dll
2007-11-24 23:15 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2007-11-24 23:15 7,168 --------- C:\WINDOWS\system32\bitsprx4.dll
2007-11-24 18:55 <DIR> d-------- C:\Program Files\IObit
2007-11-24 18:29 <DIR> d-------- C:\Program Files\Ashampoo
2007-11-24 14:37 1,008 -rahs---- C:\WINDOWS\system32\drivers\OP_CACHE.ATR
2007-11-24 14:37 504 -rahs---- C:\WINDOWS\system32\drivers\OP_CACHE.IDX
2007-11-24 14:30 19,656 -rahs---- C:\WINDOWS\system32\OP_CACHE.ATR
2007-11-24 14:30 9,828 -rahs---- C:\WINDOWS\system32\OP_CACHE.IDX
2007-11-23 23:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-23 18:29 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2007-11-23 18:26 <DIR> d-------- C:\Program Files\delete
2007-11-23 17:06 <DIR> d-------- C:\Documents and Settings\andrew\Application Data\GlarySoft
2007-11-23 15:43 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-22 21:08 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-22 21:05 <DIR> d-------- C:\WINDOWS\system32\rMa18yy
2007-11-22 21:03 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-22 17:58 <DIR> d-------- C:\Program Files\Abacast
2007-11-22 16:04 <DIR> d-------- C:\Program Files\LimeWire
2007-11-21 22:50 <DIR> d-------- C:\Program Files\Glary Utilities
2007-11-18 14:03 16 --a------ C:\WINDOWS\popcinfot.dat
2007-11-18 14:03 0 --a------ C:\WINDOWS\popcreg.dat
2007-11-17 14:55 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-11-17 14:55 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-11-17 14:55 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-17 14:55 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-11-17 14:52 <DIR> d-------- C:\Program Files\Alwil Software
2007-11-17 14:52 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-11-17 14:52 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2007-11-17 14:52 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-11-17 14:52 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-11-17 12:51 <DIR> d-------- C:\Program Files\EZBackitup
2007-11-14 14:45 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-11-14 14:40 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-11-14 14:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-14 14:35 <DIR> dr-h----- C:\MSOCache
2007-11-14 10:40 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2007-11-14 10:40 <DIR> d-------- C:\Program Files\MSECACHE
2007-11-13 21:09 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-11-13 16:07 25,992 --a------ C:\WINDOWS\system32\pgdfgsvc.exe
2007-11-12 19:03 233,472 --a------ C:\WINDOWS\system32\JkDefragScreenSaver.exe
2007-11-12 19:03 110,592 --a------ C:\WINDOWS\system32\JkDefragScreenSaver.scr
2007-11-11 15:52 <DIR> d-------- C:\Program Files\Nero
2007-11-11 15:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-11-10 19:46 <DIR> d-------- C:\Program Files\CDBurnerXP
2007-11-09 19:29 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-11-09 19:28 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2007-11-09 19:28 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2007-11-06 22:33 188 --a------ C:\WINDOWS\system32\MsiExec.exe.log
2007-11-06 20:42 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2007-11-06 20:20 <DIR> d-------- C:\Documents and Settings\andrew\Incomplete
2007-11-06 19:52 <DIR> d-------- C:\Documents and Settings\andrew\Application Data\Scribus
2007-11-06 19:33 <DIR> d-------- C:\Program Files\QuickTime
2007-11-06 19:28 <DIR> d-------- C:\WINDOWS\OPTIONS
2007-11-06 19:28 <DIR> d-------- C:\WINDOWS\msapps
2007-11-06 19:28 <DIR> d-------- C:\My Music
2007-11-06 19:28 <DIR> d-------- C:\Documents and Settings\andrew\.thinkfree
2007-11-06 19:28 <DIR> d-------- C:\Documents and Settings\andrew\.tfo3
2007-11-06 19:27 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-11-06 17:12 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2007-11-06 17:12 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2007-11-06 17:12 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2007-11-05 12:07 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-11-03 21:14 70,721 --a------ C:\WINDOWS\hpqins01.dat
2007-11-01 22:52 <DIR> d-------- C:\Program Files\RegistryFix
2007-11-01 16:40 26 --a------ C:\WINDOWS\SW_Win2146X32.DLL
2007-11-01 16:37 <DIR> d-------- C:\WINDOWS\system32\Resource
2007-11-01 16:37 <DIR> d-------- C:\Program Files\Softinterface, Inc
2007-11-01 16:37 2,167,977 --a------ C:\WINDOWS\system32\ConvertDoc.hlp
2007-11-01 16:37 1,568,768 --a------ C:\WINDOWS\system32\beconvlib.dll
2007-11-01 16:37 405,504 --a------ C:\WINDOWS\system32\PDFConverterX.ocx
2007-11-01 16:37 245,760 --a------ C:\WINDOWS\system32\WordConverterX2.ocx
2007-11-01 16:37 204,800 --a------ C:\WINDOWS\system32\bprgcomm.dll
2007-11-01 16:37 140,288 --a------ C:\WINDOWS\system32\comdlg32.ocx
2007-11-01 16:37 131,072 --a------ C:\WINDOWS\system32\CSVSpecialProcessing.dll
2007-11-01 16:37 61,440 --a------ C:\WINDOWS\system32\beconv.dll
2007-11-01 16:37 53,248 --a------ C:\WINDOWS\system32\RegisterExe.exe
2007-11-01 16:37 5,527 --a------ C:\WINDOWS\system32\CONVERTDOC.CNT
2007-11-01 15:09 244,416 --a------ C:\WINDOWS\system32\msflxgrd.ocx
2007-11-01 15:09 229,376 --a------ C:\WINDOWS\system32\putree.ocx
2007-11-01 15:09 118,784 --a------ C:\WINDOWS\system32\pudrglst.ocx
2007-11-01 15:09 114,688 --a------ C:\WINDOWS\system32\Pupxpman.exe
2007-11-01 15:09 73,728 --a------ C:\WINDOWS\system32\puslide.ocx
2007-11-01 15:09 45,056 --a------ C:\WINDOWS\system32\pupxptwk.exe
2007-11-01 15:09 38,943 --a------ C:\WINDOWS\system32\PWRUPXP.UND
2007-11-01 15:09 36,864 --a------ C:\WINDOWS\system32\WebOffer.exe
2007-11-01 15:09 15,392 --a------ C:\WINDOWS\system32\pwrupic.icl
2007-11-01 15:04 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2007-10-30 13:59 <DIR> d-------- C:\Documents and Settings\andrew\Application Data\Printer Info Cache
2007-10-30 13:58 <DIR> d-------- C:\Documents and Settings\andrew\Application Data\Image Zone Express
2007-10-29 19:13 <DIR> d-------- C:\Program Files\Primo Software
2007-10-29 18:05 <DIR> d-------- C:\Program Files\Real
2007-10-27 14:01 <DIR> d-------- C:\Documents and Settings\andrew\Application Data\Business Logic

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-24 18:26 312 --sha-r C:\WINDOWS\Fonts\OP_CACHE.ATR
2007-11-24 18:26 156 --sha-r C:\WINDOWS\Fonts\OP_CACHE.IDX
2007-11-24 18:05 --------- d-----w C:\Documents and Settings\LocalService\Application Data\McAfee.com Personal Firewall
2007-11-24 18:04 --------- d-----w C:\Documents and Settings\andrew\Application Data\uTorrent
2007-11-24 18:03 --------- d-----w C:\Documents and Settings\andrew\Application Data\LimeWire
2007-11-24 18:02 --------- d-----w C:\Documents and Settings\andrew\Application Data\IE7Pro
2007-11-24 18:02 --------- d-----w C:\Documents and Settings\andrew\Application Data\Ahead
2007-11-24 18:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-24 17:52 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-24 17:49 --------- d-----w C:\Program Files\SiS Compatible VGA V2.14a
2007-11-24 14:30 --------- d-----w C:\Program Files\uTorrent
2007-11-24 14:30 --------- d-----w C:\Program Files\SiSLan
2007-11-24 14:30 --------- d-----w C:\Program Files\Realtek AC97
2007-11-24 14:30 --------- d-----w C:\Program Files\PCB
2007-11-24 14:30 --------- d-----w C:\Program Files\IE7Pro
2007-11-24 14:30 --------- d-----w C:\Program Files\Eusing Free Registry Cleaner
2007-11-24 14:30 --------- d-----w C:\Program Files\Common Files\Motive
2007-11-24 14:30 --------- d-----w C:\Program Files\CCleaner
2007-11-24 14:30 --------- d-----w C:\Program Files\AvRack
2007-11-22 14:00 --------- d-----w C:\Program Files\Windows Media Bonus Pack for Windows XP
2007-11-22 14:00 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-22 14:00 --------- d-----w C:\Program Files\HighMAT CD Writing Wizard
2007-11-20 22:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-11 15:57 --------- d-----w C:\Program Files\Common Files\Ahead
2007-11-09 11:30 --------- d-----w C:\Program Files\blcorp
2007-11-06 19:28 --------- d-----w C:\Program Files\DivX
2007-11-06 19:27 --------- d-----w C:\Program Files\Common Files\Real
2007-11-03 21:25 94,784 ----a-w C:\WINDOWS\twain.dll
2007-11-03 21:25 577,536 ----a-w C:\WINDOWS\soundman.exe
2007-11-03 21:25 50,688 ----a-w C:\WINDOWS\twain_32.dll
2007-11-03 21:25 49,680 ----a-w C:\WINDOWS\twunk_16.exe
2007-11-03 21:25 46,352 ----a-w C:\WINDOWS\setdebug.exe
2007-11-03 21:25 33,792 ----a-w C:\WINDOWS\Q330994.exe
2007-11-03 21:25 33,792 ----a-w C:\WINDOWS\ieuninst.exe
2007-11-03 21:25 32,866 ----a-w C:\WINDOWS\slrundll.exe
2007-11-03 21:25 315,392 ----a-w C:\WINDOWS\alcupd.exe
2007-11-03 21:25 28,672 ----a-w C:\WINDOWS\htpatch.exe
2007-11-03 21:25 25,600 ----a-w C:\WINDOWS\twunk_32.exe
2007-11-03 21:25 224,256 ----a-w C:\WINDOWS\regedit.exe
2007-11-03 21:25 217,088 ----a-w C:\WINDOWS\Alcrmv.exe
2007-11-03 21:25 155,136 ----a-w C:\WINDOWS\notepad.exe
2007-11-03 21:25 15,360 ----a-w C:\WINDOWS\TASKMAN.EXE
2007-11-03 21:25 10,752 ----a-w C:\WINDOWS\hh.exe
2007-11-03 21:24 90,112 ----a-w C:\WINDOWS\unvise32.exe
2007-11-03 21:24 45,056 ----a-w C:\WINDOWS\winio.dll
2007-11-03 21:24 3,072 ----a-w C:\WINDOWS\winio.sys
2007-11-03 21:24 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2007-11-03 21:24 256,192 ----a-w C:\WINDOWS\winhelp.exe
2007-11-03 21:24 18,944 ----a-w C:\WINDOWS\vmmreg32.dll
2007-10-30 13:08 --------- d-----w C:\Documents and Settings\andrew\Application Data\HP
2007-10-16 14:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2007-10-14 19:54 --------- d-----w C:\Program Files\Common Files\SRS Labs Shared
2007-10-14 16:48 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2007-10-12 12:25 --------- d-----w C:\Program Files\Java
2007-10-11 20:25 --------- d-----w C:\Program Files\Windows Live
2007-10-11 20:23 --------- d-----w C:\Program Files\Realtek Sound Manager
2007-10-11 20:20 --------- d-----w C:\Program Files\BroadJump(2)
2007-10-10 22:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\SRS Labs
2007-10-10 22:23 --------- d-----w C:\Program Files\SRS Labs
2007-10-10 16:43 584,704 ----a-w C:\WINDOWS\WLXPGSS.SCR
2007-10-10 10:30 --------- d-----w C:\Program Files\Ahead
2007-10-08 23:03 --------- d-----w C:\Program Files\Common Files\Java
2007-10-08 21:29 --------- d-----w C:\Program Files\PCPitstop
2007-10-08 19:23 --------- d-----w C:\Program Files\inKline Global
2007-10-08 19:22 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-10-08 18:52 --------- d-----w C:\Program Files\MSXML 4.0
2007-10-08 18:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2007-10-08 18:06 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2007-10-08 16:40 --------- d-----w C:\Program Files\VS Revo Group
2007-10-08 14:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Virgin Broadband
2007-10-07 18:32 --------- d-----w C:\Documents and Settings\andrew\Application Data\Virgin Broadband
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 19:03]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HTpatch"="C:\WINDOWS\htpatch.exe" [2007-11-03 21:25]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 17:19]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-02-04 00:49]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-02-04 00:49]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"SiS KHooker"="C:\WINDOWS\System32\khooker.exe" [2007-11-03 21:46]
"PCTVOICE"="pctspk.exe" [2007-11-03 21:38 C:\WINDOWS\system32\pctspk.exe]
"PC Booster"="C:\Program Files\inKline Global\PC Booster\pcbooster.exe" [2005-12-28 10:39]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"Ashampoo FireWall"="C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" [2007-04-05 14:57]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-11-25 01:55]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-25 01:55]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
OP_CACHE.ATR [2007-11-24 18:01:53]
OP_CACHE.IDX [2007-11-24 18:01:53]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 07:56 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

R3 MTC0001_MPB;MPB device driver;C:\WINDOWS\system32\ntMPB.sys
S3 PRISM_A00;PRISM 802.11g Driver;C:\WINDOWS\system32\DRIVERS\PRISMA00.sys
S3 SRS_SSCFilter;SRS Labs Audio Sandbox (WDM);C:\WINDOWS\system32\drivers\srs_sscfilter_i386.sys

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-25 18:12:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-25 18:16:55 - machine was rebooted
.
--- E O F ---
KASPERSKY ONLINE SCANNER REPORT
Sunday, November 25, 2007 5:51:33 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/11/2007
Kaspersky Anti-Virus database records: 465354
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 85507
Number of viruses found: 6
Number of infected objects: 10
Number of suspicious objects: 0
Duration of the scan process: 05:05:27

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.2.Crwl Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.2.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSStmp.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010009.ci Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010009.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010009.wsb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000F.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010013.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010014.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010015.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy5.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped
C:\Documents and Settings\andrew\Application Data\Microsoft\Internet Explorer\UserData\index.dat Object is locked skipped
C:\Documents and Settings\andrew\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\andrew\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
C:\Documents and Settings\andrew\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
C:\Documents and Settings\andrew\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\andrew\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\andrew\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\andrew\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\andrew\Local Settings\History\History.IE5\MSHist012007112520071126\index.dat Object is locked skipped
C:\Documents and Settings\andrew\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\andrew\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\andrew\ntuser.dat Object is locked skipped
C:\Documents and Settings\andrew\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Ntf5.tmp Object is locked skipped
C:\Ntf6.tmp Object is locked skipped
C:\System Recovery\OP_CACHE.ATR Object is locked skipped
C:\System Recovery\OP_CACHE.IDX Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\00010002.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\OP_CACHE.ATR Object is locked skipped
C:\System Volume Information\OP_CACHE.IDX Object is locked skipped
C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP218\A0067333.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP218\A0067334.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP218\A0067336.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP218\A0067358.dll Infected: not-a-virus:AdWare.Win32.Mirar.k skipped
C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP247\A0072847.exe Object is locked skipped
C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP247\A0072848.exe Object is locked skipped
C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP247\A0072849.dll Object is locked skipped
C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP247\A0072850.exe Object is locked skipped
C:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP274\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Fonts\'\China Crack.zip/Crack.exe Infected: Trojan.Win32.Agent.cmn skipped
C:\WINDOWS\Fonts\'\China Crack.zip ZIP: infected - 1 skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{D71DA748-6724-4C04-BDF1-4686C31B31D0}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.e skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\usgthrsvc\Perflib_Perfdata_6dc.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\delete\commonfiles\hdaprop.dll Object is locked skipped
F:\delete\commonfiles\hdashcut.exe Object is locked skipped
F:\delete\commonfiles\hdaudbus.inf Object is locked skipped
F:\delete\commonfiles\hdaudbus.sys Object is locked skipped
F:\delete\commonfiles\hdaudio.inf Object is locked skipped
F:\delete\commonfiles\hdaudio.sys Object is locked skipped
F:\delete\commonfiles\hdaudres.dll Object is locked skipped
F:\delete\update\kb888111wxpsp2.cat Object is locked skipped
F:\delete\update\spcustom.dll Object is locked skipped
F:\delete\update\spmsg.dll Object is locked skipped
F:\delete\update\update.exe Object is locked skipped
F:\delete\update\update.inf Object is locked skipped
F:\delete\update\update.ver Object is locked skipped
F:\delete\update\updspapi.dll Object is locked skipped
F:\delete\winxpsp2\portcls.sys Object is locked skipped
F:\system backup\20071010_180618_andrew.nba/C/WINDOWS/system32/pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.e skipped
F:\system backup\20071010_180618_andrew.nba Infected: not-a-virus:RiskTool.Win32.PsKill.e skipped
F:\system backup\backup november\C\WINDOWS\system32\pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.e skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\OP_CACHE.ATR Object is locked skipped
F:\System Volume Information\OP_CACHE.IDX Object is locked skipped
F:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP247\A0072851.exe Object is locked skipped
F:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP247\A0072852.exe Object is locked skipped
G:\photo's\Desktop.ini Object is locked skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
G:\System Volume Information\OP_CACHE.ATR Object is locked skipped
G:\System Volume Information\OP_CACHE.IDX Object is locked skipped
G:\System Volume Information\_restore{1ECDAF7B-E276-4258-8067-2BBA1926186B}\RP274\change.log Object is locked skipped

Scan process completed.
Adobe Reader 8.1.1
Advanced WindowsCare 2.55 Personal
Ashampoo FireWall 1.20
AVG 7.5
CCleaner (remove only)
Convert Doc
Easy Start Button
ERUNT 1.1j
Eusing Free Registry Cleaner
Glary Utilities 2.3.1.92
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
IE7Pro
Java(TM) 6 Update 3
Kaspersky Online Scanner
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Journal Viewer
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
Nero 7 Premium
Nero 7 Premium
neroxml
NET Installation Assistance for VB6 App (Runtime Only)
PC Booster
PC Pitstop Optimize 1.0v
Realtek AC'97 Audio
Remove DivX Codec
Revo Uninstaller 1.34
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
SiS 650
SiS 900 PCI Fast Ethernet Adapter Driver
Spybot - Search & Destroy 1.4
Synaptics Pointing Device Driver
Unlocker 1.8.5
Windows Imaging Component
Windows Installer Clean Up
Windows Live installer
Windows Live Messenger
Windows Live Photo Gallery Beta
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 2
WinRAR archiver

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:27:47, on 25/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\khooker.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\inKline Global\PC Booster\pcbooster.exe
C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7Pro\IE7Pro.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PC Booster] C:\Program Files\inKline Global\PC Booster\pcbooster.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ashampoo FireWall] "C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" -TRAY
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: OP_CACHE.ATR
O4 - Global Startup: OP_CACHE.IDX
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 1786011000
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee - (no file)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 6362 bytes
All logs in post. hope for help in sorting problems if needed. thankyou
andrewgrizz
Regular Member
 
Posts: 35
Joined: November 23rd, 2007, 11:35 am

Re: log file 24/11/07

Unread postby Scotty » November 27th, 2007, 9:03 am

Hi

I'm afraid I have unpleasant news for you. You have a Dangerous infection on this machine.
The infection is delivered by a Backdoor Trojan.
It allows outsiders COMPLETE access to every keystroke, account, and password you use while on this machine, and complete access to any other data present...
IF this computer has been used for any kind of important data, my best recommendation is to Disconnect from Internet, Re-Format the entire drive and re-install your Operating system and Applications.

We can likely clean the infected files off the computer, and if you wish we will attempt to do so, but we cannot be sure that the infection didn't do something to your system to reduce the system security. In that instance, even after removal of the infection, you could be subject to another attack or takeover as soon as you re-connect to the Internet.

The Decision Whether to ReFormat or Not should be based on:
  • The use of the computer - this is the primary factor in the decision whether to re-format and re-install, or just disinfect.
  • The variety of malware - this influences the decision on whether to re-format and re-install, or just disinfect.
If the Computer has been used for any important data, you are strongly advised to do the following, immediately:
  • Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
  • Back up all important data on the machine. Do not back up any Applications (programs). Those should be re-installed from the original source CDs or websites.
  • If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
    Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
  • Take any other steps you think appropriate for an attempted identity theft.
While you are deciding whether to ReFormat and Re-Install, a useful link is here: http://www.dslreports.com/faq/10063
Please let me know what you decide.
User avatar
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: log file 24/11/07

Unread postby andrewgrizz » November 27th, 2007, 3:24 pm

thanks for the advice, i will re-install all system settings back to factory set using my installation disks. i can do a safe restore where all items installed will go into a folder called my old system i believe that is what it is called or similar. a new operating system will then be installed taking me back to the start. at present my avast home anti-virus as not found anything new nor has winpatrol 2007, but i will err onside of caution and re-install which will take me an hour or more. my system has pre-installed operating features and only come with recovery disc no windows discs. thanks. i hope this will fix any trouble makers hiding in the computer shadows. thanks for your help. :o
andrewgrizz
Regular Member
 
Posts: 35
Joined: November 23rd, 2007, 11:35 am

Re: log file 24/11/07

Unread postby Elrond » November 28th, 2007, 6:53 am

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 50 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware