trojan horse downloader.obfuskated

Post by iut044 » April 19th, 2008, 10:59 am

Hi, having problems getting rid of trojan horse downloader.obfuskated.

Logfile of HijackThis v1.99.1
Scan saved at 15:50:49, on 19/04/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\All Users\Application Data\jspknkli\lqlefsts.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\PromptCast\PromptCast.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\lxcrcoms.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\PROGRA~1\Grisoft\AVG7\avgwb.dat
C:\Program Files\HijackThis\hj.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.virgin.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Virgin.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://www.football365.com;http://www.m ... ;localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,winwork.exe
O2 - BHO: (no name) - P@þ - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - €@þ - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - HKCU\..\Run: [DownloadSoftware] rundll32.exe C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:DownloadSoftware:t
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [PromptCast] C:\Program Files\PromptCast\PromptCast.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: -> TimelyWeb - C:\PROGRA~1\EldoS\TIMELY~1\IEPopupExtension.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {76DD9E77-F06C-4471-AB6C-CF03C5C6B5B0} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/c ... blt1_x.cab
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/rap ... loader.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/c ... /jt0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/ ... 1/chat.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/c ... /ct2_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/c ... grt5_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/c ... pote_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/c ... ywt0_x.cab
O16 - DPF: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33} (A18X Control) - http://www.albatross18.com/cabs/A18X.ocx
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12119/CTSUEng.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {1F996EAE-3D97-4862-AA0E-27F257C089DE} (blueyonder Game Launcher Control) - http://www.bygames.com/activex/launcher.ocx
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/retro64_loader.dll
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden ... Loader.dll
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/com ... MediaX.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... urrent.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricoch ... Loader.cab
O16 - DPF: {4E7BD74F-2B8D-469E-89B3-BE29F5D3E32D} (MINICLIPTOOLBAR) - http://www.miniclip.com/toolbar/minicliptoolbar.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.shockwave.com/content/dinerd ... 0.0.67.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3355862896
O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} - http://www.gigex.com/tv/igor/gigexagent.dll
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/softwar ... launch.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {77DD44BF-551D-4E3C-82CD-D637D5018D3C} - http://www.surveys.com/promptcast/Insta ... 0SETUP.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplat ... -devel.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} - http://acceso.masminutos.com/laaplicacion.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://www.shockwave.com/content/burger ... yer_v4.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v ... b34246.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://www.shockwave.com/content/dinerd ... 0.0.33.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://www.arcadetown.com/swf/delicious ... player.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.telewest.co.uk/motive/files/ ... reQual.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/w ... uncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playgames.virginmedia.com/online ... der_v5.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E522120B-0CF2-4C26-A8EA-50A7591F10F1} (blueyonder Game Launcher Control) - http://gaming.blueyonder.co.uk/activex/launcher.ocx
O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - http://www.shockwave.com/content/weddin ... 0.0.47.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by15fd.bay15.hotmail.msn.com/act ... Atchmt.ocx
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/ocx/12119/CTPID.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v51/h2 ... 2hpool.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: lxcr_device - - C:\WINDOWS\System32\lxcrcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
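As an added example that is not part of this thread and not a HijackThis or MalwareRemoval.com tool: the script below encodes a few of the triage checks a log reviewer applies to entries like the ones in the post above (the F2 UserInit value with a second executable appended, the R1 ProxyServer setting pointing at localhost, O2 BHO entries whose registry key is not a CLSID, and an executable running from an Application Data folder). The sample lines are copied verbatim from the log above; the rules, the "random-looking folder name" vowel check, and the wording of the findings are my own assumptions, and a hit means "verify this", not "this is malware".

```python
"""Triage heuristics for HijackThis v1.99-style log lines (added example, not the forum's tool)."""
import re

# Constructed sample: eight lines copied verbatim from the HijackThis log posted above.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\winlogon.exe
C:\Documents and Settings\All Users\Application Data\jspknkli\lqlefsts.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,winwork.exe
O2 - BHO: (no name) - P@þ - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
""".strip().splitlines()

CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*) - (?P<id>\S+) - (?P<file>.*)$")
APPDATA_EXE_RE = re.compile(r"\\Application Data\\(?P<dir>[^\\]+)\\(?P<exe>[^\\]+?\.exe)", re.I)
LOCAL_HOSTS = {"localhost", "127.0.0.1"}


def looks_random(name: str) -> bool:
    """Heuristic (my assumption, not a HijackThis rule): letters only with at most one vowel."""
    return name.isalpha() and len(re.findall(r"[aeiou]", name.lower())) <= 1


def triage_line(line: str) -> list[str]:
    """Return triage findings for one HijackThis log line; an empty list means nothing flagged."""
    line = line.strip()
    findings: list[str] = []

    # Rule 1: F2 UserInit. Windows XP's normal value is userinit.exe alone (a trailing
    # comma is normal); anything appended after it is started by winlogon at every logon.
    if line.startswith("F2 - REG:system.ini: UserInit="):
        value = line.split("UserInit=", 1)[1]
        for entry in value.split(","):
            if entry and not entry.lower().endswith("userinit.exe"):
                findings.append(f"extra logon program in UserInit: {entry}")

    # Rule 2: IE proxy pointing at the local machine. A local listener can read and
    # rewrite every HTTP request; identify which process owns the port before trusting it.
    # (Only the simple "host:port" form is handled; per-protocol lists are not parsed.)
    elif "Internet Settings,ProxyServer" in line:
        proxy = line.split("=", 1)[1].strip()
        host = proxy.rsplit(":", 1)[0].lower()
        if host in LOCAL_HOSTS:
            findings.append(f"IE traffic routed through a local proxy: {proxy}")

    # Rule 3: BHO whose identifier is not a CLSID. HijackThis prints the registry key
    # name here; a real BHO key is always a braced GUID, so anything else is junk or damage.
    elif line.startswith("O2 - BHO:"):
        m = BHO_RE.match(line)
        if m and not CLSID_RE.match(m.group("id")):
            findings.append(f"BHO key is not a CLSID: {m.group('id')!r} ({m.group('file')})")

    # Rule 4: executables running from, or auto-started from, Application Data.
    # Installed software normally lives under Program Files or WINDOWS; an .exe in a
    # random-looking Application Data folder is a common dropper location.
    if line.startswith("O4 - ") or re.match(r"^[A-Za-z]:\\", line):
        m = APPDATA_EXE_RE.search(line)
        if m:
            note = "random-looking folder" if looks_random(m.group("dir")) else "folder"
            findings.append(f"executable under Application Data ({note} {m.group('dir')!r}): {m.group('exe')}")
    return findings


def triage_log(lines) -> list[tuple[str, str]]:
    """Run triage_line over a whole log and return (source line, finding) pairs."""
    return [(line.strip(), f) for line in lines for f in triage_line(line)]


if __name__ == "__main__":
    for src, finding in triage_log(SAMPLE_LOG):
        print(f"{finding}\n    <- {src}")
```

Run it on a saved log with `triage_log(open("hijackthis.log").read().splitlines())`; the unflagged lines (winlogon.exe, the ZoneAlarm entries, the Windows Live BHO with a proper CLSID and a file on disk) show that each rule only fires on the specific pattern it names, which is what keeps a triage script useful on a log with two hundred legitimate entries.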

Re: trojan horse downloader.obfuskated

Post by MWR 3 day Mod » April 22nd, 2008, 8:23 am

Hi, iut044

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.

Re: trojan horse downloader.obfuskated

Post by chryssi2001 » April 22nd, 2008, 11:45 am

Hello iut044,

I will be assisting you with your malware issues.
Please be patient as I need some time to review your HijackThis log, and I will post back recommendations for repairs.

  • Whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean! If you have any questions or you're stuck somewhere, please reply to me. I will try my best to help you!
  • Please bookmark or favourite this page, in case you need it as a reference.
IMPORTANT NOTE:
If you are using Windows Vista, you must right-click on the desktop icon of each tool and choose Run as Administrator.
-------------------------------------------------
I see you have automatic updates running, but the machine is only updated to Service Pack 1.
Why is SP2 not installed? Any special reason?

You should update to SP2, but NOT NOW. You can do it after your machine is clean.
-------------------------------------------------
Please post back a new HijackThis log, and tell me why your system is not updated to SP2.

Re: trojan horse downloader.obfuskated

Post by iut044 » April 22nd, 2008, 12:20 pm

I am quite low on hard drive space, and the maximum simultaneous connections limit affects the performance of BitTorrent, which is why I have not upgraded to SP2. Also, Windows Task Manager is not working: "Task Manager has been disabled by your administrator".

Logfile of HijackThis v1.99.1
Scan saved at 17:13:44, on 22/04/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\All Users\Application Data\jspknkli\lqlefsts.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\PromptCast\PromptCast.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\lxcrcoms.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\HijackThis\hj.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.virgin.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Virgin.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://www.football365.com;http://www.m ... ;localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,winwork.exe
O2 - BHO: (no name) - P@þ - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - €@þ - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - HKCU\..\Run: [DownloadSoftware] rundll32.exe C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:DownloadSoftware:t
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [PromptCast] C:\Program Files\PromptCast\PromptCast.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: -> TimelyWeb - C:\PROGRA~1\EldoS\TIMELY~1\IEPopupExtension.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {76DD9E77-F06C-4471-AB6C-CF03C5C6B5B0} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/c ... blt1_x.cab
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/rap ... loader.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/c ... /jt0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/ ... 1/chat.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/c ... /ct2_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/c ... grt5_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/c ... pote_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/c ... ywt0_x.cab
O16 - DPF: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33} (A18X Control) - http://www.albatross18.com/cabs/A18X.ocx
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12119/CTSUEng.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {1F996EAE-3D97-4862-AA0E-27F257C089DE} (blueyonder Game Launcher Control) - http://www.bygames.com/activex/launcher.ocx
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/retro64_loader.dll
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden ... Loader.dll
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/com ... MediaX.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... urrent.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricoch ... Loader.cab
O16 - DPF: {4E7BD74F-2B8D-469E-89B3-BE29F5D3E32D} (MINICLIPTOOLBAR) - http://www.miniclip.com/toolbar/minicliptoolbar.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.shockwave.com/content/dinerd ... 0.0.67.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3355862896
O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} - http://www.gigex.com/tv/igor/gigexagent.dll
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/softwar ... launch.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {77DD44BF-551D-4E3C-82CD-D637D5018D3C} - http://www.surveys.com/promptcast/Insta ... 0SETUP.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplat ... -devel.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} - http://acceso.masminutos.com/laaplicacion.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://www.shockwave.com/content/burger ... yer_v4.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v ... b34246.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://www.shockwave.com/content/dinerd ... 0.0.33.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://www.arcadetown.com/swf/delicious ... player.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.telewest.co.uk/motive/files/ ... reQual.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/w ... uncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playgames.virginmedia.com/online ... der_v5.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E522120B-0CF2-4C26-A8EA-50A7591F10F1} (blueyonder Game Launcher Control) - http://gaming.blueyonder.co.uk/activex/launcher.ocx
O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - http://www.shockwave.com/content/weddin ... 0.0.47.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by15fd.bay15.hotmail.msn.com/act ... Atchmt.ocx
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/ocx/12119/CTPID.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v51/h2 ... 2hpool.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: lxcr_device - - C:\WINDOWS\System32\lxcrcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
iut044
Active Member
 
Posts: 12
Joined: April 19th, 2008, 10:46 am

Re: trojan horse downloader.obfuskated

Unread postby chryssi2001 » April 22nd, 2008, 1:22 pm

Hello iut044,

I am quite low on hard drive space, and the maximum number of simultaneous connections affects the performance of BitTorrent, which is why I have not upgraded to SP2. Also, Windows Task Manager is not working: "Task Manager has been disabled by your administrator".

This is not a reason not to update your pc. You miss critical updates and you are open to infections.

In addition to not updating your PC, using a P2P program like BitTorrent is like inviting infections.

Task manager is probably disabled by the infections.

If after reading my post you decide to clean your PC, which I do not recommend as there is no way to be sure your computer can ever again be trusted, you will need to uninstall BitTorrent, and remove or transfer files downloaded by it to an external hard drive.

We will need some empty space to download programs which will help us remove the infections from your pc in case you decide to clean it.
----------------------------------------------
Your computer has multiple infections, including a dialer.
Have a read >> here <<. It's a very bad one.

High risks are typically installed without user interaction through security exploits, and can severely compromise system security. Such risks may open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files, and install additional malware. These risks may also collect and transmit personally identifiable information (PII) without your consent and severely degrade the performance and stability of your computer.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Dialer has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Dialer, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine, but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
chryssi2001
MRU Teacher Emeritus
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: trojan horse downloader.obfuskated

Unread postby iut044 » April 22nd, 2008, 1:56 pm

Can you try to clean the machine please?
iut044
Active Member
 
Posts: 12
Joined: April 19th, 2008, 10:46 am

Re: trojan horse downloader.obfuskated

Unread postby chryssi2001 » April 22nd, 2008, 2:08 pm

Hello iut044,

Download and Run ComboFix
If you already have ComboFix, please delete this copy and download it again, as it's being updated regularly.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also what process you had to end.
chryssi2001
MRU Teacher Emeritus
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: trojan horse downloader.obfuskated

Unread postby iut044 » April 22nd, 2008, 2:50 pm

ComboFix 08-04-20.5 - paul 2008-04-22 19:26:48.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.245 [GMT 1:00]
Running from: C:\Documents and Settings\paul\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\paul\Application Data\searchtoolbarcorp
C:\Documents and Settings\paul\Application Data\searchtoolbarcorp\Toolbar Vision\PageHistory.txt
C:\Documents and Settings\paul\Application Data\searchtoolbarcorp\Toolbar Vision\WebHistory.txt
C:\Program Files\Common Files\{38BE6~1
C:\Program Files\Common Files\{38BE6~1\Uninst.exe
C:\Program Files\Common Files\{68BE6~1
C:\setup.exe
C:\WINDOWS\Downloaded Program Files\launcher.ocx
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\components
C:\WINDOWS\system32\components\flx0.dll
C:\WINDOWS\system32\components\flx1.dll
C:\WINDOWS\system32\components\flx2.dll
C:\WINDOWS\system32\paytime.exe
C:\WINDOWS\tool1.exe
C:\WINDOWS\tool3.exe
C:\WINDOWS\tool4.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-22 to 2008-04-22 )))))))))))))))))))))))))))))))
.

2008-04-22 14:46 . 2008-04-22 14:46 157,075 --a------ C:\itv.GIF
2008-04-22 10:07 . 2008-04-22 10:07 106,496 --a------ C:\WINDOWS\system32\jkfyvqbk.exe
2008-04-21 22:39 . 2008-04-21 22:39 106,496 --a------ C:\WINDOWS\system32\huncpero.exe
2008-04-21 10:39 . 2008-04-21 10:39 114,688 --a------ C:\WINDOWS\system32\vavidolm.exe
2008-04-20 22:28 . 2008-04-20 22:28 106,496 --a------ C:\WINDOWS\system32\rqvqjyzq.exe
2008-04-20 10:27 . 2008-04-20 10:27 110,592 --a------ C:\WINDOWS\system32\rwhmbulq.exe
2008-04-19 21:13 . 2008-04-19 21:13 98,304 --a------ C:\WINDOWS\system32\jenixqxa.exe
2008-04-17 12:33 . 2008-04-17 12:33 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-17 12:31 . 2008-04-17 12:31 5,840,544 --a------ C:\Firefox Setup 2.0.0.14.exe
2008-04-16 23:02 . 2008-04-16 23:02 14,890 --a------ C:\the[1].riches.205.dsr-0tv.avi.torrent
2008-04-14 16:52 . 2008-04-14 16:52 7,947,736 --a------ C:\GoMagazineIssue02.pdf
2008-04-14 13:47 . 2008-04-22 16:00 <DIR> d-------- C:\Documents and Settings\paul\Application Data\SuperNZB
2008-04-14 13:46 . 2008-04-14 13:46 <DIR> d-------- C:\Program Files\SuperNZB
2008-04-14 13:45 . 2008-04-14 13:45 1,877,448 --a------ C:\SuperNZB-Setup.exe
2008-04-13 22:03 . 2008-04-13 22:03 28,855 --a------ C:\battlestar[1].galactica.402.hdtv-lol.avi.torrent
2008-04-11 15:16 . 2008-04-11 15:16 <DIR> d-------- C:\Documents and Settings\paul\Application Data\Forte
2008-04-11 15:15 . 2008-04-11 15:16 <DIR> d-------- C:\Program Files\Agent
2008-04-11 15:14 . 2008-04-11 15:14 9,347,192 --a------ C:\agentenu420-1118.exe
2008-04-11 14:51 . 2008-04-11 14:51 <DIR> d-------- C:\xnews
2008-04-11 13:39 . 2008-04-11 13:40 713,503 --a------ C:\xnews.zip
2008-04-11 12:27 . 2008-04-11 12:50 <DIR> d-------- C:\Documents and Settings\paul\Application Data\GrabIt
2008-04-11 12:25 . 2008-04-11 12:25 1,728,307 --a------ C:\GrabIt171b.exe
2008-04-10 17:12 . 2008-04-10 17:12 310,119 --a------ C:\agentenu-spelleng400-100.exe
2008-04-10 17:01 . 2008-04-10 17:01 19,456 --a------ C:\alt.doc
2008-04-09 14:45 . 2008-04-09 14:45 14,878 --a------ C:\the[1].riches.s02e04.dsr.xvid-0tv.avi.torrent
2008-04-08 11:28 . 2008-04-08 11:28 28,935 --a------ C:\Medium[1].S04E11.HDTV.XviD-0TV.avi.torrent
2008-04-07 23:00 . 2008-04-07 23:00 41,649 --a------ C:\Profit_DVD-Rip.torrent
2008-04-07 12:34 . 2008-04-07 12:34 14,878 --a------ C:\Cold[1].Case.S05E15.HDTV.XviD-HDQ.[VTV].avi.torrent
2008-04-05 11:13 . 2008-04-05 11:13 14,881 --a------ C:\battlestar[1].galactica.401.hdtv-lol.avi.torrent
2008-04-04 16:32 . 2008-04-04 16:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\jspknkli
2008-04-04 13:39 . 2008-04-04 13:39 14,840 --a------ C:\my[1].name.is.earl.314.315.hdtv-lol.avi.torrent
2008-04-02 13:37 . 2008-04-02 13:37 14,899 --a------ C:\the[1].riches.2x03.field.of.dreams.avi.torrent
2008-03-31 11:32 . 2008-03-31 11:32 28,801 --a------ C:\medium[1].410.hdtv-lol.avi.torrent
2008-03-31 11:31 . 2008-03-31 11:31 14,994 --a------ C:\cold[1].case.s05e14.Andy_in_C_Minor.hdtv.xvid-2hd.avi.torrent
2008-03-28 12:33 . 2008-03-28 12:32 14,916 --a------ C:\reaper[1].s01e13.hdtv.xvid-notv.avi.torrent
2008-03-28 12:33 . 2008-03-28 12:33 14,847 --a------ C:\smallville[1].s07e15.proper.hdtv.xvid-notv.avi.torrent
2008-03-27 20:23 . 2008-03-27 20:23 354,362 --a------ C:\Oz.COMPLETE.DVDRip.3535630.TPB.torrent
2008-03-27 20:18 . 2008-03-27 20:18 16,624 --a------ C:\Stargate.The.Ark.Of.Truth.2008.Proper.DVDRIP.XVID-iGNiTE.4068808.TPB.torrent
2008-03-26 14:15 . 2008-03-26 14:15 14,898 --a------ C:\The[1].Riches.S02E02.DSR.XviD-0TV.avi.torrent
2008-03-26 14:15 . 2008-03-26 14:15 7,867 --a------ C:\jericho[1].207.hdtv-lol.avi.torrent
2008-03-25 23:26 . 2008-03-25 23:26 130,266 --a------ C:\Oz[1].S04.DVDRip [mininova].torrent
2008-03-24 11:48 . 2008-03-24 11:48 14,867 --a------ C:\medium[1].409.hdtv-lol.avi.torrent
2008-03-23 17:39 . 2008-03-23 17:39 14,861 --a------ C:\The[1].Simpsons.S19E07.PDTV.XviD-LOL.avi.torrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-22 18:37 --------- d-----w C:\Program Files\PeerGuardian2
2008-04-22 09:09 --------- d-----w C:\Program Files\GetRight
2008-04-21 09:36 --------- d-----w C:\Documents and Settings\paul\Application Data\AVG7
2008-04-21 09:35 40,304,069 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-04-20 23:16 --------- d-----w C:\Documents and Settings\paul\Application Data\Azureus
2008-04-20 10:27 --------- d-----w C:\Program Files\lx_cats
2008-04-16 22:48 --------- d-----w C:\Program Files\Azureus
2008-04-15 09:41 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-06 10:20 --------- d-----w C:\Documents and Settings\paul\Application Data\FaxCtr
2008-03-16 12:45 --------- d-----w C:\Documents and Settings\paul\Application Data\MSN6
2008-02-28 17:44 --------- d-----w C:\Program Files\Unity
2008-02-28 17:43 3,242,080 ----a-w C:\UnityWebPlayer.exe
2008-02-12 17:53 2,817,536 ----a-w C:\ica32t.exe
2006-07-22 12:05 1,034,833 ----a-w C:\Program Files\winrar.exe
2006-07-22 12:03 1,034,833 ----a-w C:\Program Files\wrar36b8.exe
2005-01-16 12:57 20,798,256 ----a-w C:\Program Files\AdbeRdr70_enu_full.exe
2004-12-29 21:46 487,544 ----a-w C:\Program Files\yahoo messenger.exe
2002-04-16 11:27 5 --sha-w C:\WINDOWS\system32\CdI5T.drv
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskTray"="C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe" [2001-06-29 09:00 163840]
"Taskbar"="C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe" [2001-09-20 09:00 122880]
"DownloadSoftware"=" C:\WINDOWS\System32\MSA64CHK.dll" [ ]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" [2004-08-06 16:33 2502656]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2007-01-30 00:39 1432064]
"PromptCast"="C:\Program Files\PromptCast\PromptCast.exe" [2004-05-04 16:43 221184]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-10-30 12:01 392832]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-10-29 17:50 4620288]
"nwiz"="nwiz.exe" [2004-10-29 17:50 921600 C:\WINDOWS\system32\nwiz.exe]
"WinFast2KLoadDefault"="wf2kcpl.dll" [2002-05-16 10:53 628736 C:\WINDOWS\system32\WF2KCPL.dll]
"Pop-Up Stopper"="C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe" [2002-07-28 22:51 708608]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-10-29 17:50 86016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-07-10 13:20 77824]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 18:05 81920]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 10:41 579584]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-10-02 09:35 180269]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2005-08-29 19:09 980736]
"OPSE reminder"="C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" [ ]
"lxcrmon.exe"="C:\Program Files\Lexmark 2400 Series\lxcrmon.exe" [2006-01-22 18:45 286720]
"EzPrint"="C:\Program Files\Lexmark 2400 Series\ezprint.exe" [2006-02-07 06:10 98304]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2006-02-02 09:11 290816]
"LXCRCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2005-12-01 19:38 65536]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 04:10 49263]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 03:12 483328]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 11:41 13312]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 09:16 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-11-16 19:20:51 25214]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 05:44:06 29696]
GetRight - Tray Icon.lnk - C:\Program Files\GetRight\getright.exe [2002-07-31 22:05:02 2345984]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2003-12-13 15:28:04 630915]
Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe [2003-06-08 17:48:18 16432]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-03-22 02:00:00 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"JsG7Ticser"= C:\Documents and Settings\All Users\Application Data\jspknkli\lqlefsts.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{68BE643F-06C4-2057-0417-02051520002c}"= "C:\Program Files\Common Files\{68BE643F-06C4-2057-0417-02051520002c}\Update.exe" mc-110-12-0000272

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= L3codecp.acm
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
"msacm.divxa32"= DivXa32.acm
"vidc.XVID"= xvid.dll

R2 ousbehci;%OWC_USBEHCD.DeviceDesc%;C:\WINDOWS\System32\Drivers\ousbehci.sys [2002-02-01 07:39]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINDOWS\System32\DRIVERS\ousb2hub.sys [2002-02-01 07:39]
R3 WFsys;WinFox Control I/O Driver;C:\WINDOWS\System32\DRIVERS\wfsys.sys [2002-04-22 15:15]
S4 hpt3xx;hpt3xx;C:\WINDOWS\System32\DRIVERS\hpt3xx.sys [2001-08-17 21:52]

*Newly Created Service* - CATCHME
*Newly Created Service* - PGFILTER

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{43564368-4375-8601-4371-458454791235}]
C:\WINDOWS\System32\tcpdiss.exe /r
.
Contents of the 'Scheduled Tasks' folder
"2008-04-21 23:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\System32\4us0sr0K.exe
"2008-04-07 08:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\System32\4us0sr0K.exe
"2007-11-16 03:00:00 C:\WINDOWS\Tasks\At100.job"
- C:\WINDOWS\System32\q6M1J6mE.exe
"2007-11-16 04:00:00 C:\WINDOWS\Tasks\At101.job"
- C:\WINDOWS\System32\q6M1J6mE.exe
"2007-11-16 05:00:00 C:\WINDOWS\Tasks\At102.job"
- C:\WINDOWS\System32\q6M1J6mE.exe
"2007-11-16 06:00:00 C:\WINDOWS\Tasks\At103.job"
- C:\WINDOWS\System32\q6M1J6mE.exe
"2007-11-16 07:00:00 C:\WINDOWS\Tasks\At104.job"
- C:\WINDOWS\System32\q6M1J6mE.exe
"2007-11-16 08:00:00 C:\WINDOWS\Tasks\At105.job"
- C:\WINDOWS\System32\q6M1J6mE.exe
"2008-04-07 08:00:00 C:\WINDOWS\Tasks\At106.job"
- C:\WINDOWS\System32\q6M1J6mE.exe
"2008-04-19 09:00:00 C:\WINDOWS\Tasks\At107.job"
- C:\WINDOWS\System32\q6M1J6mE.exe
"2008-04-22 10:00:00 C:\WINDOWS\Tasks\At108.job"
- C:\WINDOWS\System32\q6M1J6mE.exe
"2008-04-22 11:00:00 C:\WINDOWS\Tasks\At109.job"
- C:\WINDOWS\System32\q6M1J6mE.exe
"2008-04-19 09:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\System32\4us0sr0K.exe
"2008-04-22 12:00:00 C:\WINDOWS\Tasks\At110.job"
- C:\WINDOWS\System32\q6M1J6mE.exe
"2008-04-22 13:00:00 C:\WINDOWS\Tasks\At111.job"
- C:\WINDOWS\System32\q6M1J6mE.exe
"2008-04-22 14:00:00 C:\WINDOWS\Tasks\At112.job"
- C:\WINDOWS\System32\q6M1J6mE.exe
"2008-04-22 15:00:01 C:\WINDOWS\Tasks\At113.job"
- C:\WINDOWS\System32\q6M1J6mE.exe
"2008-04-22 16:00:00 C:\WINDOWS\Tasks\At114.job"
- C:\WINDOWS\System32\q6M1J6mE.exe
"2008-04-22 17:00:00 C:\WINDOWS\Tasks\At115.job"
- C:\WINDOWS\System32\q6M1J6mE.exe
"2008-04-22 18:00:00 C:\WINDOWS\Tasks\At116.job"
- C:\WINDOWS\System32\q6M1J6mE.exe
"2008-04-21 19:00:00 C:\WINDOWS\Tasks\At117.job"
- C:\WINDOWS\System32\q6M1J6mE.exe
"2008-04-21 20:00:00 C:\WINDOWS\Tasks\At118.job"
- C:\WINDOWS\System32\q6M1J6mE.exe
"2008-04-21 21:00:00 C:\WINDOWS\Tasks\At119.job"
- C:\WINDOWS\System32\q6M1J6mE.exe
"2008-04-22 10:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\System32\4us0sr0K.exe
"2008-04-21 22:00:00 C:\WINDOWS\Tasks\At120.job"
- C:\WINDOWS\System32\q6M1J6mE.exe
"2008-04-22 11:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\System32\4us0sr0K.exe
"2008-04-22 12:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\System32\4us0sr0K.exe
"2008-04-22 13:00:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\System32\4us0sr0K.exe
"2008-04-22 14:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\System32\4us0sr0K.exe
"2008-04-22 15:00:01 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\System32\4us0sr0K.exe
"2008-04-22 16:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\System32\4us0sr0K.exe
"2008-04-22 17:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\System32\4us0sr0K.exe
"2007-11-16 01:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\System32\4us0sr0K.exe
"2008-04-22 18:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\System32\4us0sr0K.exe
"2008-04-21 19:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\System32\4us0sr0K.exe
"2008-04-21 20:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\System32\4us0sr0K.exe
"2008-04-21 21:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\System32\4us0sr0K.exe
"2008-04-21 22:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\System32\4us0sr0K.exe
"2008-04-21 23:00:00 C:\WINDOWS\Tasks\At25.job"
- C:\WINDOWS\System32\HJEGhvq1.exe
"2007-11-16 01:00:00 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\System32\HJEGhvq1.exe
"2007-11-16 02:00:00 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\System32\HJEGhvq1.exe
"2007-11-16 03:00:00 C:\WINDOWS\Tasks\At28.job"
- C:\WINDOWS\System32\HJEGhvq1.exe
"2007-11-16 04:00:00 C:\WINDOWS\Tasks\At29.job"
- C:\WINDOWS\System32\HJEGhvq1.exe
"2007-11-16 02:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\System32\4us0sr0K.exe
"2007-11-16 05:00:00 C:\WINDOWS\Tasks\At30.job"
- C:\WINDOWS\System32\HJEGhvq1.exe
"2007-11-16 06:00:00 C:\WINDOWS\Tasks\At31.job"
- C:\WINDOWS\System32\HJEGhvq1.exe
"2007-11-16 07:00:00 C:\WINDOWS\Tasks\At32.job"
- C:\WINDOWS\System32\HJEGhvq1.exe
"2007-11-16 08:00:00 C:\WINDOWS\Tasks\At33.job"
- C:\WINDOWS\System32\HJEGhvq1.exe
"2008-04-07 08:00:00 C:\WINDOWS\Tasks\At34.job"
- C:\WINDOWS\System32\HJEGhvq1.exe
"2008-04-19 09:00:00 C:\WINDOWS\Tasks\At35.job"
- C:\WINDOWS\System32\HJEGhvq1.exe
"2008-04-22 10:00:00 C:\WINDOWS\Tasks\At36.job"
- C:\WINDOWS\System32\HJEGhvq1.exe
"2008-04-22 11:00:00 C:\WINDOWS\Tasks\At37.job"
- C:\WINDOWS\System32\HJEGhvq1.exe
"2008-04-22 12:00:00 C:\WINDOWS\Tasks\At38.job"
- C:\WINDOWS\System32\HJEGhvq1.exe
"2008-04-22 13:00:00 C:\WINDOWS\Tasks\At39.job"
- C:\WINDOWS\System32\HJEGhvq1.exe
"2007-11-16 03:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\System32\4us0sr0K.exe
"2008-04-22 14:00:00 C:\WINDOWS\Tasks\At40.job"
- C:\WINDOWS\System32\HJEGhvq1.exe
"2008-04-22 15:00:01 C:\WINDOWS\Tasks\At41.job"
- C:\WINDOWS\System32\HJEGhvq1.exe
"2008-04-22 16:00:00 C:\WINDOWS\Tasks\At42.job"
- C:\WINDOWS\System32\HJEGhvq1.exe
"2008-04-22 17:00:00 C:\WINDOWS\Tasks\At43.job"
- C:\WINDOWS\System32\HJEGhvq1.exe
"2008-04-22 18:00:00 C:\WINDOWS\Tasks\At44.job"
- C:\WINDOWS\System32\HJEGhvq1.exe
"2008-04-21 19:00:00 C:\WINDOWS\Tasks\At45.job"
- C:\WINDOWS\System32\HJEGhvq1.exe
"2008-04-21 20:00:00 C:\WINDOWS\Tasks\At46.job"
- C:\WINDOWS\System32\HJEGhvq1.exe
"2008-04-21 21:00:00 C:\WINDOWS\Tasks\At47.job"
- C:\WINDOWS\System32\HJEGhvq1.exe
"2008-04-21 22:00:00 C:\WINDOWS\Tasks\At48.job"
- C:\WINDOWS\System32\HJEGhvq1.exe
"2008-04-21 23:00:00 C:\WINDOWS\Tasks\At49.job"
- C:\WINDOWS\System32\Wa181r03.exe
"2007-11-16 04:00:00 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\System32\4us0sr0K.exe
"2007-11-16 01:00:00 C:\WINDOWS\Tasks\At50.job"
- C:\WINDOWS\System32\Wa181r03.exe
"2007-11-16 02:00:00 C:\WINDOWS\Tasks\At51.job"
- C:\WINDOWS\System32\Wa181r03.exe
"2007-11-16 03:00:00 C:\WINDOWS\Tasks\At52.job"
- C:\WINDOWS\System32\Wa181r03.exe
"2007-11-16 04:00:00 C:\WINDOWS\Tasks\At53.job"
- C:\WINDOWS\System32\Wa181r03.exe
"2007-11-16 05:00:00 C:\WINDOWS\Tasks\At54.job"
- C:\WINDOWS\System32\Wa181r03.exe
"2007-11-16 06:00:00 C:\WINDOWS\Tasks\At55.job"
- C:\WINDOWS\System32\Wa181r03.exe
"2007-11-16 07:00:00 C:\WINDOWS\Tasks\At56.job"
- C:\WINDOWS\System32\Wa181r03.exe
"2007-11-16 08:00:00 C:\WINDOWS\Tasks\At57.job"
- C:\WINDOWS\System32\Wa181r03.exe
"2008-04-07 08:00:00 C:\WINDOWS\Tasks\At58.job"
- C:\WINDOWS\System32\Wa181r03.exe
"2008-04-19 09:00:00 C:\WINDOWS\Tasks\At59.job"
- C:\WINDOWS\System32\Wa181r03.exe
"2007-11-16 05:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\System32\4us0sr0K.exe
"2008-04-22 10:00:00 C:\WINDOWS\Tasks\At60.job"
- C:\WINDOWS\System32\Wa181r03.exe
"2008-04-22 11:00:00 C:\WINDOWS\Tasks\At61.job"
- C:\WINDOWS\System32\Wa181r03.exe
"2008-04-22 12:00:00 C:\WINDOWS\Tasks\At62.job"
- C:\WINDOWS\System32\Wa181r03.exe
"2008-04-22 13:00:00 C:\WINDOWS\Tasks\At63.job"
- C:\WINDOWS\System32\Wa181r03.exe
"2008-04-22 14:00:00 C:\WINDOWS\Tasks\At64.job"
- C:\WINDOWS\System32\Wa181r03.exe
"2008-04-22 15:00:01 C:\WINDOWS\Tasks\At65.job"
- C:\WINDOWS\System32\Wa181r03.exe
"2008-04-22 16:00:00 C:\WINDOWS\Tasks\At66.job"
- C:\WINDOWS\System32\Wa181r03.exe
"2008-04-22 17:00:00 C:\WINDOWS\Tasks\At67.job"
- C:\WINDOWS\System32\Wa181r03.exe
"2008-04-22 18:00:00 C:\WINDOWS\Tasks\At68.job"
- C:\WINDOWS\System32\Wa181r03.exe
"2008-04-21 19:00:00 C:\WINDOWS\Tasks\At69.job"
- C:\WINDOWS\System32\Wa181r03.exe
"2007-11-16 06:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\System32\4us0sr0K.exe
"2008-04-21 20:00:00 C:\WINDOWS\Tasks\At70.job"
- C:\WINDOWS\System32\Wa181r03.exe
"2008-04-21 21:00:00 C:\WINDOWS\Tasks\At71.job"
- C:\WINDOWS\System32\Wa181r03.exe
"2008-04-21 22:00:00 C:\WINDOWS\Tasks\At72.job"
- C:\WINDOWS\System32\Wa181r03.exe
"2008-04-21 23:00:00 C:\WINDOWS\Tasks\At73.job"
- C:\WINDOWS\System32\3mjCpW2H.exe
"2007-11-16 01:00:00 C:\WINDOWS\Tasks\At74.job"
- C:\WINDOWS\System32\3mjCpW2H.exe
"2007-11-16 02:00:00 C:\WINDOWS\Tasks\At75.job"
- C:\WINDOWS\System32\3mjCpW2H.exe
"2007-11-16 03:00:00 C:\WINDOWS\Tasks\At76.job"
- C:\WINDOWS\System32\3mjCpW2H.exe
"2007-11-16 04:00:00 C:\WINDOWS\Tasks\At77.job"
- C:\WINDOWS\System32\3mjCpW2H.exe
"2007-11-16 05:00:00 C:\WINDOWS\Tasks\At78.job"
- C:\WINDOWS\System32\3mjCpW2H.exe
"2007-11-16 06:00:00 C:\WINDOWS\Tasks\At79.job"
- C:\WINDOWS\System32\3mjCpW2H.exe
"2007-11-16 07:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\System32\4us0sr0K.exe
"2007-11-16 07:00:00 C:\WINDOWS\Tasks\At80.job"
- C:\WINDOWS\System32\3mjCpW2H.exe
"2007-11-16 08:00:00 C:\WINDOWS\Tasks\At81.job"
- C:\WINDOWS\System32\3mjCpW2H.exe
"2008-04-07 08:00:00 C:\WINDOWS\Tasks\At82.job"
- C:\WINDOWS\System32\3mjCpW2H.exe
"2008-04-19 09:00:00 C:\WINDOWS\Tasks\At83.job"
- C:\WINDOWS\System32\3mjCpW2H.exe
"2008-04-22 10:00:00 C:\WINDOWS\Tasks\At84.job"
- C:\WINDOWS\System32\3mjCpW2H.exe
"2008-04-22 11:00:00 C:\WINDOWS\Tasks\At85.job"
- C:\WINDOWS\System32\3mjCpW2H.exe
"2008-04-22 12:00:00 C:\WINDOWS\Tasks\At86.job"
- C:\WINDOWS\System32\3mjCpW2H.exe
"2008-04-22 13:00:00 C:\WINDOWS\Tasks\At87.job"
- C:\WINDOWS\System32\3mjCpW2H.exe
"2008-04-22 14:00:00 C:\WINDOWS\Tasks\At88.job"
- C:\WINDOWS\System32\3mjCpW2H.exe
"2008-04-22 15:00:01 C:\WINDOWS\Tasks\At89.job"
- C:\WINDOWS\System32\3mjCpW2H.exe
"2007-11-16 08:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\System32\4us0sr0K.exe
"2008-04-22 16:00:00 C:\WINDOWS\Tasks\At90.job"
- C:\WINDOWS\System32\3mjCpW2H.exe
"2008-04-22 17:00:00 C:\WINDOWS\Tasks\At91.job"
- C:\WINDOWS\System32\3mjCpW2H.exe
"2008-04-22 18:00:00 C:\WINDOWS\Tasks\At92.job"
- C:\WINDOWS\System32\3mjCpW2H.exe
"2008-04-21 19:00:00 C:\WINDOWS\Tasks\At93.job"
- C:\WINDOWS\System32\3mjCpW2H.exe
"2008-04-21 20:00:00 C:\WINDOWS\Tasks\At94.job"
- C:\WINDOWS\System32\3mjCpW2H.exe
"2008-04-21 21:00:00 C:\WINDOWS\Tasks\At95.job"
- C:\WINDOWS\System32\3mjCpW2H.exe
"2008-04-21 22:00:00 C:\WINDOWS\Tasks\At96.job"
- C:\WINDOWS\System32\3mjCpW2H.exe
"2008-04-21 23:00:00 C:\WINDOWS\Tasks\At97.job"
- C:\WINDOWS\System32\q6M1J6mE.exe
"2007-11-16 01:00:00 C:\WINDOWS\Tasks\At98.job"
- C:\WINDOWS\System32\q6M1J6mE.exe
"2007-11-16 02:00:00 C:\WINDOWS\Tasks\At99.job"
- C:\WINDOWS\System32\q6M1J6mE.exe
"2008-04-22 18:10:16 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-22 19:36:44
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCRCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-22 19:45:03
ComboFix-quarantined-files.txt 2008-04-22 18:44:12

Pre-Run: 6,270,455,296 bytes free
Post-Run: 13,675,258,880 bytes free

416
iut044
Active Member
 
Posts: 12
Joined: April 19th, 2008, 10:46 am
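
The "Scheduled Tasks" section of the ComboFix report above is where a helper would spot the persistence mechanism: 120 At*.job entries, one for every hour of the day, each launching one of five randomly named executables in System32 (4us0sr0K.exe, q6M1J6mE.exe, HJEGhvq1.exe, Wa181r03.exe, 3mjCpW2H.exe). The following Python is an added example, not code from the post or from ComboFix itself, that parses entries in that two-line format, groups them by the executable they launch, and flags the pattern. The sample lines, the 8-character "random name" heuristic and the threshold of three At*.job tasks per target are constructed assumptions for this illustration, not values the page gives.

```python
"""Triage the "Scheduled Tasks" section of a ComboFix-style report.

Added example (not from the forum post, and not ComboFix's own code). It reads
the two-line entries ComboFix prints for each task, groups them by the
executable they launch, and flags the persistence pattern visible in the log:
many hourly At*.job tasks all pointing at randomly named executables under
System32. The heuristics and sample lines below are constructed for this
illustration.
"""
import re
from collections import defaultdict

# One entry = a quoted "<timestamp> <job path>" line followed by "- <target>".
JOB_RE = re.compile(r'^"(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<job>.+\.job)"$')
TARGET_RE = re.compile(r'^- (?P<target>.+)$')

# Constructed sample in the report's format (the real section had 120 At*.job entries).
SAMPLE_TASKS = r'''
"2008-04-21 23:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\System32\4us0sr0K.exe
"2008-04-07 08:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\System32\4us0sr0K.exe
"2008-04-19 09:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\System32\4us0sr0K.exe
"2007-11-16 03:00:00 C:\WINDOWS\Tasks\At100.job"
- C:\WINDOWS\System32\q6M1J6mE.exe
"2008-04-22 18:10:16 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
'''


def parse_tasks(text):
    """Return (job_path, target_path) pairs from the Scheduled Tasks section."""
    tasks, pending_job = [], None
    for line in text.splitlines():
        line = line.strip()
        job = JOB_RE.match(line)
        if job:
            pending_job = job.group('job')
            continue
        target = TARGET_RE.match(line)
        if target and pending_job:
            tasks.append((pending_job, target.group('target')))
            pending_job = None
    return tasks


def looks_random(filename):
    """Heuristic (an assumption for this example): an 8-character alphanumeric
    stem mixing letters and digits, like 4us0sr0K or q6M1J6mE."""
    stem = filename.rsplit('.', 1)[0]
    return (len(stem) == 8 and stem.isalnum()
            and any(c.isdigit() for c in stem)
            and any(c.isalpha() for c in stem))


def triage(text, at_job_threshold=3):
    """Map each suspicious target executable to the reasons it was flagged."""
    by_target = defaultdict(list)
    for job, target in parse_tasks(text):
        by_target[target].append(job)

    findings = {}
    for target, jobs in by_target.items():
        reasons = []
        folder, _, name = target.rpartition('\\')
        if folder.lower().endswith('\\system32') and looks_random(name):
            reasons.append('random-looking name under System32')
        # At<N>.job files are created by the at.exe scheduler; a single target
        # launched by many of them is the hourly persistence seen in the log.
        at_jobs = [j for j in jobs if re.search(r'\\At\d+\.job$', j)]
        if len(at_jobs) >= at_job_threshold:
            reasons.append(f'launched by {len(at_jobs)} At*.job tasks')
        if reasons:
            findings[target] = reasons
    return findings


if __name__ == '__main__':
    for target, reasons in triage(SAMPLE_TASKS).items():
        print(f'{target}: {"; ".join(reasons)}')
```

Run against the full section pasted above, the grouping step alone reduces 120 task entries to five targets, which is the view a helper needs before deciding what to remove; the vendor task (Symantec NetDetect) is left alone because its target has a meaningful name outside System32 and is referenced by only one job.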

Re: trojan horse downloader.obfuskated

Unread postby chryssi2001 » April 22nd, 2008, 3:23 pm

Hello iut044,

At the end of the ComboFix report I see this:

416

Is there anything else next or after it?

Last line of Combofix report should be something like this:

2008-03-27 17:32:50 --- E O F ---

So please open the ComboFix report again and post the part after the part quoted here:
Completion time: 2008-04-22 19:45:03
ComboFix-quarantined-files.txt 2008-04-22 18:44:12

Pre-Run: 6,270,455,296 bytes free
Post-Run: 13,675,258,880 bytes free

416

------------------------------
You will need to Validate your copy of Windows XP here first: http://www.microsoft.com/resources/howtotell/ww/windows/default.mspx
Click on "Run the Windows Validation Assistant". Let me know the results.
------------------------------
It's late night here now.
I need some time to check your ComboFix report; meanwhile, post a new HijackThis log and the Validate Windows report.

I will be back some time tomorrow.
chryssi2001
MRU Teacher Emeritus
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: trojan horse downloader.obfuskated

Unread postby iut044 » April 22nd, 2008, 3:59 pm

The last thing in the report is 416. The copy of Windows is genuine, as it came with a computer from a major manufacturer.

Logfile of HijackThis v1.99.1
Scan saved at 20:39:06, on 22/04/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\All Users\Application Data\jspknkli\lqlefsts.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\PromptCast\PromptCast.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\lxcrcoms.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\HijackThis\hj.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://www.football365.com;http://www.m ... ;localhost
O2 - BHO: (no name) - P@þ - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - €@þ - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - HKCU\..\Run: [DownloadSoftware] rundll32.exe C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:DownloadSoftware:t
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [PromptCast] C:\Program Files\PromptCast\PromptCast.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: -> TimelyWeb - C:\PROGRA~1\EldoS\TIMELY~1\IEPopupExtension.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {76DD9E77-F06C-4471-AB6C-CF03C5C6B5B0} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/c ... blt1_x.cab
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/rap ... loader.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/c ... /jt0_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/ ... 1/chat.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/c ... /ct2_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/c ... grt5_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/c ... pote_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/c ... ywt0_x.cab
O16 - DPF: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33} (A18X Control) - http://www.albatross18.com/cabs/A18X.ocx
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12119/CTSUEng.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {1F996EAE-3D97-4862-AA0E-27F257C089DE} (blueyonder Game Launcher Control) - http://www.bygames.com/activex/launcher.ocx
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/retro64_loader.dll
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden ... Loader.dll
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/com ... MediaX.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/ ... acscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... urrent.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricoch ... Loader.cab
O16 - DPF: {4E7BD74F-2B8D-469E-89B3-BE29F5D3E32D} (MINICLIPTOOLBAR) - http://www.miniclip.com/toolbar/minicliptoolbar.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.shockwave.com/content/dinerd ... 0.0.67.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3355862896
O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} - http://www.gigex.com/tv/igor/gigexagent.dll
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/softwar ... launch.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {77DD44BF-551D-4E3C-82CD-D637D5018D3C} - http://www.surveys.com/promptcast/Insta ... 0SETUP.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplat ... -devel.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} - http://acceso.masminutos.com/laaplicacion.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://www.shockwave.com/content/burger ... yer_v4.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v ... b34246.cab
O16 - DPF: {BAE1D8DF-0B35-47E3-A1E7-EEB3FF2ECD19} (CPlayFirstddfotgControl Object) - http://www.shockwave.com/content/dinerd ... 0.0.33.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://www.arcadetown.com/swf/delicious ... player.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.telewest.co.uk/motive/files/ ... reQual.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/w ... uncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playgames.virginmedia.com/online ... der_v5.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E522120B-0CF2-4C26-A8EA-50A7591F10F1} (blueyonder Game Launcher Control) - http://gaming.blueyonder.co.uk/activex/launcher.ocx
O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - http://www.shockwave.com/content/weddin ... 0.0.47.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by15fd.bay15.hotmail.msn.com/act ... Atchmt.ocx
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/ocx/12119/CTPID.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v51/h2 ... 2hpool.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: lxcr_device - - C:\WINDOWS\System32\lxcrcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Last edited by iut044 on April 22nd, 2008, 4:45 pm, edited 1 time in total.
iut044
Active Member
 
Posts: 12
Joined: April 19th, 2008, 10:46 am

Re: trojan horse downloader.obfuskated

Unread postby iut044 » April 22nd, 2008, 3:59 pm

Double post
iut044
Active Member
 
Posts: 12
Joined: April 19th, 2008, 10:46 am

Re: trojan horse downloader.obfuskated

Unread postby chryssi2001 » April 23rd, 2008, 3:57 am

Hello iut044,

There is too much infection on your pc.

It seems that the infection might have been downloaded while you were using your P2P program. Did you change any settings of the P2P programs you use?
I can see Azureus in your reports, so please uninstall Azureus and any other P2P program you have installed. They might be spreading the infection.

I now need some information from you regarding some files:
They look like they were downloaded while a P2P program was in use.
If you didn't download them on purpose, they were installed by the infection.

Did you download these yourself, and do you know what they are?
C:\itv.GIF
C:\GoMagazineIssue02.pdf

What about these files?
C:\the[1].riches.205.dsr-0tv.avi.torrent
C:\battlestar[1].galactica.402.hdtv-lol.avi.torrent
C:\the[1].riches.s02e04.dsr.xvid-0tv.avi.torrent
C:\Medium[1].S04E11.HDTV.XviD-0TV.avi.torrent
C:\Profit_DVD-Rip.torrent
C:\Cold[1].Case.S05E15.HDTV.XviD-HDQ.[VTV].avi.torrent
C:\battlestar[1].galactica.401.hdtv-lol.avi.torrent
C:\my[1].name.is.earl.314.315.hdtv-lol.avi.torrent
C:\the[1].riches.2x03.field.of.dreams.avi.torrent
C:\medium[1].410.hdtv-lol.avi.torrent
C:\cold[1].case.s05e14.Andy_in_C_Minor.hdtv.xvid-2hd.avi.torrent
C:\reaper[1].s01e13.hdtv.xvid-notv.avi.torrent
C:\smallville[1].s07e15.proper.hdtv.xvid-notv.avi.torrent
C:\Oz.COMPLETE.DVDRip.3535630.TPB.torrent
C:\Stargate.The.Ark.Of.Truth.2008.Proper.DVDRIP.XVID-iGNiTE.4068808.TPB.torrent
C:\The[1].Riches.S02E02.DSR.XviD-0TV.avi.torrent
C:\jericho[1].207.hdtv-lol.avi.torrent
C:\Oz[1].S04.DVDRip [mininova].torrent
C:\medium[1].409.hdtv-lol.avi.torrent
C:\The[1].Simpsons.S19E07.PDTV.XviD-LOL.avi.torrent

--------------------------------------------
  • Please download this tool from Microsoft.
  • Double click on MGADiag.exe to run it.
  • Click Continue.
  • The program will run. It takes a while to finish the diagnosis, please be patient.
  • Once done, click on Copy.
  • Open Notepad and paste the contents in. Save this file and post it in your next reply.
--------------------------------------------
I need you to post back the following, so we can continue and clean your pc:

Information about the files
MGADiag report.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away

Re: trojan horse downloader.obfuskated

Unread postby iut044 » April 23rd, 2008, 5:58 am

All the files I have downloaded, and I know what they are.
Diagnostic Report (1.7.0095.0):
-----------------------------------------
WGA Data-->
Validation Status: Validation Control not Installed
Validation Code: 0
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-PT9WH-FFMHF-DYTBY
Windows Product Key Hash: FC/bB+/Jh247d0IV4XrOH+roYB8=
Windows Product ID: 55277-OEM-2140626-61128
Windows Product ID Type: 3
Windows License Type: OEM System Builder
Windows OS version: 5.1.2600.2.00010300.1.0.hom
CSVLK Server: N/A
CSVLK PID: N/A
ID: {92C31B02-B2DC-4581-B3E1-5B9FA986A990}(1)
Is Admin: Yes
TestCab: 0x0
WGA Version: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-171-1_BB5C1257-90-80070002
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
WGATray.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-171-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\IEXPLORE.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{92C31B02-B2DC-4581-B3E1-5B9FA986A990}</UGUID><Version>1.7.0095.0</Version><OS>5.1.2600.2.00010300.1.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-DYTBY</PKey><PID>55277-OEM-2140626-61128</PID><PIDType>3</PIDType><SID>S-1-5-21-1085806099-2501954535-3646181656</SID><SYSTEM><Manufacturer>System Manufacturer</Manufacturer><Model>System Name</Model></SYSTEM><BIOS><Manufacturer>Award Software, Inc.</Manufacturer><Version>ASUS A7V333 ACPI BIOS Revision 1006</Version><SMBIOSVersion major="2" minor="3"/><Date>20020417******.******+***</Date></BIOS><HWID>0733308F01842E59</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>MESH Computers PLC</name><model>MESH</model></SBID><OEM/><BRT/></MachineData> <Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>
iut044
Active Member
 
Posts: 12
Joined: April 19th, 2008, 10:46 am

Re: trojan horse downloader.obfuskated

Unread postby chryssi2001 » April 23rd, 2008, 12:58 pm

Hello iut044,

Did you remove Azureus and any other P2P programs you use?
I will have to remove all those files with the extension avi.torrent.

Have some read here about P2P programs.
----------------------------------------------
P2P PROGRAMS

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

AZUREUS
and any other similar P2P program.


I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Also available here.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

If you wish to install them again you can do so after we clean your pc.
----------------------------------------------
FIX HIJACKTHIS ENTRIES

Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines(if still present).

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://www.football365.com;http://www.m ... ;localhost
O2 - BHO: (no name) - P@? - (no file)
O2 - BHO: (no name) - €@? - (no file)
O9 - Extra button: (no name) - {76DD9E77-F06C-4471-AB6C-CF03C5C6B5B0} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net << If the URL is not the provider of your computer or your ISP, have HijackThis fix it.
FIX ALL 016 LINES


Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.
----------------------------------------------
COMBOFIX-Script
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    KILLALL::
    
    File::
    C:\WINDOWS\system32\jkfyvqbk.exe
    C:\WINDOWS\system32\huncpero.exe
    C:\WINDOWS\system32\vavidolm.exe
    C:\WINDOWS\system32\rqvqjyzq.exe
    C:\WINDOWS\system32\rwhmbulq.exe
    C:\WINDOWS\system32\jenixqxa.exe
    C:\WINDOWS\Internet Logs\tvDebug.zip
    C:\the[1].riches.205.dsr-0tv.avi.torrent
    C:\battlestar[1].galactica.402.hdtv-lol.avi.torrent
    C:\the[1].riches.s02e04.dsr.xvid-0tv.avi.torrent
    C:\Medium[1].S04E11.HDTV.XviD-0TV.avi.torrent
    C:\Profit_DVD-Rip.torrent
    C:\Cold[1].Case.S05E15.HDTV.XviD-HDQ.[VTV].avi.torrent
    C:\battlestar[1].galactica.401.hdtv-lol.avi.torrent
    C:\my[1].name.is.earl.314.315.hdtv-lol.avi.torrent
    C:\the[1].riches.2x03.field.of.dreams.avi.torrent
    C:\medium[1].410.hdtv-lol.avi.torrent
    C:\cold[1].case.s05e14.Andy_in_C_Minor.hdtv.xvid-2hd.avi.torrent
    C:\reaper[1].s01e13.hdtv.xvid-notv.avi.torrent
    C:\smallville[1].s07e15.proper.hdtv.xvid-notv.avi.torrent
    C:\Oz.COMPLETE.DVDRip.3535630.TPB.torrent
    C:\Stargate.The.Ark.Of.Truth.2008.Proper.DVDRIP.XVID-iGNiTE.4068808.TPB.torrent
    C:\The[1].Riches.S02E02.DSR.XviD-0TV.avi.torrent
    C:\jericho[1].207.hdtv-lol.avi.torrent
    C:\Oz[1].S04.DVDRip [mininova].torrent
    C:\medium[1].409.hdtv-lol.avi.torrent
    C:\The[1].Simpsons.S19E07.PDTV.XviD-LOL.avi.torrent
    C:\WINDOWS\System32\MSA64CHK.dll
    C:\WINDOWS\System32\tcpdiss.exe
    C:\WINDOWS\Tasks\At1.job
    C:\WINDOWS\Tasks\At10.job
    C:\WINDOWS\Tasks\At100.job
    C:\WINDOWS\Tasks\At101.job
    C:\WINDOWS\Tasks\At102.job
    C:\WINDOWS\Tasks\At103.job
    C:\WINDOWS\Tasks\At104.job
    C:\WINDOWS\Tasks\At105.job
    C:\WINDOWS\Tasks\At106.job
    C:\WINDOWS\Tasks\At107.job
    C:\WINDOWS\Tasks\At108.job
    C:\WINDOWS\Tasks\At109.job
    C:\WINDOWS\Tasks\At11.job
    C:\WINDOWS\Tasks\At110.job
    C:\WINDOWS\Tasks\At111.job
    C:\WINDOWS\Tasks\At112.job
    C:\WINDOWS\Tasks\At113.job
    C:\WINDOWS\Tasks\At114.job
    C:\WINDOWS\Tasks\At115.job
    C:\WINDOWS\Tasks\At116.job
    C:\WINDOWS\Tasks\At117.job
    C:\WINDOWS\Tasks\At118.job
    C:\WINDOWS\Tasks\At119.job
    C:\WINDOWS\Tasks\At12.job
    C:\WINDOWS\Tasks\At120.job
    C:\WINDOWS\Tasks\At13.job
    C:\WINDOWS\Tasks\At14.job
    C:\WINDOWS\Tasks\At15.job
    C:\WINDOWS\Tasks\At16.job
    C:\WINDOWS\Tasks\At17.job
    C:\WINDOWS\Tasks\At18.job
    C:\WINDOWS\Tasks\At19.job
    C:\WINDOWS\Tasks\At2.job
    C:\WINDOWS\Tasks\At20.job
    C:\WINDOWS\Tasks\At21.job
    C:\WINDOWS\Tasks\At22.job
    C:\WINDOWS\Tasks\At23.job
    C:\WINDOWS\Tasks\At24.job
    C:\WINDOWS\Tasks\At25.job
    C:\WINDOWS\Tasks\At26.job
    C:\WINDOWS\Tasks\At27.job
    C:\WINDOWS\Tasks\At28.job
    C:\WINDOWS\Tasks\At29.job
    C:\WINDOWS\Tasks\At3.job
    C:\WINDOWS\Tasks\At30.job
    C:\WINDOWS\Tasks\At31.job
    C:\WINDOWS\Tasks\At32.job
    C:\WINDOWS\Tasks\At33.job
    C:\WINDOWS\Tasks\At34.job
    C:\WINDOWS\Tasks\At35.job
    C:\WINDOWS\Tasks\At36.job
    C:\WINDOWS\Tasks\At37.job
    C:\WINDOWS\Tasks\At38.job
    C:\WINDOWS\Tasks\At39.job
    C:\WINDOWS\Tasks\At4.job
    C:\WINDOWS\Tasks\At40.job
    C:\WINDOWS\Tasks\At41.job
    C:\WINDOWS\Tasks\At42.job
    C:\WINDOWS\Tasks\At43.job
    C:\WINDOWS\Tasks\At44.job
    C:\WINDOWS\Tasks\At45.job
    C:\WINDOWS\Tasks\At46.job
    C:\WINDOWS\Tasks\At47.job
    C:\WINDOWS\Tasks\At48.job
    C:\WINDOWS\Tasks\At49.job
    C:\WINDOWS\Tasks\At5.job
    C:\WINDOWS\Tasks\At50.job
    C:\WINDOWS\Tasks\At51.job
    C:\WINDOWS\Tasks\At52.job
    C:\WINDOWS\Tasks\At53.job
    C:\WINDOWS\Tasks\At54.job
    C:\WINDOWS\Tasks\At55.job
    C:\WINDOWS\Tasks\At56.job
    C:\WINDOWS\Tasks\At57.job
    C:\WINDOWS\Tasks\At58.job
    C:\WINDOWS\Tasks\At59.job
    C:\WINDOWS\Tasks\At6.job
    C:\WINDOWS\Tasks\At60.job
    C:\WINDOWS\Tasks\At61.job
    C:\WINDOWS\Tasks\At62.job
    C:\WINDOWS\Tasks\At63.job
    C:\WINDOWS\Tasks\At64.job
    C:\WINDOWS\Tasks\At65.job
    C:\WINDOWS\Tasks\At66.job
    C:\WINDOWS\Tasks\At67.job
    C:\WINDOWS\Tasks\At68.job
    C:\WINDOWS\Tasks\At69.job
    C:\WINDOWS\Tasks\At7.job
    C:\WINDOWS\Tasks\At70.job
    C:\WINDOWS\Tasks\At71.job
    C:\WINDOWS\Tasks\At72.job
    C:\WINDOWS\Tasks\At73.job
    C:\WINDOWS\Tasks\At74.job
    C:\WINDOWS\Tasks\At75.job
    C:\WINDOWS\Tasks\At76.job
    C:\WINDOWS\Tasks\At77.job
    C:\WINDOWS\Tasks\At78.job
    C:\WINDOWS\Tasks\At79.job
    C:\WINDOWS\Tasks\At8.job
    C:\WINDOWS\Tasks\At80.job
    C:\WINDOWS\Tasks\At81.job
    C:\WINDOWS\Tasks\At82.job
    C:\WINDOWS\Tasks\At83.job
    C:\WINDOWS\Tasks\At84.job
    C:\WINDOWS\Tasks\At85.job
    C:\WINDOWS\Tasks\At86.job
    C:\WINDOWS\Tasks\At87.job
    C:\WINDOWS\Tasks\At88.job
    C:\WINDOWS\Tasks\At89.job
    C:\WINDOWS\Tasks\At9.job
    C:\WINDOWS\Tasks\At90.job
    C:\WINDOWS\Tasks\At91.job
    C:\WINDOWS\Tasks\At92.job
    C:\WINDOWS\Tasks\At93.job
    C:\WINDOWS\Tasks\At94.job
    C:\WINDOWS\Tasks\At95.job
    C:\WINDOWS\Tasks\At96.job
    C:\WINDOWS\Tasks\At97.job
    C:\WINDOWS\Tasks\At98.job
    C:\WINDOWS\Tasks\At99.job
    
    Folder::
    C:\Documents and Settings\All Users\Application Data\jspknkli
    C:\Program Files\Azureus
    C:\Program Files\Common Files\{68BE643F-06C4-2057-0417-02051520002c}
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DownloadSoftware"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{43564368-4375-8601-4371-458454791235}]
    
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------------------------------------------
Post back:
Combofix report.
A new HijackThis log.
Tell me if the pc is running better.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away
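The markers chryssi2001 works from in this thread (a random eight-letter .exe running from All Users\Application Data, a rundll32 Run value whose export name is not a plain identifier, BHO and button entries with no backing file, Internet Explorer proxied through localhost:8080, and the whole set of O16 downloaded ActiveX controls) can be pulled out of a HijackThis log mechanically, and the process and Run-value hits can be turned into the File:: and Registry:: sections of a CFScript like the one above. The script below is an added example written for this page, not a MalwareRemoval.com, HijackThis or ComboFix tool; its line-format regexes, the heuristics it applies and the sample log (lines copied from the HijackThis log posted earlier in the thread) are assumptions made here. R1, O2, O9 and O16 hits are reported but left to HijackThis's Fix Checked, as the post does.

```python
"""Triage a HijackThis v1.99 log for the markers discussed in this thread and
build a ComboFix CFScript from the file/Run-value hits.  Added example; the
regexes, heuristics and sample log are assumptions, not tooling from the page."""
import re
from collections import defaultdict

# "O4 - HKCU\..\Run: [Name] command"  ->  (section, body)
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
RUN_RE = re.compile(r"^(HK[A-Z]+)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
# rundll32 <dll>,<export>; a clean export is a bare identifier (NvStartup, _RunDLLEntry@16)
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(\S+\.dll),(.*)$", re.IGNORECASE)
# eight random lowercase letters, the shape of lqlefsts.exe / jkfyvqbk.exe in this thread
RANDOM_EXE_RE = re.compile(r"\\[a-z]{8}\.exe$")
LOCAL_PROXY_RE = re.compile(r"=\s*(localhost|127\.0\.0\.1):\d+")
RUN_KEYS = {  # HijackThis hive abbreviation -> full key for the CFScript Registry:: section
    "HKLM": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
}


def parse_hjt(text):
    """Return (running process paths, [(section, body), ...])."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # blank line closes the process block
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries


def triage(text):
    """Return [(reason, log line)] for everything matching the thread's markers."""
    processes, entries = parse_hjt(text)
    hits = []
    for p in processes:
        if "Application Data" in p and RANDOM_EXE_RE.search(p):
            hits.append(("random-name exe running from Application Data", p))
    for sec, body in entries:
        line = f"{sec} - {body}"
        if sec == "R1" and "ProxyServer" in body and LOCAL_PROXY_RE.search(body):
            hits.append(("IE traffic forced through a local proxy port", line))
        elif sec in ("O2", "O9") and body.endswith("(no file)"):
            hits.append(("orphaned BHO/button, backing file missing", line))
        elif sec == "O4":
            r = RUN_RE.match(body)
            d = RUNDLL_RE.search(r.group(3)) if r else None
            if d and re.search(r"[\s:]", d.group(2)):   # export name is not an identifier
                hits.append(("rundll32 Run value with a malformed export name", line))
        elif sec == "O16":
            hits.append(("downloaded ActiveX control (DPF); the thread fixes all O16", line))
    return hits


def cfscript(hits):
    """Build the CFScript File:: and Registry:: sections from triage hits.
    R1/O2/O9/O16 hits are left to HijackThis's Fix Checked, as in the post."""
    files, reg = [], defaultdict(list)
    for _reason, line in hits:
        m = ENTRY_RE.match(line)
        if not m:                      # a running-process path: delete the file
            files.append(line)
            continue
        sec, body = m.groups()
        r = RUN_RE.match(body) if sec == "O4" else None
        if not r:
            continue
        hive, name, cmd = r.groups()
        key = RUN_KEYS.get(hive)
        if key:
            reg[key].append(f'"{name}"=-')        # "=-" deletes the value
        d = RUNDLL_RE.search(cmd)
        if d:
            files.append(d.group(1))              # and the DLL rundll32 was loading
    out = ["KILLALL::", "", "File::", *files, "", "Registry::"]
    for key, values in reg.items():
        out.append(f"[{key}]")
        out.extend(values)
    return "\n".join(out) + "\n"


# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Documents and Settings\All Users\Application Data\jspknkli\lqlefsts.exe
C:\Program Files\QuickTime\qttask.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
O2 - BHO: (no name) - P@þ - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [DownloadSoftware] rundll32.exe C:\WINDOWS\System32\MSA64CHK.dll,DllMostrar Matrix_HTML:DownloadSoftware:t
O9 - Extra button: (no name) - {76DD9E77-F06C-4471-AB6C-CF03C5C6B5B0} - (no file)
O16 - DPF: {4E7BD74F-2B8D-469E-89B3-BE29F5D3E32D} (MINICLIPTOOLBAR) - http://www.miniclip.com/toolbar/minicliptoolbar.cab
"""

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
    print(cfscript(triage(SAMPLE_LOG)))
```

On the sample, triage flags six lines (the lqlefsts.exe process, the localhost proxy, the two orphaned "(no file)" entries, the DownloadSoftware Run value and the O16 control) and leaves the vendor rundll32 entries alone; the generated CFScript deletes lqlefsts.exe and MSA64CHK.dll and removes the DownloadSoftware value from the HKCU Run key, which is the same shape as the Registry:: block chryssi2001 posted.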

Re: trojan horse downloader.obfuskated

Unread postby iut044 » April 24th, 2008, 6:59 am

I have removed Azureus and DC++ and the computer seems better. On another computer running Vista, two AVG scans in a row have marked files as changed; does that mean that I might have a problem?
Also, is it worth upgrading from AVG 7.5 to 8.0, and should I do a virus scan?
ComboFix 08-04-20.5 - paul 2008-04-24 11:21:46.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.178 [GMT 1:00]
Running from: C:\Documents and Settings\paul\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\paul\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\battlestar[1].galactica.401.hdtv-lol.avi.torrent
C:\battlestar[1].galactica.402.hdtv-lol.avi.torrent
C:\cold[1].case.s05e14.Andy_in_C_Minor.hdtv.xvid-2hd.avi.torrent
C:\Cold[1].Case.S05E15.HDTV.XviD-HDQ.[VTV].avi.torrent
C:\jericho[1].207.hdtv-lol.avi.torrent
C:\medium[1].409.hdtv-lol.avi.torrent
C:\medium[1].410.hdtv-lol.avi.torrent
C:\Medium[1].S04E11.HDTV.XviD-0TV.avi.torrent
C:\my[1].name.is.earl.314.315.hdtv-lol.avi.torrent
C:\Oz.COMPLETE.DVDRip.3535630.TPB.torrent
C:\Oz[1].S04.DVDRip [mininova].torrent
C:\Profit_DVD-Rip.torrent
C:\reaper[1].s01e13.hdtv.xvid-notv.avi.torrent
C:\smallville[1].s07e15.proper.hdtv.xvid-notv.avi.torrent
C:\Stargate.The.Ark.Of.Truth.2008.Proper.DVDRIP.XVID-iGNiTE.4068808.TPB.torrent
C:\the[1].riches.205.dsr-0tv.avi.torrent
C:\the[1].riches.2x03.field.of.dreams.avi.torrent
C:\The[1].Riches.S02E02.DSR.XviD-0TV.avi.torrent
C:\the[1].riches.s02e04.dsr.xvid-0tv.avi.torrent
C:\The[1].Simpsons.S19E07.PDTV.XviD-LOL.avi.torrent
C:\WINDOWS\Internet Logs\tvDebug.zip
C:\WINDOWS\system32\huncpero.exe
C:\WINDOWS\system32\jenixqxa.exe
C:\WINDOWS\system32\jkfyvqbk.exe
C:\WINDOWS\System32\MSA64CHK.dll
C:\WINDOWS\system32\rqvqjyzq.exe
C:\WINDOWS\system32\rwhmbulq.exe
C:\WINDOWS\System32\tcpdiss.exe
C:\WINDOWS\system32\vavidolm.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At100.job
C:\WINDOWS\Tasks\At101.job
C:\WINDOWS\Tasks\At102.job
C:\WINDOWS\Tasks\At103.job
C:\WINDOWS\Tasks\At104.job
C:\WINDOWS\Tasks\At105.job
C:\WINDOWS\Tasks\At106.job
C:\WINDOWS\Tasks\At107.job
C:\WINDOWS\Tasks\At108.job
C:\WINDOWS\Tasks\At109.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At110.job
C:\WINDOWS\Tasks\At111.job
C:\WINDOWS\Tasks\At112.job
C:\WINDOWS\Tasks\At113.job
C:\WINDOWS\Tasks\At114.job
C:\WINDOWS\Tasks\At115.job
C:\WINDOWS\Tasks\At116.job
C:\WINDOWS\Tasks\At117.job
C:\WINDOWS\Tasks\At118.job
C:\WINDOWS\Tasks\At119.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At120.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At49.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At50.job
C:\WINDOWS\Tasks\At51.job
C:\WINDOWS\Tasks\At52.job
C:\WINDOWS\Tasks\At53.job
C:\WINDOWS\Tasks\At54.job
C:\WINDOWS\Tasks\At55.job
C:\WINDOWS\Tasks\At56.job
C:\WINDOWS\Tasks\At57.job
C:\WINDOWS\Tasks\At58.job
C:\WINDOWS\Tasks\At59.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At60.job
C:\WINDOWS\Tasks\At61.job
C:\WINDOWS\Tasks\At62.job
C:\WINDOWS\Tasks\At63.job
C:\WINDOWS\Tasks\At64.job
C:\WINDOWS\Tasks\At65.job
C:\WINDOWS\Tasks\At66.job
C:\WINDOWS\Tasks\At67.job
C:\WINDOWS\Tasks\At68.job
C:\WINDOWS\Tasks\At69.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At70.job
C:\WINDOWS\Tasks\At71.job
C:\WINDOWS\Tasks\At72.job
C:\WINDOWS\Tasks\At73.job
C:\WINDOWS\Tasks\At74.job
C:\WINDOWS\Tasks\At75.job
C:\WINDOWS\Tasks\At76.job
C:\WINDOWS\Tasks\At77.job
C:\WINDOWS\Tasks\At78.job
C:\WINDOWS\Tasks\At79.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At80.job
C:\WINDOWS\Tasks\At81.job
C:\WINDOWS\Tasks\At82.job
C:\WINDOWS\Tasks\At83.job
C:\WINDOWS\Tasks\At84.job
C:\WINDOWS\Tasks\At85.job
C:\WINDOWS\Tasks\At86.job
C:\WINDOWS\Tasks\At87.job
C:\WINDOWS\Tasks\At88.job
C:\WINDOWS\Tasks\At89.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\Tasks\At90.job
C:\WINDOWS\Tasks\At91.job
C:\WINDOWS\Tasks\At92.job
C:\WINDOWS\Tasks\At93.job
C:\WINDOWS\Tasks\At94.job
C:\WINDOWS\Tasks\At95.job
C:\WINDOWS\Tasks\At96.job
C:\WINDOWS\Tasks\At97.job
C:\WINDOWS\Tasks\At98.job
C:\WINDOWS\Tasks\At99.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\battlestar[1].galactica.401.hdtv-lol.avi.torrent
C:\battlestar[1].galactica.402.hdtv-lol.avi.torrent
C:\cold[1].case.s05e14.Andy_in_C_Minor.hdtv.xvid-2hd.avi.torrent
C:\Cold[1].Case.S05E15.HDTV.XviD-HDQ.[VTV].avi.torrent
C:\Documents and Settings\All Users\Application Data\jspknkli
C:\Documents and Settings\All Users\Application Data\jspknkli\lqlefsts.exe
C:\jericho[1].207.hdtv-lol.avi.torrent
C:\medium[1].409.hdtv-lol.avi.torrent
C:\medium[1].410.hdtv-lol.avi.torrent
C:\Medium[1].S04E11.HDTV.XviD-0TV.avi.torrent
C:\my[1].name.is.earl.314.315.hdtv-lol.avi.torrent
C:\Oz.COMPLETE.DVDRip.3535630.TPB.torrent
C:\Oz[1].S04.DVDRip [mininova].torrent
C:\Profit_DVD-Rip.torrent
C:\Program Files\Azureus
C:\Program Files\Azureus\az_error.log
C:\Program Files\Azureus\az_output.log
C:\Program Files\Azureus\AzureusUpdater.exe
C:\Program Files\Azureus\msvcr71.dll
C:\Program Files\Azureus\plugins\azplugins\azplugins_1.8.6.jar
C:\Program Files\Azureus\plugins\azplugins\azplugins_1.8.8.jar
C:\Program Files\Azureus\plugins\azplugins\azplugins_2.0.jar
C:\Program Files\Azureus\plugins\azplugins\azplugins_2.1.1.jar
C:\Program Files\Azureus\plugins\azplugins\azplugins_2.1.4.jar
C:\Program Files\Azureus\plugins\azupdater\azupdater_1.8.3.zip
C:\Program Files\Azureus\plugins\azupdater\azupdater_1.8.5.zip
C:\Program Files\Azureus\plugins\azupdater\azupdater_1.8.8.zip
C:\Program Files\Azureus\plugins\azupdater\azupdaterpatcher_1.8.2.jar
C:\Program Files\Azureus\plugins\azupdater\azupdaterpatcher_1.8.3.jar
C:\Program Files\Azureus\plugins\azupdater\azupdaterpatcher_1.8.5.jar
C:\Program Files\Azureus\plugins\azupdater\azupdaterpatcher_1.8.8.jar
C:\Program Files\Azureus\plugins\azupdater\Azureus2_2.3.0.6_P2.pax
C:\Program Files\Azureus\plugins\azupdater\plugin.properties
C:\Program Files\Azureus\plugins\azupdater\plugin.properties_1.8.3
C:\Program Files\Azureus\plugins\azupdater\plugin.properties_1.8.5
C:\Program Files\Azureus\plugins\azupdater\plugin.properties_1.8.8
C:\Program Files\Azureus\plugins\azupdater\Updater.jar
C:\Program Files\Azureus\plugins\azupdater\Updater.jar.bak
C:\Program Files\Azureus\plugins\rating\azrating_1.3.1.jar
C:\Program Files\Azureus\plugins\rating\azrating_1.3.jar
C:\Program Files\Azureus\plugins\rating\rating_1.2.jar
C:\Program Files\Azureus\swt-awt-win32-3232.dll
C:\Program Files\Azureus\swt-awt-win32-3318.dll
C:\Program Files\Azureus\swt-gdip-win32-3232.dll
C:\Program Files\Azureus\swt-gdip-win32-3318.dll
C:\Program Files\Azureus\swt-wgl-win32-3232.dll
C:\Program Files\Azureus\swt-wgl-win32-3318.dll
C:\Program Files\Azureus\swt-win32-3232.dll
C:\Program Files\Azureus\swt-win32-3318.dll
C:\Program Files\Azureus\Uninstall.exe
C:\reaper[1].s01e13.hdtv.xvid-notv.avi.torrent
C:\smallville[1].s07e15.proper.hdtv.xvid-notv.avi.torrent
C:\Stargate.The.Ark.Of.Truth.2008.Proper.DVDRIP.XVID-iGNiTE.4068808.TPB.torrent
C:\the[1].riches.205.dsr-0tv.avi.torrent
C:\the[1].riches.2x03.field.of.dreams.avi.torrent
C:\The[1].Riches.S02E02.DSR.XviD-0TV.avi.torrent
C:\the[1].riches.s02e04.dsr.xvid-0tv.avi.torrent
C:\The[1].Simpsons.S19E07.PDTV.XviD-LOL.avi.torrent
C:\WINDOWS\Internet Logs\tvDebug.zip
C:\WINDOWS\system32\huncpero.exe
C:\WINDOWS\system32\jenixqxa.exe
C:\WINDOWS\system32\jkfyvqbk.exe
C:\WINDOWS\system32\rqvqjyzq.exe
C:\WINDOWS\system32\rwhmbulq.exe
C:\WINDOWS\system32\vavidolm.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At100.job
C:\WINDOWS\Tasks\At101.job
C:\WINDOWS\Tasks\At102.job
C:\WINDOWS\Tasks\At103.job
C:\WINDOWS\Tasks\At104.job
C:\WINDOWS\Tasks\At105.job
C:\WINDOWS\Tasks\At106.job
C:\WINDOWS\Tasks\At107.job
C:\WINDOWS\Tasks\At108.job
C:\WINDOWS\Tasks\At109.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At110.job
C:\WINDOWS\Tasks\At111.job
C:\WINDOWS\Tasks\At112.job
C:\WINDOWS\Tasks\At113.job
C:\WINDOWS\Tasks\At114.job
C:\WINDOWS\Tasks\At115.job
C:\WINDOWS\Tasks\At116.job
C:\WINDOWS\Tasks\At117.job
C:\WINDOWS\Tasks\At118.job
C:\WINDOWS\Tasks\At119.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At120.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At49.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At50.job
C:\WINDOWS\Tasks\At51.job
C:\WINDOWS\Tasks\At52.job
C:\WINDOWS\Tasks\At53.job
C:\WINDOWS\Tasks\At54.job
C:\WINDOWS\Tasks\At55.job
C:\WINDOWS\Tasks\At56.job
C:\WINDOWS\Tasks\At57.job
C:\WINDOWS\Tasks\At58.job
C:\WINDOWS\Tasks\At59.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At60.job
C:\WINDOWS\Tasks\At61.job
C:\WINDOWS\Tasks\At62.job
C:\WINDOWS\Tasks\At63.job
C:\WINDOWS\Tasks\At64.job
C:\WINDOWS\Tasks\At65.job
C:\WINDOWS\Tasks\At66.job
C:\WINDOWS\Tasks\At67.job
C:\WINDOWS\Tasks\At68.job
C:\WINDOWS\Tasks\At69.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At70.job
C:\WINDOWS\Tasks\At71.job
C:\WINDOWS\Tasks\At72.job
C:\WINDOWS\Tasks\At73.job
C:\WINDOWS\Tasks\At74.job
C:\WINDOWS\Tasks\At75.job
C:\WINDOWS\Tasks\At76.job
C:\WINDOWS\Tasks\At77.job
C:\WINDOWS\Tasks\At78.job
C:\WINDOWS\Tasks\At79.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At80.job
C:\WINDOWS\Tasks\At81.job
C:\WINDOWS\Tasks\At82.job
C:\WINDOWS\Tasks\At83.job
C:\WINDOWS\Tasks\At84.job
C:\WINDOWS\Tasks\At85.job
C:\WINDOWS\Tasks\At86.job
C:\WINDOWS\Tasks\At87.job
C:\WINDOWS\Tasks\At88.job
C:\WINDOWS\Tasks\At89.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\Tasks\At90.job
C:\WINDOWS\Tasks\At91.job
C:\WINDOWS\Tasks\At92.job
C:\WINDOWS\Tasks\At93.job
C:\WINDOWS\Tasks\At94.job
C:\WINDOWS\Tasks\At95.job
C:\WINDOWS\Tasks\At96.job
C:\WINDOWS\Tasks\At97.job
C:\WINDOWS\Tasks\At98.job
C:\WINDOWS\Tasks\At99.job

.
((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.

2008-04-24 10:37 . 2008-04-24 10:37 98,304 --a------ C:\WINDOWS\system32\ixkjgbkb.exe
2008-04-23 21:11 . 2008-04-23 21:11 98,304 --a------ C:\WINDOWS\system32\letgxado.exe
2008-04-23 10:54 . 2008-04-23 10:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-04-23 09:11 . 2008-04-23 09:11 122,880 --a------ C:\WINDOWS\system32\nmbylepc.exe
2008-04-22 22:07 . 2008-04-22 22:07 110,592 --a------ C:\WINDOWS\system32\votyzgda.exe
2008-04-22 14:46 . 2008-04-22 14:46 157,075 --a------ C:\itv.GIF
2008-04-17 12:33 . 2008-04-17 12:33 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-17 12:31 . 2008-04-17 12:31 5,840,544 --a------ C:\Firefox Setup 2.0.0.14.exe
2008-04-14 16:52 . 2008-04-14 16:52 7,947,736 --a------ C:\GoMagazineIssue02.pdf
2008-04-14 13:47 . 2008-04-23 22:33 <DIR> d-------- C:\Documents and Settings\paul\Application Data\SuperNZB
2008-04-14 13:46 . 2008-04-14 13:46 <DIR> d-------- C:\Program Files\SuperNZB
2008-04-14 13:45 . 2008-04-14 13:45 1,877,448 --a------ C:\SuperNZB-Setup.exe
2008-04-11 15:16 . 2008-04-11 15:16 <DIR> d-------- C:\Documents and Settings\paul\Application Data\Forte
2008-04-11 15:15 . 2008-04-11 15:16 <DIR> d-------- C:\Program Files\Agent
2008-04-11 15:14 . 2008-04-11 15:14 9,347,192 --a------ C:\agentenu420-1118.exe
2008-04-11 14:51 . 2008-04-11 14:51 <DIR> d-------- C:\xnews
2008-04-11 13:39 . 2008-04-11 13:40 713,503 --a------ C:\xnews.zip
2008-04-11 12:27 . 2008-04-11 12:50 <DIR> d-------- C:\Documents and Settings\paul\Application Data\GrabIt
2008-04-11 12:25 . 2008-04-11 12:25 1,728,307 --a------ C:\GrabIt171b.exe
2008-04-10 17:12 . 2008-04-10 17:12 310,119 --a------ C:\agentenu-spelleng400-100.exe
2008-04-10 17:01 . 2008-04-10 17:01 19,456 --a------ C:\alt.doc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-24 10:21 --------- d-----w C:\Program Files\PeerGuardian2
2008-04-24 10:17 --------- d-----w C:\Program Files\GetRight
2008-04-24 10:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Zylom
2008-04-24 10:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\GoBit Games
2008-04-23 18:35 --------- d-----w C:\Documents and Settings\paul\Application Data\Azureus
2008-04-21 09:36 --------- d-----w C:\Documents and Settings\paul\Application Data\AVG7
2008-04-20 10:27 --------- d-----w C:\Program Files\lx_cats
2008-04-15 09:41 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-06 10:20 --------- d-----w C:\Documents and Settings\paul\Application Data\FaxCtr
2008-03-16 12:45 --------- d-----w C:\Documents and Settings\paul\Application Data\MSN6
2008-02-28 17:44 --------- d-----w C:\Program Files\Unity
2008-02-28 17:43 3,242,080 ----a-w C:\UnityWebPlayer.exe
2008-02-12 17:53 2,817,536 ----a-w C:\ica32t.exe
2006-07-22 12:05 1,034,833 ----a-w C:\Program Files\winrar.exe
2006-07-22 12:03 1,034,833 ----a-w C:\Program Files\wrar36b8.exe
2005-01-16 12:57 20,798,256 ----a-w C:\Program Files\AdbeRdr70_enu_full.exe
2004-12-29 21:46 487,544 ----a-w C:\Program Files\yahoo messenger.exe
2002-04-16 11:27 5 --sha-w C:\WINDOWS\system32\CdI5T.drv
.

((((((((((((((((((((((((((((( snapshot@2008-04-22_19.43.20.39 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-22 09:03:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-24 10:28:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-22 18:10:00 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-24 10:10:00 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-04-22 18:10:00 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-04-24 10:10:00 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-03-30 09:19:17 40,896 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-23 08:12:32 40,896 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-30 09:19:17 313,562 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-23 08:12:32 313,562 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskTray"="C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe" [2001-06-29 09:00 163840]
"Taskbar"="C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe" [2001-09-20 09:00 122880]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" [2004-08-06 16:33 2502656]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2007-01-30 00:39 1432064]
"PromptCast"="C:\Program Files\PromptCast\PromptCast.exe" [2004-05-04 16:43 221184]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-10-30 12:01 392832]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-10-29 17:50 4620288]
"nwiz"="nwiz.exe" [2004-10-29 17:50 921600 C:\WINDOWS\system32\nwiz.exe]
"WinFast2KLoadDefault"="wf2kcpl.dll" [2002-05-16 10:53 628736 C:\WINDOWS\system32\WF2KCPL.dll]
"Pop-Up Stopper"="C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe" [2002-07-28 22:51 708608]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-10-29 17:50 86016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-07-10 13:20 77824]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 18:05 81920]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 10:41 579584]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-10-02 09:35 180269]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2005-08-29 19:09 980736]
"OPSE reminder"="C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" [ ]
"lxcrmon.exe"="C:\Program Files\Lexmark 2400 Series\lxcrmon.exe" [2006-01-22 18:45 286720]
"EzPrint"="C:\Program Files\Lexmark 2400 Series\ezprint.exe" [2006-02-07 06:10 98304]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2006-02-02 09:11 290816]
"LXCRCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2005-12-01 19:38 65536]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 04:10 49263]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 03:12 483328]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 11:41 13312]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 09:16 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2006-11-16 19:20:51 25214]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 05:44:06 29696]
GetRight - Tray Icon.lnk - C:\Program Files\GetRight\getright.exe [2002-07-31 22:05:02 2345984]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2003-12-13 15:28:04 630915]
Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe [2003-06-08 17:48:18 16432]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-03-22 02:00:00 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= L3codecp.acm
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm
"msacm.divxa32"= DivXa32.acm
"vidc.XVID"= xvid.dll

R2 ousbehci;%OWC_USBEHCD.DeviceDesc%;C:\WINDOWS\System32\Drivers\ousbehci.sys [2002-02-01 07:39]
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINDOWS\System32\DRIVERS\ousb2hub.sys [2002-02-01 07:39]
R3 WFsys;WinFox Control I/O Driver;C:\WINDOWS\System32\DRIVERS\wfsys.sys [2002-04-22 15:15]
S4 hpt3xx;hpt3xx;C:\WINDOWS\System32\DRIVERS\hpt3xx.sys [2001-08-17 21:52]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-24 10:10:16 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 11:29:22
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\PROGRA~1\PANICW~1\POP-UP~1\DPHOOK32.DLL
-> C:\WINDOWS\PANICNT.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-04-24 11:47:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-24 10:47:09
ComboFix2.txt 2008-04-22 18:45:05

Pre-Run: 14,951,938,048 bytes free
Post-Run: 14,910,896,128 bytes free

498

Logfile of HijackThis v1.99.1
Scan saved at 11:54:16, on 24/04/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\PromptCast\PromptCast.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\WINDOWS\System32\lxcrcoms.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\HijackThis\hj.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKCU\..\Run: [TaskTray] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTray.exe
O4 - HKCU\..\Run: [Taskbar] C:\Program Files\Creative\SBAudigy\Taskbar\CTLTask.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [PromptCast] C:\Program Files\PromptCast\PromptCast.exe
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: -> TimelyWeb - C:\PROGRA~1\EldoS\TIMELY~1\IEPopupExtension.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {76DD9E77-F06C-4471-AB6C-CF03C5C6B5B0} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: lxcr_device - - C:\WINDOWS\System32\lxcrcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
iut044
Active Member
 
Posts: 12
Joined: April 19th, 2008, 10:46 am