Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

1/06/09 HijackThis log

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

1/06/09 HijackThis log

Unread postby Barkin » January 6th, 2009, 8:22 pm

I noticed in netstat there's alot of connections to localhost:8080.
http://localhost:8080 just makes firefox pop up with a download. i never did anything with it

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:13:14 PM, on 1/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Eset\nod32krn.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\Program Files\SafeConnect\scManager.sys
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\CTHELPER.EXE
E:\WINDOWS\system32\CTXFIHLP.EXE
E:\WINDOWS\SYSTEM32\CTXFISPI.EXE
E:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
E:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Eset\nod32kui.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Logitech\SetPoint\SetPoint.exe
E:\Program Files\SafeConnect\scClient.exe
E:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
E:\Program Files\AIM\aim.exe
E:\Documents and Settings\Aqua\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
E:\Program Files\Winamp\winamp.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
F:\Downloads\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "E:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "E:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] E:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nod32kui] "E:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [Vidalia] "E:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Utopia Angel] "E:\utop\Angel.exe"
O4 - HKCU\..\Run: [Google Update] "E:\Documents and Settings\Aqua\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] E:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = E:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SafeConnect.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - E:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - E:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - E:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SafeConnect Manager (SCManager) - Unknown owner - E:\Program Files\SafeConnect\scManager.sys servicestart (file missing)
Barkin
Regular Member
 
Posts: 15
Joined: January 6th, 2009, 8:19 pm
Advertisement
Register to Remove

Re: 1/06/09 HijackThis log

Unread postby Bio-Hazard » January 16th, 2009, 7:52 am

Hello and Welcome to forums!

My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

  • I will be working on your Malware issues this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • I f you don't know or understand something please don't hesitate to ask.
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • It is important that you reply to this thread. Do not start a new topic.
  • Absence of symptoms does not mean that everything is clear.

NOTE: Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe


random's system information tool (RSIT)

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: 1/06/09 HijackThis log

Unread postby Barkin » January 16th, 2009, 12:09 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:05:08 AM, on 1/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\Eset\nod32krn.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\Program Files\SafeConnect\scManager.sys
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\CTHELPER.EXE
E:\WINDOWS\system32\CTXFIHLP.EXE
E:\WINDOWS\SYSTEM32\CTXFISPI.EXE
E:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
E:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Java\jre6\bin\jusched.exe
E:\Program Files\Eset\nod32kui.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Documents and Settings\Aqua\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
E:\Program Files\Logitech\SetPoint\SetPoint.exe
E:\Program Files\SafeConnect\scClient.exe
E:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
E:\Program Files\AIM\aim.exe
E:\Program Files\Mozilla Firefox\firefox.exe
G:\sysreset\mirc.exe
E:\PROGRA~1\MICROS~2\Office\WINWORD.EXE
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Winamp\winamp.exe
F:\Downloads\RSIT.exe
F:\Downloads\Aqua.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "E:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "E:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] E:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nod32kui] "E:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Vidalia] "E:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Utopia Angel] "E:\utop\Angel.exe"
O4 - HKCU\..\Run: [Google Update] "E:\Documents and Settings\Aqua\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = E:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SafeConnect.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - E:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - E:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - E:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SafeConnect Manager (SCManager) - Unknown owner - E:\Program Files\SafeConnect\scManager.sys servicestart (file missing)

--
End of file - 6561 bytes



info.txt logfile of random's system information tool 1.05 2009-01-16 08:05:09

======Uninstall list======

-->E:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{510582B9-2633-11D4-99DC-0000F49094C7}\Setup.exe" UNINSTALL
-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{17E96A7F-AFE3-4171-87B1-583E376319E8}\setup.exe" -l0x9
-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9
-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 /remove
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 E:\WINDOWS\INF\PCHealth.inf
32 Bit HP BiDi Channel Components Installer-->MsiExec.exe /I{9DE3F260-B88E-42CE-90E7-73C78C37D95E}
Adobe Flash Player ActiveX-->E:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin-->E:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop CS-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}\setup.exe" -l0x9
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
AIM Ad Hack-->"E:\Program Files\AIM\unins000.exe"
AOL Instant Messenger-->E:\Program Files\AIM\uninstll.exe -LOG= E:\Program Files\AIM\install.log -OEM=
BS.Player PRO-->"E:\Program Files\Webteh\BSplayerPro\uninstall.exe"
CDDRV_Installer-->MsiExec.exe /I{0C826C5B-B131-423A-A229-C71B3CACCD6A}
Chinese Traditional Fonts Support For Adobe Reader 8-->MsiExec.exe /I{AC76BA86-7AD7-2448-0000-800000000003}
Combined Community Codec Pack 2008-01-24-->"E:\Program Files\Combined Community Codec Pack\unins000.exe"
Cool Edit Pro 2.0-->E:\Program Files\coolpro2\cep2unin.exe
Creative Audio Console-->RunDll32 E:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "E:\Program Files\InstallShield Installation Information\{17E96A7F-AFE3-4171-87B1-583E376319E8}\setup.exe" -l0x9 /remove
HijackThis 2.0.2-->"F:\Downloads\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->E:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Windows Internet Explorer 7 (KB947864)-->"E:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"E:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
HP Color LaserJet CM1312 MFP Series 1.0-->E:\Program Files\HP\Digital Imaging\{8EEDB90E-6ABC-42bb-AD4C-39DEE05E3EEA}\setup\hpzscr01.exe -datfile hppscr11.dat -onestop -forcereboot
HP Photosmart, Officejet and Deskjet 7.0.A-->E:\Program Files\HP\Digital Imaging\{3A316611-45D1-429C-AA26-B71259C44689}\setup\hpzscr01.exe -datfile hposcr11.dat
Impulse-->"E:\Documents and Settings\All Users\Application Data\{BDF85E36-9312-4FF0-A33B-467762DFE6F8}\Impulse_setup.exe" REMOVE=TRUE MODIFY=FALSE
Impulse-->E:\Documents and Settings\All Users\Application Data\{BDF85E36-9312-4FF0-A33B-467762DFE6F8}\Impulse_setup.exe
Java(TM) 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Java(TM) 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Kaspersky Online Scanner-->E:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
KhalInstallWrapper-->MsiExec.exe /I{3101CB58-3482-4D21-AF1A-7057FC935355}
Logitech Communications Manager-->MsiExec.exe /I{BD202930-5F70-4B35-B875-1E28604F328D}
Logitech SetPoint-->E:\Program Files\InstallShield Installation Information\{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}\setup.exe -runfromtemp -l0x0009 -removeonly
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->E:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Internationalized Domain Names Mitigation APIs-->"E:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5-->"E:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"E:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office 2000 Premium-->MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft SQL Server 2008 Management Objects-->MsiExec.exe /I{F5E87B12-3C27-452F-8E78-21D42164FD83}
mIRC-->"G:\sysreset\mirc.exe" -uninstall
MKVtoolnix 2.3.0-->E:\Program Files\MKVtoolnix\uninst.exe
Mozilla Firefox (3.0.5)-->E:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
NOD32 antivirus system-->E:\Program Files\Eset\Setup\setup.exe /UNINSTALL
NOD32 FiX-->"E:\Program Files\Eset\unins000.exe"
NVIDIA Drivers-->E:\WINDOWS\system32\nvuninst.exe UninstallGUI
PlayNC Launcher-->E:\Program Files\InstallShield Installation Information\{5F8E2CBB-949D-4175-AC98-5ADE7F6C9697}\setup.exe -runfromtemp -l0x0009 -removeonly
RealPlayer-->E:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Richard Garriott's Tabula Rasa-->E:\Program Files\InstallShield Installation Information\{7848AAFB-851F-419D-B9B3-D3D07CD59CF3}\Setup.exe -runfromtemp -l0x0009 -removeonly
SafeConnect-->"E:\Program Files\SafeConnect\UnInstall.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"E:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"E:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"E:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"E:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"E:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"E:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"E:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"E:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"E:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->E:\WINDOWS\system32\MacroMed\Flash\genuinst.exe E:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"E:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"E:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"E:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"E:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"E:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"E:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"E:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"E:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"E:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"E:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"E:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"E:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"E:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"E:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"E:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"E:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"E:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"E:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"E:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"E:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"E:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"E:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"E:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"E:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Sins of a Solar Empire - Entrenchment-->"E:\Program Files\Stardock\Impulse\Impulse.exe" /autouninstall sinsentrench
Sins of a Solar Empire-->"E:\Program Files\Stardock\Impulse\Impulse.exe" /autouninstall sin
Skype™ 3.6-->MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Sony Digital Voice Editor 2-->E:\PROGRA~1\SONY\DIGITA~1\UNINST.EXE
Spybot - Search & Destroy-->"E:\Program Files\Spybot - Search & Destroy\unins000.exe"
SQL Server System CLR Types-->MsiExec.exe /I{342D4AD7-EC4C-4EC8-AEA6-E70F5905A490}
Update for Windows XP (KB951072-v2)-->"E:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"E:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"E:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Winamp-->"E:\Program Files\Winamp\UninstWA.exe"
Windows Live Messenger-->MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows XP Service Pack 3-->"E:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->E:\Program Files\WinRAR\uninstall.exe

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AV: ESET NOD32 antivirus system 2.70

System event log

Computer Name: SORA
Event Code: 2
Message: Device identified.

Record Number: 5826
Source Name: nvata
Time Written: 20080625022123.000000-420
Event Type: information
User:

Computer Name: SORA
Event Code: 2
Message: Device identified.

Record Number: 5825
Source Name: nvata
Time Written: 20080625022123.000000-420
Event Type: information
User:

Computer Name: SORA
Event Code: 6005
Message: The Event log service was started.

Record Number: 5824
Source Name: EventLog
Time Written: 20080625022110.000000-420
Event Type: information
User:

Computer Name: SORA
Event Code: 6009
Message: Microsoft (R) Windows (R) 5.01. 2600 Service Pack 2 Multiprocessor Free.

Record Number: 5823
Source Name: EventLog
Time Written: 20080625022110.000000-420
Event Type: information
User:

Computer Name: SORA
Event Code: 6006
Message: The Event log service was stopped.

Record Number: 5822
Source Name: EventLog
Time Written: 20080625022016.000000-420
Event Type: information
User:

Application event log

Computer Name: SORA
Event Code: 1800
Message: The Windows Security Center Service has started.

Record Number: 380
Source Name: SecurityCenter
Time Written: 20080426105012.000000-420
Event Type: information
User:

Computer Name: SORA
Event Code: 1517
Message: Windows saved user SORA\Aqua registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 379
Source Name: Userenv
Time Written: 20080425233918.000000-420
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: SORA
Event Code: 4097
Message: The application, E:\Program Files\Mozilla Firefox\firefox.exe, generated an application error
The error occurred on 04/25/2008 @ 20:52:45.109
The exception generated was c0000005 at address 66951354 (QuickTime!CallComponentFunctionWithStorage)

Record Number: 378
Source Name: DrWatson
Time Written: 20080425205245.000000-420
Event Type: information
User:

Computer Name: SORA
Event Code: 1001
Message: Fault bucket 717408378.

Record Number: 377
Source Name: Application Error
Time Written: 20080425205244.000000-420
Event Type: error
User:

Computer Name: SORA
Event Code: 1000
Message: Faulting application firefox.exe, version 1.8.20080.40413, faulting module quicktime.qts, version 7.4.1.14, fault address 0x00151354.

Record Number: 376
Source Name: Application Error
Time Written: 20080425205234.000000-420
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 6, GenuineIntel
"PROCESSOR_REVISION"=0f06
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------
Barkin
Regular Member
 
Posts: 15
Joined: January 6th, 2009, 8:19 pm

Re: 1/06/09 HijackThis log

Unread postby Bio-Hazard » January 16th, 2009, 12:25 pm

Hello!

You have cracked version of NOD32 on your computer. You need to remove NOD32 FiX before we can continue with any further. Please remove this from your system. Here is our forums Malware Removal Forum Guidelines and Rules. Here is quote from it:

Any time the helper detects that you may have illegal software on your machine, that helper may stop assisting you immediately until you can demonstrate that you have rectified the situation. We will not support fixing machines with pirated or otherwise illegal software.


Remove Programs

  • Click Start
  • Go to Control Panel
  • Go to [b]programs and features[/b]
  • Find and Right click on each instance of (if present):

    NOD32 FiX
  • Click Uninstall & then follow the prompts to remove it

NOTE: Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.


Antivirus

Anti-virus software are programs that detect cleans and erase harmful virus files on a computer
Web server or network.
Unchecked virus files can unintentionally be forwarded to others including trading partners and thereby spreading infection. Because new viruses regularly emerge anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present and will clean delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors NOW:


It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer then only one of them should be active in memory at a time.


Can you go here: C:/rsit and post the content of log.txt.
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: 1/06/09 HijackThis log

Unread postby Barkin » January 16th, 2009, 2:20 pm

AVG installed. my C:\ is the printer card reader.
Operational drive is E:\ all others are either optical or storage drives (internal)

here is the old log. do you want a new log since nod32 is gone?

Logfile of random's system information tool 1.05 (written by random/random)
Run by Aqua at 2009-01-16 08:04:56
Microsoft Windows XP Professional Service Pack 3
System drive E: has 38 GB (50%) free of 76 GB
Total RAM: 2046 MB (68% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:05:08 AM, on 1/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\Eset\nod32krn.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\Program Files\SafeConnect\scManager.sys
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\CTHELPER.EXE
E:\WINDOWS\system32\CTXFIHLP.EXE
E:\WINDOWS\SYSTEM32\CTXFISPI.EXE
E:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
E:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Java\jre6\bin\jusched.exe
E:\Program Files\Eset\nod32kui.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Documents and Settings\Aqua\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
E:\Program Files\Logitech\SetPoint\SetPoint.exe
E:\Program Files\SafeConnect\scClient.exe
E:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
E:\Program Files\AIM\aim.exe
E:\Program Files\Mozilla Firefox\firefox.exe
G:\sysreset\mirc.exe
E:\PROGRA~1\MICROS~2\Office\WINWORD.EXE
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Winamp\winamp.exe
F:\Downloads\RSIT.exe
F:\Downloads\Aqua.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "E:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "E:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] E:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nod32kui] "E:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Vidalia] "E:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Utopia Angel] "E:\utop\Angel.exe"
O4 - HKCU\..\Run: [Google Update] "E:\Documents and Settings\Aqua\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = E:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SafeConnect.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - E:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - E:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - E:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SafeConnect Manager (SCManager) - Unknown owner - E:\Program Files\SafeConnect\scManager.sys servicestart (file missing)

--
End of file - 6561 bytes

======Scheduled tasks folder======

E:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-507921405-682003330-725345543-1003.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java(tm) Plug-In SSV Helper - E:\Program Files\Java\jre6\bin\ssv.dll [2008-12-20 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - E:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-20 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-12-20 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=E:\WINDOWS\system32\NvCpl.dll [2007-12-05 8523776]
"nwiz"=nwiz.exe /install []
"CTHelper"=E:\WINDOWS\CTHELPER.EXE [2006-08-17 17920]
"CTxfiHlp"=E:\WINDOWS\system32\CTXFIHLP.EXE [2006-08-17 18944]
"Adobe Reader Speed Launcher"=E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"WinampAgent"=E:\Program Files\Winamp\winampa.exe []
"Kernel and Hardware Abstraction Layer"=E:\WINDOWS\KHALMNPR.EXE [2008-02-29 76304]
"LogitechCommunicationsManager"=E:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe [2007-04-05 488984]
"LVCOMSX"=E:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe [2007-03-09 252704]
"NvMediaCenter"=E:\WINDOWS\system32\NvMcTray.dll [2007-12-05 81920]
"SunJavaUpdateSched"=E:\Program Files\Java\jre6\bin\jusched.exe [2008-12-20 136600]
"IMJPMIG8.1"=E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2006-02-28 208952]
"MSPY2002"=E:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe [2006-02-28 59392]
"PHIME2002ASync"=E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2006-02-28 455168]
"PHIME2002A"=E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2006-02-28 455168]
"nod32kui"=E:\Program Files\Eset\nod32kui.exe [2008-12-30 949376]
"TkBellExe"=E:\Program Files\Common Files\Real\Update_OB\realsched.exe [2009-01-11 185872]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Vidalia"=E:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe []
"ctfmon.exe"=E:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"Utopia Angel"=E:\utop\Angel.exe [2009-01-05 3552256]
"Google Update"=E:\Documents and Settings\Aqua\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-30 133104]

E:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Logitech SetPoint.lnk - E:\Program Files\Logitech\SetPoint\SetPoint.exe
Microsoft Office.lnk - E:\Program Files\Microsoft Office\Office\OSA9.EXE
SafeConnect.lnk - E:\Program Files\SafeConnect\scClient.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn]
e:\program files\common files\logitech\bluetooth\LBTWlgn.dll [2008-05-02 72208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
E:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WdfLoadGroup]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"E:\Program Files\AIM\aim.exe"="E:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"E:\Program Files\Sophos\AutoUpdate\ALsvc.exe"="E:\Program Files\Sophos\AutoUpdate\ALsvc.exe:*:Enabled:ALsvc"
"E:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe"="E:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"E:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="E:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"E:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe"="E:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\sysreset\mirc.exe"="C:\sysreset\mirc.exe:*:Enabled:mIRC"
"E:\Program Files\uTorrent\uTorrent.exe"="E:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"E:\Program Files\Internet Explorer\iexplore.exe"="E:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"
"E:\Program Files\FlashGet\flashget.exe"="E:\Program Files\FlashGet\flashget.exe:*:Enabled:Flashget"
"E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"E:\Program Files\Yahoo!\Messenger\YServer.exe"="E:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"G:\sysreset\mirc.exe"="G:\sysreset\mirc.exe:*:Enabled:mIRC"
"E:\Program Files\Stardock Games\Sins of a Solar Empire\Sins of a Solar Empire.exe"="E:\Program Files\Stardock Games\Sins of a Solar Empire\Sins of a Solar Empire.exe:*:Enabled:Sins of a Solar Empire"
"E:\Program Files\Messenger\msmsgs.exe"="E:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"E:\Program Files\MSN Messenger\msnmsgr.exe"="E:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"E:\Program Files\MSN Messenger\livecall.exe"="E:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"E:\Program Files\realplay.exe"="E:\Program Files\realplay.exe:*:Enabled:RealPlayer"
"E:\Program Files\Skype\Phone\Skype.exe"="E:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"E:\Program Files\MSN Messenger\msnmsgr.exe"="E:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"E:\Program Files\MSN Messenger\livecall.exe"="E:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

======List of files/folders created in the last 1 months======

2009-01-16 08:04:56 ----D---- E:\rsit
2009-01-13 20:31:41 ----HDC---- E:\WINDOWS\$NtUninstallKB958687$
2009-01-11 21:13:33 ----D---- E:\Program Files\templates
2009-01-11 21:13:33 ----A---- E:\Program Files\wmdmhelper.dll
2009-01-11 21:13:32 ----D---- E:\Program Files\Devices
2009-01-11 21:13:32 ----D---- E:\Program Files\CDBurning
2009-01-11 21:13:32 ----A---- E:\Program Files\tsasdk.dll
2009-01-11 21:13:32 ----A---- E:\Program Files\tpasdk.dll
2009-01-11 21:13:32 ----A---- E:\Program Files\tnetdtct.dll
2009-01-11 21:13:32 ----A---- E:\Program Files\rjprog.dll
2009-01-11 21:13:32 ----A---- E:\Program Files\rjdlg.dll
2009-01-11 21:13:32 ----A---- E:\Program Files\rjbres.dll
2009-01-11 21:13:32 ----A---- E:\Program Files\mmcdda32.dll
2009-01-11 21:13:32 ----A---- E:\Program Files\ierjplug.dll
2009-01-11 21:13:32 ----A---- E:\Program Files\fixrjb.exe
2009-01-11 21:13:32 ----A---- E:\Program Files\DUNZIP32.dll
2009-01-11 21:13:32 ----A---- E:\Program Files\dtdr3260.dll
2009-01-11 21:13:31 ----D---- E:\Program Files\Common Files\xing shared
2009-01-11 21:13:31 ----A---- E:\Program Files\rpwa3260.dll
2009-01-11 21:13:30 ----D---- E:\Program Files\producer
2009-01-11 21:13:30 ----D---- E:\Program Files\browserrecord
2009-01-11 21:13:30 ----A---- E:\Program Files\rpshellsearch.dll
2009-01-11 21:13:30 ----A---- E:\Program Files\rpbrowserrecordplugin.dll
2009-01-11 21:13:30 ----A---- E:\Program Files\RecordingManager.exe.manifest
2009-01-11 21:13:30 ----A---- E:\Program Files\RecordingManager.exe
2009-01-11 21:13:30 ----A---- E:\Program Files\dbghelp.dll
2009-01-11 21:13:29 ----D---- E:\Program Files\plugins
2009-01-11 21:13:29 ----A---- E:\Program Files\rjwmapln.dll
2009-01-11 21:13:28 ----A---- E:\Program Files\rpau3260.dll
2009-01-11 21:13:28 ----A---- E:\Program Files\RealNetworks License.txt
2009-01-11 21:13:28 ----A---- E:\Program Files\playrlic.txt
2009-01-11 21:13:27 ----D---- E:\Program Files\Netscape6
2009-01-11 21:13:27 ----D---- E:\Program Files\DataCache
2009-01-11 21:13:27 ----A---- E:\WINDOWS\system32\rmoc3260.dll
2009-01-11 21:13:27 ----A---- E:\Program Files\rpplugprot.dll
2009-01-11 21:13:27 ----A---- E:\Program Files\rdsf3260.dll
2009-01-11 21:13:27 ----A---- E:\Program Files\HXAudioDeviceHook.dll
2009-01-11 21:13:26 ----D---- E:\Program Files\rpplugins
2009-01-11 21:13:26 ----D---- E:\Program Files\library
2009-01-11 21:13:26 ----A---- E:\WINDOWS\system32\pndx5032.dll
2009-01-11 21:13:26 ----A---- E:\WINDOWS\system32\pndx5016.dll
2009-01-11 21:13:26 ----A---- E:\Program Files\rpshellextension.dll
2009-01-11 21:13:26 ----A---- E:\Program Files\rpshell.dll
2009-01-11 21:13:26 ----A---- E:\Program Files\rphelperapp.exe
2009-01-11 21:13:26 ----A---- E:\Program Files\realplay.exe.manifest
2009-01-11 21:13:26 ----A---- E:\Program Files\realplay.exe
2009-01-11 21:13:26 ----A---- E:\Program Files\realjbox.exe
2009-01-11 21:13:25 ----D---- E:\Program Files\Setup
2009-01-11 21:13:25 ----A---- E:\WINDOWS\system32\pncrt.dll
2009-01-11 21:13:25 ----A---- E:\WINDOWS\system32\msvcp71.dll
2008-12-30 15:02:04 ----A---- E:\WINDOWS\system32\imon.dll
2008-12-30 15:01:34 ----D---- E:\Program Files\ESET
2008-12-20 20:22:05 ----A---- E:\WINDOWS\system32\deploytk.dll
2008-12-18 00:06:37 ----D---- E:\Program Files\Spybot - Search & Destroy
2008-12-18 00:06:37 ----D---- E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

======List of files/folders modified in the last 1 months======

2009-01-15 20:32:46 ----D---- E:\Documents and Settings\Aqua\Application Data\Skype
2009-01-15 19:43:06 ----D---- E:\Program Files\Mozilla Firefox
2009-01-15 17:27:47 ----D---- E:\Documents and Settings\Aqua\Application Data\skypePM
2009-01-14 20:07:52 ----D---- E:\WINDOWS\Temp
2009-01-14 17:10:07 ----A---- E:\WINDOWS\SchedLgU.Txt
2009-01-14 13:26:26 ----D---- E:\WINDOWS\Prefetch
2009-01-14 13:22:49 ----D---- E:\WINDOWS\system32
2009-01-14 12:20:01 ----D---- E:\WINDOWS
2009-01-13 20:31:43 ----RSHDC---- E:\WINDOWS\system32\dllcache
2009-01-13 20:31:43 ----D---- E:\WINDOWS\system32\drivers
2009-01-13 20:31:39 ----HD---- E:\WINDOWS\inf
2009-01-13 20:31:37 ----HD---- E:\WINDOWS\$hf_mig$
2009-01-13 20:31:35 ----D---- E:\WINDOWS\system32\CatRoot2
2009-01-12 23:23:58 ----D---- E:\Documents and Settings\Aqua\Application Data\Adobe
2009-01-12 23:23:58 ----D---- E:\Documents and Settings\All Users\Application Data\Adobe
2009-01-11 21:13:39 ----D---- E:\Documents and Settings\Aqua\Application Data\Real
2009-01-11 21:13:38 ----RD---- E:\Program Files
2009-01-11 21:13:31 ----D---- E:\Program Files\Common Files
2009-01-11 21:13:29 ----D---- E:\Program Files\Common Files\Real
2009-01-09 20:17:03 ----D---- E:\Documents and Settings\Aqua\Application Data\uTorrent
2009-01-09 17:35:30 ----A---- E:\WINDOWS\system32\MRT.exe
2008-12-30 18:22:23 ----SD---- E:\WINDOWS\Tasks
2008-12-30 15:03:11 ----HD---- E:\Config.Msi
2008-12-30 15:03:11 ----D---- E:\WINDOWS\SxsCaPendDel
2008-12-30 15:01:02 ----D---- E:\WINDOWS\WinSxS
2008-12-30 15:00:52 ----SHD---- E:\WINDOWS\Installer
2008-12-30 14:58:29 ----D---- E:\Program Files\Microsoft Visual Studio 9.0
2008-12-30 14:58:29 ----D---- E:\Program Files\Common Files\Microsoft Shared
2008-12-30 14:58:22 ----D---- E:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-12-28 22:18:49 ----RSD---- E:\WINDOWS\assembly
2008-12-22 13:52:19 ----D---- E:\Program Files\FlashGet
2008-12-20 20:21:58 ----A---- E:\WINDOWS\system32\javaws.exe
2008-12-20 20:21:58 ----A---- E:\WINDOWS\system32\javaw.exe
2008-12-20 20:21:58 ----A---- E:\WINDOWS\system32\java.exe
2008-12-20 20:21:55 ----D---- E:\Program Files\Java
2008-12-18 09:29:19 ----A---- E:\WINDOWS\imsins.BAK

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; E:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; E:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 nod32drv;nod32drv; E:\WINDOWS\system32\drivers\nod32drv.sys [2008-12-30 15424]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; E:\WINDOWS\System32\drivers\ws2ifsl.sys [2006-02-28 12032]
R2 AMON;AMON; E:\WINDOWS\system32\drivers\amon.sys [2008-12-30 512096]
R3 Arp1394;1394 ARP Client Protocol; E:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 ctac32k;Creative AC3 Software Decoder; E:\WINDOWS\system32\drivers\ctac32k.sys [2006-08-17 502272]
R3 ctaud2k;Creative Audio Driver (WDM); E:\WINDOWS\system32\drivers\ctaud2k.sys [2006-08-17 500480]
R3 ctprxy2k;Creative Proxy Driver; E:\WINDOWS\system32\drivers\ctprxy2k.sys [2006-08-17 7168]
R3 ctsfm2k;Creative SoundFont Management Device Driver; E:\WINDOWS\system32\drivers\ctsfm2k.sys [2006-08-17 143872]
R3 emupia;E-mu Plug-in Architecture Driver; E:\WINDOWS\system32\drivers\emupia2k.sys [2006-08-17 78336]
R3 ha20x2k;Creative 20X HAL Driver; E:\WINDOWS\system32\drivers\ha20x2k.sys [2006-08-17 1110528]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; E:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Microsoft HID Class Driver; E:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HPZid412;IEEE-1284.4 Driver HPZid412; E:\WINDOWS\system32\DRIVERS\HPZid412.sys [2006-04-12 49664]
R3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; E:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2006-04-12 16496]
R3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; E:\WINDOWS\system32\DRIVERS\HPZius12.sys [2006-04-12 21568]
R3 LHidFilt;Logitech SetPoint KMDF HID Filter Driver; E:\WINDOWS\system32\DRIVERS\LHidFilt.Sys [2008-02-29 35344]
R3 LMouFilt;Logitech SetPoint KMDF Mouse Filter Driver; E:\WINDOWS\system32\DRIVERS\LMouFilt.Sys [2008-02-29 36880]
R3 mouhid;Mouse HID Driver; E:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NIC1394;1394 Net Driver; E:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 npkcusb;npkcusb; \??\E:\Program Files\Ragray\npkcusb.sys []
R3 nv;nv; E:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2007-12-05 7435392]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; E:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-08-07 52736]
R3 nvnetbus;NVIDIA Network Bus Enumerator; E:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-08-07 18944]
R3 ossrv;Creative OS Services Driver; E:\WINDOWS\system32\drivers\ctoss2k.sys [2006-08-17 116224]
R3 usbccgp;Microsoft USB Generic Parent Driver; E:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; E:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; E:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; E:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbprint;Microsoft USB PRINTER Class; E:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbscan;USB Scanner Driver; E:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 USBSTOR;USB Mass Storage Driver; E:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 Wdf01000;Wdf01000; E:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S3 axjghpnj;axjghpnj; E:\WINDOWS\system32\drivers\axjghpnj.sys []
S3 ctdvda2k;Creative DVD-Audio Device Driver; E:\WINDOWS\system32\drivers\ctdvda2k.sys [2006-08-17 340176]
S3 HidBatt;HID UPS Battery Driver; E:\WINDOWS\system32\DRIVERS\HidBatt.sys [2008-04-13 20352]
S3 ICDUSB2;Sony IC Recorder (P); E:\WINDOWS\System32\Drivers\ICDUSB2.sys [2002-11-28 39048]
S3 npkcrypt;npkcrypt; \??\E:\Program Files\Ragray\npkcrypt.sys []
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service; E:\WINDOWS\system32\DRIVERS\WPN111.sys [2005-09-26 362944]
S4 IntelIde;IntelIde; E:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; E:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-13 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 JavaQuickStarterService;Java Quick Starter; E:\Program Files\Java\jre6\bin\jqs.exe [2008-12-20 152984]
R2 NOD32krn;NOD32 Kernel Service; E:\Program Files\Eset\nod32krn.exe [2008-12-30 552064]
R2 NVSvc;NVIDIA Display Driver Service; E:\WINDOWS\system32\nvsvc32.exe [2007-12-05 155716]
R2 SCManager;SafeConnect Manager; E:\Program Files\SafeConnect\scManager.sys [2008-09-22 136472]
S2 Net Driver HPZ12;Net Driver HPZ12; E:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S2 Pml Driver HPZ12;Pml Driver HPZ12; E:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 Adobe LM Service;Adobe LM Service; E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2008-09-16 68096]
S3 aspnet_state;ASP.NET State Service; E:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; E:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; E:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 ICDSPTSV;Sony SPTI Service for DVE; E:\WINDOWS\system32\IcdSptSv.exe [2003-04-01 69632]
S3 idsvc;Windows CardSpace; E:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 LBTServ;Logitech Bluetooth Service; E:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe [2008-05-02 121360]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; E:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; E:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------
Barkin
Regular Member
 
Posts: 15
Joined: January 6th, 2009, 8:19 pm

Re: 1/06/09 HijackThis log

Unread postby Bio-Hazard » January 16th, 2009, 2:37 pm

ATF-Cleaner

Please download ATF Cleaner by Atribune.

  • Save it to your desktop
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords please click No at the prompt.
  • Click Exit on the Main menu to close the program.


Kaspersky Online Scan

Please go to Kaspersky website and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply along with a fresh HijackThis log.


Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:
  • Kaspersky Log
  • A fresh HijackThis Log ( after all the above has been done)
  • A description of how your computer is behaving
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: 1/06/09 HijackThis log

Unread postby Barkin » January 16th, 2009, 9:14 pm

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, January 16, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, January 16, 2009 22:22:05
Records in database: 1633110
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
I:\

Scan statistics:
Files scanned: 92574
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 00:57:58


File name / Threat name / Threats count
G:\sysreset\mirc.exe/G:\sysreset\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
G:\sysreset\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1

The selected area was scanned.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:10:03 PM, on 1/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\SafeConnect\scManager.sys
E:\WINDOWS\system32\svchost.exe
E:\PROGRA~1\AVG\AVG8\avgrsx.exe
E:\PROGRA~1\AVG\AVG8\avgemc.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\CTHELPER.EXE
E:\WINDOWS\system32\CTXFIHLP.EXE
E:\WINDOWS\SYSTEM32\CTXFISPI.EXE
E:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
E:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Java\jre6\bin\jusched.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\PROGRA~1\AVG\AVG8\avgtray.exe
E:\WINDOWS\system32\ctfmon.exe
E:\utop\Angel.exe
E:\Documents and Settings\Aqua\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
E:\Program Files\Logitech\SetPoint\SetPoint.exe
E:\Program Files\SafeConnect\scClient.exe
E:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Java\jre6\bin\java.exe
G:\sysreset\mirc.exe
E:\WINDOWS\system32\calc.exe
E:\Program Files\AIM\aim.exe
F:\Downloads\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "E:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "E:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] E:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Vidalia] "E:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Utopia Angel] "E:\utop\Angel.exe"
O4 - HKCU\..\Run: [Google Update] "E:\Documents and Settings\Aqua\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = E:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SafeConnect.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Unknown owner - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - E:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - E:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SafeConnect Manager (SCManager) - Unknown owner - E:\Program Files\SafeConnect\scManager.sys servicestart (file missing)

--
End of file - 7074 bytes


harddrives get accessed alot even if im not doing anything. the antivirus isn't scanning anything and stuff when it happens.
cmd -> netstat see alot of TCP connections to localhost:XXXX. usually 8080, other ports in the 1100-1300 appear as well.

while the kaspersky thing was running, AVG popped up with some .exe's that were in temp folders.

Resident Shield detection
"Infection" "Object" "Result" "Detection time" "Object Type" "Process"
"Trojan horse Generic4.QZN" "F:\Documents and Settings\Sora\Local Settings\Temp\bdtmp\3960.exe" "Moved to Virus Vault" "1/16/2009, 4:41:12 PM" "file" "E:\Documents and Settings\Aqua\Local Settings\Temp\jkos-Aqua\binaries\ScanningProcess.exe"
"Trojan horse Generic4.QZN" "F:\Documents and Settings\Sora\Local Settings\Temp\bdtmp\4439.exe" "Moved to Virus Vault" "1/16/2009, 4:41:12 PM" "file" "E:\Documents and Settings\Aqua\Local Settings\Temp\jkos-Aqua\binaries\ScanningProcess.exe"
"Trojan horse Generic4.QZN" "F:\Documents and Settings\Sora\Local Settings\Temp\bdtmp\5151.exe" "Moved to Virus Vault" "1/16/2009, 4:41:13 PM" "file" "E:\Documents and Settings\Aqua\Local Settings\Temp\jkos-Aqua\binaries\ScanningProcess.exe"
"Trojan horse Generic4.QZN" "F:\Documents and Settings\Sora\Local Settings\Temp\bdtmp\5559.exe" "Moved to Virus Vault" "1/16/2009, 4:41:13 PM" "file" "E:\Documents and Settings\Aqua\Local Settings\Temp\jkos-Aqua\binaries\ScanningProcess.exe"

btw, i will not be back to use this computer until 1/19 because i am going home for the weekend and am not taking my desktop with me... just in case you wonder wtf im doing.
Barkin
Regular Member
 
Posts: 15
Joined: January 6th, 2009, 8:19 pm

Re: 1/06/09 HijackThis log

Unread postby Bio-Hazard » January 17th, 2009, 12:33 pm

Using Gmer

Please download Gmer by Gmer and save it to your desktop.

  • Right click on gmer.zip and select Extract All....
  • Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  • Click on the Browse button. Click on Desktop. Then click OK.
  • Click Next. It will start extracting.
  • Once done, check (tick) the Show extracted files box and click Finish.
  • Double click on gmer.exe to run it.
  • Select the Rootkit tab.
  • On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click on the Scan button.
  • When the scan is finished, click Copy to save the scan log to the Windows clipboard.
  • Open Notepad or a similar text editor.
  • Paste the clipboard contents into the text editor.
  • Save the Gmer scan log and post it in your next reply.
  • Close Gmer.
  • Open Command Prompt by going to Start > Run and type in cmd. Press Enter.
  • In Command Prompt, type in net stop gmer. Press Enter.
  • Type in exit to close Command Prompt.

Note: Do not run any programs while Gmer is running.


Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:
  • Gmer Log
  • A fresh HijackThis Log ( after all the above has been done)
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: 1/06/09 HijackThis log

Unread postby Barkin » January 20th, 2009, 3:27 am

gmer...

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-19 23:23:42
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT spjt.sys ZwCreateKey [0xBA6A80E0]
SSDT spjt.sys ZwEnumerateKey [0xBA6C6CA2]
SSDT spjt.sys ZwEnumerateValueKey [0xBA6C7030]
SSDT spjt.sys ZwOpenKey [0xBA6A80C0]
SSDT spjt.sys ZwQueryKey [0xBA6C7108]
SSDT spjt.sys ZwQueryValueKey [0xBA6C6F88]
SSDT spjt.sys ZwSetValueKey [0xBA6C719A]

INT 0x62 ? 8A75CBF8
INT 0x63 ? 8A7CDBF8
INT 0x63 ? 8A7CDBF8
INT 0x73 ? 8A7CDBF8
INT 0x73 ? 8A570BF8
INT 0x73 ? 8A7CDBF8
INT 0xB4 ? 8A7CDBF8

---- Kernel code sections - GMER 1.0.14 ----

? spjt.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B94ED8AC 5 Bytes JMP 8A5701D8
.text a5s4ad07.SYS B9220386 35 Bytes [ 00, 00, 00, 00, 00, 00, 20, ... ]
.text a5s4ad07.SYS B92203AA 24 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text a5s4ad07.SYS B92203C4 3 Bytes [ 00, 70, 02 ]
.text a5s4ad07.SYS B92203C9 1 Byte [ 2E ]
.text a5s4ad07.SYS B92203CB 9 Bytes [ 00, 00, 5A, 02, 00, 00, 00, ... ]
.text ...
? System32\Drivers\hiber_WMILIB.SYS The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6A9040] spjt.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6A913C] spjt.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6A90BE] spjt.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6A97FC] spjt.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6A96D2] spjt.sys
IAT \SystemRoot\System32\Drivers\a5s4ad07.SYS[HAL.dll!KfAcquireSpinLock] C0840CEC
IAT \SystemRoot\System32\Drivers\a5s4ad07.SYS[HAL.dll!READ_PORT_UCHAR] 053C0D74
IAT \SystemRoot\System32\Drivers\a5s4ad07.SYS[HAL.dll!KeGetCurrentIrql] 57B80974
IAT \SystemRoot\System32\Drivers\a5s4ad07.SYS[HAL.dll!KfRaiseIrql] 8B000000
IAT \SystemRoot\System32\Drivers\a5s4ad07.SYS[HAL.dll!KfLowerIrql] 56C35DE5
IAT \SystemRoot\System32\Drivers\a5s4ad07.SYS[HAL.dll!HalGetInterruptVector] 8D08758B
IAT \SystemRoot\System32\Drivers\a5s4ad07.SYS[HAL.dll!HalTranslateBusAddress] 8D51FC4D
IAT \SystemRoot\System32\Drivers\a5s4ad07.SYS[HAL.dll!KeStallExecutionProcessor] 8D52FD55
IAT \SystemRoot\System32\Drivers\a5s4ad07.SYS[HAL.dll!KfReleaseSpinLock] 8D51FE4D
IAT \SystemRoot\System32\Drivers\a5s4ad07.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 8D52FF55
IAT \SystemRoot\System32\Drivers\a5s4ad07.SYS[HAL.dll!READ_PORT_USHORT] 8D51F84D
IAT \SystemRoot\System32\Drivers\a5s4ad07.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 5052F455
IAT \SystemRoot\System32\Drivers\a5s4ad07.SYS[HAL.dll!WRITE_PORT_UCHAR] EACAE856
IAT \SystemRoot\System32\Drivers\a5s4ad07.SYS[WMILIB.SYS!WmiSystemControl] 0FC08520
IAT \SystemRoot\System32\Drivers\a5s4ad07.SYS[WMILIB.SYS!WmiCompleteRequest] 0001B185

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8A7CC1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{4C5F349F-A015-4643-AF98-D7D44801EDD4} 87B751F8
Device \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbohci \Device\USBPDO-0 8A56F1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A7CE1F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A7CE1F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A7CE1F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A7CE1F8
Device \Driver\usbehci \Device\USBPDO-1 8A5631F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{089806CB-DD9A-4A04-B3CE-7CCA996D8559} 87B751F8
Device \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A75D1F8
Device \Driver\Cdrom \Device\CdRom0 8A5571F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A75D1F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 8A75D1F8
Device \Driver\sptd \Device\179063538 spjt.sys
Device \Driver\Cdrom \Device\CdRom1 8A5571F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 87B751F8
Device \Driver\PCI_PNP8538 \Device\0000004b spjt.sys
Device \Driver\NetBT \Device\NetbiosSmb 87B751F8
Device \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\USBSTOR \Device\00000089 8A4C51F8
Device \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\nvata \Device\0000006c 8A7CD1F8
Device \Driver\usbohci \Device\USBFDO-0 8A56F1F8
Device \Driver\nvata \Device\0000006d 8A7CD1F8
Device \Driver\usbehci \Device\USBFDO-1 8A5631F8
Device \Driver\nvata \Device\NvAta0 8A7CD1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 87B4E1F8
Device \Driver\Tcpip \Device\IPMULTICAST avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\nvata \Device\NvAta1 8A7CD1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 87B4E1F8
Device \Driver\nvata \Device\NvAta2 8A7CD1F8
Device \Driver\Ftdisk \Device\FtControl 8A75D1F8
Device \Driver\USBSTOR \Device\0000007f 8A4C51F8
Device \Driver\a5s4ad07 \Device\Scsi\a5s4ad071Port5Path0Target0Lun0 8A51D1F8
Device \Driver\a5s4ad07 \Device\Scsi\a5s4ad071 8A51D1F8
Device \FileSystem\Cdfs \Cdfs 8A3B3500

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ???M0F??WmiOpenPerfData?????Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site.?e?U??? ???M????????????????r??N?????????n????? ???@??????????????? ???+??????????????? ???W???S??????e????????????????????????M??????????????????????7-1-2001?????????????1??????2b???M??? ???M???O??????se??%SystemRoot%\System32\svchost.exe -k netsvcs?????? ??M?????????e??????Z??M???0????h\{E????X??i???e??????Security Center???????8??M?????????eNI??169.232.93.152???????????M???????????e???????M???????????W??RpcSs?Ndisuio????????????N???o?????????2\d???????????????????????)??????p????????????2?2?2???W???????M???????????e???@?K?K?K?L?M?M?M?M?M?M???0?0e????????Y???4????????????a480??E:\WINDOWS\system32\wbem\wmiaprpl.dll?????&??M???????t??WmiCollectPerfData?????????????????????r????Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and tim
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 E:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x91 0xBB 0x70 0x0B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x11 0x9B 0x2B 0xF0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x6C 0x96 0x75 0x34 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 E:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x91 0xBB 0x70 0x0B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x11 0x9B 0x2B 0xF0 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x6C 0x96 0x75 0x34 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 E:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x91 0xBB 0x70 0x0B ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x11 0x9B 0x2B 0xF0 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x6C 0x96 0x75 0x34 ...

---- EOF - GMER 1.0.14 ----

hijackthis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:03 PM, on 1/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\Program Files\SafeConnect\scManager.sys
E:\WINDOWS\system32\svchost.exe
E:\PROGRA~1\AVG\AVG8\avgrsx.exe
E:\PROGRA~1\AVG\AVG8\avgemc.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\CTHELPER.EXE
E:\WINDOWS\system32\CTXFIHLP.EXE
E:\WINDOWS\SYSTEM32\CTXFISPI.EXE
E:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
E:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Java\jre6\bin\jusched.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Documents and Settings\Aqua\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
E:\Program Files\Logitech\SetPoint\SetPoint.exe
E:\Program Files\SafeConnect\scClient.exe
E:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\AVG\AVG8\avgtray.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\WINDOWS\system32\NOTEPAD.EXE
F:\Downloads\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "E:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "E:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] E:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Vidalia] "E:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Utopia Angel] "E:\utop\Angel.exe"
O4 - HKCU\..\Run: [Google Update] "E:\Documents and Settings\Aqua\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = E:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SafeConnect.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Unknown owner - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - E:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - E:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SafeConnect Manager (SCManager) - Unknown owner - E:\Program Files\SafeConnect\scManager.sys servicestart (file missing)

--
End of file - 6905 bytes
Barkin
Regular Member
 
Posts: 15
Joined: January 6th, 2009, 8:19 pm

Re: 1/06/09 HijackThis log

Unread postby Bio-Hazard » January 20th, 2009, 9:41 am

Hello!

When you were running Kaspersky online scan AVG should have been disabled. AVG was reacting to the Kaspersky scanning.

What are drives are F and G?
Are they removable drives?


Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

HOW TO USE COMBOFIX

IMPORTANT: combofix.exe MUST be on your Desktop for us to proceed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Double click on ComboFix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

NOTE: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Image


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Image

  • Click on Yes, to continue scanning for malware.
  • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Combofix should never take more that 20 minutes including the reboot if malware is detected.


Next Reply

Please reply with:
  • ComboFix log (found at C:\Combofix.txt)
  • New HijackThis log
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: 1/06/09 HijackThis log

Unread postby Barkin » January 20th, 2009, 7:33 pm

My university has a policy where realtime antivirus protection needs to be active for internet access and they enforce this using safeconnect. I don't have the OS CD with me so i didn't install the recovery console. I did disable AVG, but I lose internet with it too.

E is system drive - this is the drive teh OS is installed on
F and G are storage drives
C is the cardreader on my printer linked via USB
D is my optical drive

ComboFix 09-01-19.05 - Aqua 2009-01-20 15:19:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1650 [GMT -8:00]
Running from: e:\documents and settings\Aqua\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-12-20 to 2009-01-20 )))))))))))))))))))))))))))))))
.

2009-01-19 23:07 . 2009-01-19 23:09 250 --a------ e:\windows\gmer.ini
2009-01-16 10:17 . 2009-01-16 10:17 97,928 --a------ e:\windows\system32\drivers\avgldx86.sys
2009-01-16 10:17 . 2009-01-16 10:17 76,040 --a------ e:\windows\system32\drivers\avgtdix.sys
2009-01-16 10:17 . 2009-01-16 10:17 10,520 --a------ e:\windows\system32\avgrsstx.dll
2009-01-16 10:16 . 2009-01-20 08:14 <DIR> d-------- e:\windows\system32\drivers\Avg
2009-01-16 10:16 . 2009-01-16 10:16 <DIR> d-------- e:\program files\AVG
2009-01-16 10:16 . 2009-01-16 10:16 <DIR> d-------- e:\documents and settings\All Users\Application Data\avg8
2009-01-16 08:04 . 2009-01-16 08:05 <DIR> d-------- E:\rsit
2009-01-11 21:13 . 2009-01-11 21:13 <DIR> d-------- e:\program files\templates
2009-01-11 21:13 . 2009-01-11 21:13 <DIR> d-------- e:\program files\Setup
2009-01-11 21:13 . 2009-01-11 21:13 <DIR> d-------- e:\program files\rpplugins
2009-01-11 21:13 . 2009-01-11 21:13 <DIR> d-------- e:\program files\producer
2009-01-11 21:13 . 2009-01-11 21:13 <DIR> d-------- e:\program files\plugins
2009-01-11 21:13 . 2009-01-11 21:13 <DIR> d-------- e:\program files\Netscape6
2009-01-11 21:13 . 2009-01-11 21:13 <DIR> d-------- e:\program files\library
2009-01-11 21:13 . 2009-01-11 21:13 <DIR> d-------- e:\program files\Devices
2009-01-11 21:13 . 2009-01-11 21:13 <DIR> d-------- e:\program files\DataCache
2009-01-11 21:13 . 2009-01-11 21:13 <DIR> d-------- e:\program files\Common Files\xing shared
2009-01-11 21:13 . 2009-01-11 21:13 <DIR> d-------- e:\program files\CDBurning
2009-01-11 21:13 . 2009-01-11 21:13 <DIR> d-------- e:\program files\browserrecord
2009-01-11 21:13 . 2009-01-11 21:13 719,360 --a------ e:\program files\dbghelp.dll
2009-01-11 21:13 . 2009-01-11 21:13 692,224 --a------ e:\program files\dtdr3260.dll
2009-01-11 21:13 . 2009-01-11 21:13 659,456 --a------ e:\program files\rjbres.dll
2009-01-11 21:13 . 2009-01-11 21:13 499,712 --a------ e:\windows\system32\msvcp71.dll
2009-01-11 21:13 . 2009-01-11 21:13 339,968 --a------ e:\program files\rjdlg.dll
2009-01-11 21:13 . 2009-01-11 21:13 304,736 --a------ e:\program files\rpbrowserrecordplugin.dll
2009-01-11 21:13 . 2009-01-11 21:13 214,536 --a------ e:\program files\realplay.exe
2009-01-11 21:13 . 2009-01-11 21:13 153,152 --a------ e:\program files\RecordingManager.exe
2009-01-11 21:13 . 2009-01-11 21:13 139,264 --a------ e:\program files\DUNZIP32.dll
2009-01-11 21:13 . 2009-01-11 21:13 102,400 --a------ e:\program files\HXAudioDeviceHook.dll
2009-01-11 21:13 . 2009-01-11 21:13 98,304 --a------ e:\program files\rpshellextension.dll
2009-01-11 21:13 . 2009-01-11 21:13 95,784 --a------ e:\program files\rdsf3260.dll
2009-01-11 21:13 . 2009-01-11 21:13 86,016 --a------ e:\program files\rpplugprot.dll
2009-01-11 21:13 . 2009-01-11 21:13 81,920 --a------ e:\program files\tsasdk.dll
2009-01-11 21:13 . 2009-01-11 21:13 65,536 --a------ e:\program files\rjwmapln.dll
2009-01-11 21:13 . 2009-01-11 21:13 63,016 --a------ e:\program files\rpshell.dll
2009-01-11 21:13 . 2009-01-11 21:13 57,344 --a------ e:\program files\tpasdk.dll
2009-01-11 21:13 . 2009-01-11 21:13 53,248 --a------ e:\program files\rpau3260.dll
2009-01-11 21:13 . 2009-01-11 21:13 43,056 --a------ e:\program files\rpshellsearch.dll
2009-01-11 21:13 . 2009-01-11 21:13 41,472 --a------ e:\program files\mmcdda32.dll
2009-01-11 21:13 . 2009-01-11 21:13 36,352 --a------ e:\program files\ierjplug.dll
2009-01-11 21:13 . 2009-01-11 21:13 32,768 --a------ e:\program files\rpwa3260.dll
2009-01-11 21:13 . 2009-01-11 21:13 19,456 --a------ e:\program files\tnetdtct.dll
2009-01-11 21:13 . 2009-01-11 21:13 19,456 --a------ e:\program files\rjprog.dll
2009-01-11 21:13 . 2009-01-11 21:13 14,336 --a------ e:\program files\wmdmhelper.dll
2009-01-11 21:13 . 2009-01-11 21:13 9,216 --a------ e:\program files\rphelperapp.exe
2009-01-11 21:13 . 2009-01-11 21:13 7,168 --a------ e:\program files\realjbox.exe
2009-01-11 21:13 . 2009-01-11 21:13 6,656 --a------ e:\program files\fixrjb.exe
2009-01-11 21:13 . 2009-01-11 21:13 1,030 --a------ e:\program files\autoplaylist.dat
2009-01-11 21:13 . 2009-01-11 21:13 480 --a------ e:\program files\keys.dat
2009-01-11 21:13 . 2009-01-11 21:13 50 --a------ e:\program files\strs23.dat
2009-01-11 21:13 . 2009-01-11 21:13 13 --a------ e:\program files\strs26.dat
2009-01-04 12:41 . 2008-04-13 11:40 43,904 --a------ e:\windows\system32\drivers\sbp2port.sys
2009-01-04 12:41 . 2008-04-13 11:40 43,904 --a--c--- e:\windows\system32\dllcache\sbp2port.sys
2008-12-30 15:01 . 2009-01-16 10:08 <DIR> d-------- e:\program files\ESET
2008-12-20 20:22 . 2008-12-20 20:21 410,984 --a------ e:\windows\system32\deploytk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-16 04:32 --------- d-----w e:\documents and settings\Aqua\Application Data\Skype
2009-01-16 01:27 --------- d-----w e:\documents and settings\Aqua\Application Data\skypePM
2009-01-10 04:17 --------- d-----w e:\documents and settings\Aqua\Application Data\uTorrent
2009-01-06 23:57 --------- d-----w e:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-30 22:58 --------- d-----w e:\program files\Microsoft Visual Studio 9.0
2008-12-30 22:58 --------- d-----w e:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-22 21:52 --------- d-----w e:\program files\FlashGet
2008-12-21 04:21 --------- d-----w e:\program files\Java
2008-12-18 17:26 --------- d-----w e:\program files\Spybot - Search & Destroy
2008-12-16 00:09 --------- d-----w e:\program files\HP
2008-12-16 00:08 --------- d-----w e:\program files\Hewlett-Packard
2008-12-16 00:08 --------- d-----w e:\program files\Common Files\HP
2008-12-16 00:08 --------- d-----w e:\documents and settings\All Users\Application Data\Hewlett-Packard
2008-12-16 00:05 --------- d-----w e:\program files\Common Files\SWF Studio
2008-12-11 10:57 333,952 ----a-w e:\windows\system32\drivers\srv.sys
2008-04-20 21:05 32 ----a-w e:\documents and settings\All Users\Application Data\ezsid.dat
2008-09-18 23:35 32,768 --sha-w e:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091820080919\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="e:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Utopia Angel"="e:\utop\Angel.exe" [2009-01-05 3552256]
"Google Update"="e:\documents and settings\Aqua\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-30 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="e:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"Adobe Reader Speed Launcher"="e:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"LogitechCommunicationsManager"="e:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-04-05 488984]
"LVCOMSX"="e:\program files\Common Files\LogiShrd\LComMgr\LVComSX.exe" [2007-03-09 252704]
"NvMediaCenter"="e:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"SunJavaUpdateSched"="e:\program files\Java\jre6\bin\jusched.exe" [2008-12-20 136600]
"IMJPMIG8.1"="e:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]
"MSPY2002"="e:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-02-28 59392]
"PHIME2002ASync"="e:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"PHIME2002A"="e:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"TkBellExe"="e:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-11 185872]
"AVG8_TRAY"="e:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-16 1261336]
"nwiz"="nwiz.exe" [2007-12-05 e:\windows\system32\nwiz.exe]
"CTHelper"="CTHELPER.EXE" [2006-08-17 e:\windows\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-17 e:\windows\system32\CTXFIHLP.EXE]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 e:\windows\KHALMNPR.Exe]

e:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - e:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-09-16 113664]
Logitech SetPoint.lnk - e:\program files\Logitech\SetPoint\SetPoint.exe [2008-09-06 805392]
Microsoft Office.lnk - e:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-16 65588]
SafeConnect.lnk - e:\program files\SafeConnect\scClient.exe [2007-11-13 271640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 01:42 72208 e:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= e:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Program Files\\AIM\\aim.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"e:\\Program Files\\uTorrent\\uTorrent.exe"=
"g:\\sysreset\\mirc.exe"=
"e:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"e:\\Program Files\\Messenger\\msmsgs.exe"=
"e:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"e:\\Program Files\\MSN Messenger\\livecall.exe"=
"e:\\Program Files\\realplay.exe"=
"e:\\Program Files\\Skype\\Phone\\Skype.exe"=
"e:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"e:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;e:\windows\system32\drivers\avgldx86.sys [2009-01-16 97928]
R4 avg8emc;AVG Free8 E-mail Scanner;e:\progra~1\AVG\AVG8\avgemc.exe [2009-01-16 875288]
R4 avg8wd;AVG Free8 WatchDog;e:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-16 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;e:\windows\system32\drivers\avgtdix.sys [2009-01-16 76040]
R4 SCManager;SafeConnect Manager;e:\program files\SafeConnect\scManager.sys servicestart --> e:\program files\SafeConnect\scManager.sys servicestart [?]
S3 Algitmysn;Algitmysn; [x]
S3 ICDUSB2;Sony IC Recorder (P);e:\windows\system32\drivers\ICDUSB2.sys [2008-11-02 39048]
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;e:\windows\system32\drivers\WPN111.sys [2008-12-12 362944]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-01-20 e:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-507921405-682003330-725345543-1003.job
- e:\documents and settings\Aqua\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-30 18:15]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Vidalia - e:\program files\Vidalia Bundle\Vidalia\vidalia.exe
HKLM-Run-WinampAgent - e:\program files\Winamp\winampa.exe


.
------- Supplementary Scan -------
.
FF - ProfilePath - e:\documents and settings\Aqua\Application Data\Mozilla\Firefox\Profiles\c7u8llno.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: e:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: e:\documents and settings\Aqua\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-20 15:21:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)
e:\program files\common files\logitech\bluetooth\LBTWlgn.dll
e:\program files\common files\logitech\bluetooth\LBTServ.dll
.
------------------------ Other Running Processes ------------------------
.
e:\program files\Java\jre6\bin\jqs.exe
e:\windows\system32\nvsvc32.exe
e:\program files\SafeConnect\scManager.sys
e:\progra~1\AVG\AVG8\avgrsx.exe
e:\windows\system32\rundll32.exe
e:\program files\Common Files\LogiShrd\KHAL2\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2009-01-20 15:24:23 - machine was rebooted [Aqua]
ComboFix-quarantined-files.txt 2009-01-20 23:24:21

Pre-Run: 40,485,072,896 bytes free
Post-Run: 40,610,381,824 bytes free

198 --- E O F --- 2009-01-14 04:31:48


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:32:32 PM, on 1/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\SafeConnect\scManager.sys
E:\WINDOWS\system32\svchost.exe
E:\PROGRA~1\AVG\AVG8\avgrsx.exe
E:\PROGRA~1\AVG\AVG8\avgemc.exe
E:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
E:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Java\jre6\bin\jusched.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\PROGRA~1\AVG\AVG8\avgtray.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Documents and Settings\Aqua\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
E:\Program Files\Logitech\SetPoint\SetPoint.exe
E:\Program Files\SafeConnect\scClient.exe
E:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
E:\WINDOWS\system32\notepad.exe
E:\WINDOWS\explorer.exe
E:\Program Files\Mozilla Firefox\firefox.exe
F:\Downloads\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "E:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "E:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] E:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Utopia Angel] "E:\utop\Angel.exe"
O4 - HKCU\..\Run: [Google Update] "E:\Documents and Settings\Aqua\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = E:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SafeConnect.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - E:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - E:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SafeConnect Manager (SCManager) - Unknown owner - E:\Program Files\SafeConnect\scManager.sys servicestart (file missing)

--
End of file - 6684 bytes
Barkin
Regular Member
 
Posts: 15
Joined: January 6th, 2009, 8:19 pm

Re: 1/06/09 HijackThis log

Unread postby Bio-Hazard » January 21st, 2009, 8:31 am

Hello!

Could you please clarify is this a your personal machine or University machine?

Thank you

Bio-Hazard
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: 1/06/09 HijackThis log

Unread postby Barkin » January 21st, 2009, 11:31 am

Personal. School machines wouldn't have 3 harddrives internally.
Barkin
Regular Member
 
Posts: 15
Joined: January 6th, 2009, 8:19 pm

Re: 1/06/09 HijackThis log

Unread postby Bio-Hazard » January 22nd, 2009, 6:32 pm

Hello!

Remove HijackThis entries

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

  • Close all open windows and browsers/email etc...
  • Click on the Fix Checked button
  • When completed close the application.


OTMoveIt3

Download OTMoveIt3 by Old Timer and save it to your Desktop.
  • Double-click OTMoveIt3.exe to run it.
  • Copy the lines in the codebox below.
Code: Select all
:reg
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"e:\\Program Files\\uTorrent\\uTorrent.exe"=-
:files
 e:\documents and settings\Aqua\Application Data\uTorrent
:commands
[EmptyTemp]

  • Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3

Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:
  • OTMoveIt Log
  • A fresh HijackThis Log ( after all the above has been done)
  • A description of how your computer is behaving
User avatar
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: 1/06/09 HijackThis log

Unread postby Barkin » January 24th, 2009, 4:31 pm

I'll post how my computer behaves after i reboot.

========== REGISTRY ==========
Registry key HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List not found.
========== FILES ==========
e:\documents and settings\Aqua\Application Data\uTorrent moved successfully.
========== COMMANDS ==========
File delete failed. E:\DOCUME~1\Aqua\LOCALS~1\Temp\etilqs_A4oTMITNhJ2fFUX0q3aR scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. E:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. E:\WINDOWS\temp\Perflib_Perfdata_764.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. E:\Documents and Settings\Aqua\Local Settings\Application Data\Mozilla\Firefox\Profiles\c7u8llno.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. E:\Documents and Settings\Aqua\Local Settings\Application Data\Mozilla\Firefox\Profiles\c7u8llno.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. E:\Documents and Settings\Aqua\Local Settings\Application Data\Mozilla\Firefox\Profiles\c7u8llno.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. E:\Documents and Settings\Aqua\Local Settings\Application Data\Mozilla\Firefox\Profiles\c7u8llno.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. E:\Documents and Settings\Aqua\Local Settings\Application Data\Mozilla\Firefox\Profiles\c7u8llno.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. E:\Documents and Settings\Aqua\Local Settings\Application Data\Mozilla\Firefox\Profiles\c7u8llno.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01242009_122927


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:45 PM, on 1/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\Program Files\SafeConnect\scManager.sys
E:\WINDOWS\system32\svchost.exe
E:\PROGRA~1\AVG\AVG8\avgrsx.exe
E:\PROGRA~1\AVG\AVG8\avgemc.exe
E:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
E:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Java\jre6\bin\jusched.exe
E:\PROGRA~1\AVG\AVG8\avgtray.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Documents and Settings\Aqua\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
E:\Program Files\Logitech\SetPoint\SetPoint.exe
E:\Program Files\SafeConnect\scClient.exe
E:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
E:\WINDOWS\explorer.exe
E:\Program Files\coolpro2\coolpro2.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Mozilla Firefox\firefox.exe
F:\Downloads\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - E:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "E:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LVCOMSX] "E:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] E:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] E:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] E:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\RunOnce: [OTMoveIt] E:\Documents and Settings\Aqua\Desktop\OTMoveIt3.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Utopia Angel] "E:\utop\Angel.exe"
O4 - HKCU\..\Run: [Google Update] "E:\Documents and Settings\Aqua\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = E:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SafeConnect.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - E:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - E:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - E:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - E:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SafeConnect Manager (SCManager) - Unknown owner - E:\Program Files\SafeConnect\scManager.sys servicestart (file missing)

--
End of file - 6639 bytes
Barkin
Regular Member
 
Posts: 15
Joined: January 6th, 2009, 8:19 pm
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 51 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware