It didn't help, I STILL GOT A BACKDOOR, STUPID DOWNLOADERS AND AN ANNOYING CLICKER!
I've scanned with Kaspersky Online, did a Malwarebytes deep scan and made a new HijackThis log. According to Malwarebytes even HP printer files are infected with downloaders. Should I uninstall all printer drivers and utilities? Maybe I could use TuneUp Shredder and shred all of it into pieces. You are the boss, I won't do anything without your permission.
Here are the logs, MAKE HASTE!!
Wednesday, February 27, 2008 10:17:58 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/02/2008
Kaspersky Anti-Virus database records: 583466
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
Scan Statistics
Total number of scanned objects 81178
Number of viruses found 12
Number of infected objects 44
Number of suspicious objects 0
Duration of the scan process 01:11:47
Infected Object Name Virus Name Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Veronika\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini.inuse Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.cdx Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.dbf Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\History\History.IE5\MSHist012008022720080228\index.dat Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Temp\om27.tmp Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Temp\~DFB35C.tmp Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Veronika\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Veronika\ntuser.dat Object is locked skipped
C:\Documents and Settings\Veronika\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Eset\infected\5JSWNFCA.NQF Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\Program Files\Eset\infected\KRKKMJAA.NQF Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\Program Files\Eset\infected\PE1FADCA.NQF Infected: Trojan-Downloader.Win32.Agent.dzm skipped
C:\Program Files\Eset\infected\YGFYOKAA.NQF Infected: Trojan-Clicker.Win32.VB.ael skipped
C:\Program Files\Eset\infected\YZ1RF5DA.NQF Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\Program Files\Eset\logs\virlog.dat Object is locked skipped
C:\Program Files\Eset\logs\warnlog.dat Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\Config\csrss.exe.vir Infected: Backdoor.Win32.Agobot.aqs skipped
C:\QooBox\Quarantine\C\WINDOWS\Help\SETUP.EXE.vir Infected: Backdoor.Win32.VB.cds skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\andt.sys.vir Infected: Trojan-Downloader.Win32.Delf.evt skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tmp0_377718344486.bk.vir Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tmp0_887540299780.bk.vir Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tmp1_238729110624.bk.vir Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tmp1_732898353811.bk.vir Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tmp2_391779322402.bk.vir Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tmp2_538623607110.bk.vir Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tmp3_12624285292.bk.vir Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tmp3_206889346973.bk.vir Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tmp4_147694747792.bk.vir Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\Winlogon.bak.bak.vir Infected: Trojan.Win32.Patched.bm skipped
C:\QooBox\Quarantine\D\Downloads\Limewire PRO 4.17.0.zip.vir/Limewire PRO 4.17.0.EXE/data0000.cab/14XR6~1.EXE Infected: Backdoor.Win32.Agobot.aqs skipped
C:\QooBox\Quarantine\D\Downloads\Limewire PRO 4.17.0.zip.vir/Limewire PRO 4.17.0.EXE/data0000.cab Infected: Backdoor.Win32.Agobot.aqs skipped
C:\QooBox\Quarantine\D\Downloads\Limewire PRO 4.17.0.zip.vir/Limewire PRO 4.17.0.EXE Infected: Backdoor.Win32.Agobot.aqs skipped
C:\QooBox\Quarantine\D\Downloads\Limewire PRO 4.17.0.zip.vir ZIP: infected - 3 skipped
C:\QooBox\Quarantine\D\Program Files\Kazaa\kazaa.exe.vir/TopSearch.dll Infected: not-a-virus:AdWare.Win32.Altnet.d skipped
C:\QooBox\Quarantine\D\Program Files\Kazaa\kazaa.exe.vir CAB: infected - 1 skipped
C:\QooBox\Quarantine\D\Program Files\Kazaa\kazaa.exe.vir Execryptor: infected - 1 skipped
C:\QooBox\Quarantine\D\Sime stalker\Limewire PRO 4.17.0\Limewire PRO 4.17.0.EXE.vir/data0000.cab/14XR6~1.EXE Infected: Backdoor.Win32.Agobot.aqs skipped
C:\QooBox\Quarantine\D\Sime stalker\Limewire PRO 4.17.0\Limewire PRO 4.17.0.EXE.vir/data0000.cab Infected: Backdoor.Win32.Agobot.aqs skipped
C:\QooBox\Quarantine\D\Sime stalker\Limewire PRO 4.17.0\Limewire PRO 4.17.0.EXE.vir Rsrc-Package: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP17\A0006013.sys Infected: not-a-virus:AdWare.Win32.VB.bh skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP17\A0006016.exe Infected: not-a-virus:AdTool.Win32.WhenU.t skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP17\A0006018.dll Infected: not-a-virus:AdTool.Win32.WhenU.r skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP17\A0006019.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP17\A0006041.dll Infected: not-a-virus:AdWare.Win32.OneStep.a skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP17\A0006042.exe Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP24\A0007174.sys Infected: Trojan-Downloader.Win32.Delf.evt skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP25\A0007629.exe Infected: Backdoor.Win32.Agobot.aqs skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP25\A0007630.EXE Infected: Backdoor.Win32.VB.cds skipped
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP25\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\VERONIKA-36JOG3.ldb Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\vaxscsi.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\NUP3F4F.tmp Object is locked skipped
C:\WINDOWS\TEMP\ZLT00c79.TMP Object is locked skipped
C:\WINDOWS\TEMP\ZLT01f04.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2008-02-27.08-00-17.log Object is locked skipped
D:\RECYCLER\S-1-5-21-1993962763-776561741-839522115-500\De22.doc Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP17\A0005975.dll Infected: not-a-virus:AdWare.Win32.Altnet.d skipped
D:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP25\A0007619.exe/TopSearch.dll Infected: not-a-virus:AdWare.Win32.Altnet.d skipped
D:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP25\A0007619.exe CAB: infected - 1 skipped
D:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP25\A0007619.exe Execryptor: infected - 1 skipped
D:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP25\A0007638.EXE/data0000.cab/14XR6~1.EXE Infected: Backdoor.Win32.Agobot.aqs skipped
D:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP25\A0007638.EXE/data0000.cab Infected: Backdoor.Win32.Agobot.aqs skipped
D:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP25\A0007638.EXE Rsrc-Package: infected - 2 skipped
Scan process completed.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:24:38, on 27.2.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
d:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Fast.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_custo ... TbId=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Amazing%20Adventures%20The%20Lost%20Tomb/Images/stg_drm.ocx
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Scrabble/Images/armhelper.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{F095ED02-C1BB-4548-A5A3-ABEF8A029A77}: NameServer = 192.168.1.1
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - d:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - Unknown owner - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 8143 bytes
Malwarebytes' Anti-Malware 1.05
Database version: 414
Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 106517
Time elapsed: 26 minute(s), 33 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\Program Files\HP\Digital Imaging\bin\hpqmif08.dll (Trojan.Downloader) -> No action taken.
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{4c53f186-5376-913e-6bb7-1002d734c888} (Trojan.Downloader) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{085de4b8-c8fe-4017-86df-103fe31c39ab} (Trojan.Downloader) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{42693d23-6964-45f4-ad8e-1077ce972d8d} (Trojan.Downloader) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{6d04ab11-637e-4a88-8a1b-84bc5a0d193e} (Trojan.Downloader) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{6d04ab11-637e-4a88-8a1b-84bc5a0d193e} (Trojan.Downloader) -> No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Program Files\HP\Digital Imaging\bin\hpqmif08.dll (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP17\A0006041.dll (Adware.OneStepSearch) -> No action taken.
C:\System Volume Information\_restore{CFEE2263-3668-4B34-A622-ACB960E9A3AE}\RP17\A0006042.exe (Adware.OneStepSearch) -> No action taken.
p.s. Autoplay works! Thanks, man!
p.s. Is this ZoneAlarm protecting me from the backdoor master or does it already have holes when I'm using IE or Mozilla? I have two suspicious programs on ZoneAlarm's list that wanted to access the internet:
1. Generic Host Process for Win32 Service (file name C:/windows/system32/svchost.exe, file size 14KB)
2. Run a DLL as an App (file name C:/windows/system32/rundll32.exe, file size 32KB)
Also, I blocked three attempts yesterday notifying me that someone wants to get access to my computer. I saw his IP address but it's dynamic so it isn't worth shit.
MAKE HASTE!! Please
Just for a test I've updated A2 and did a deep scan with it, and look what that FAMOUS $30 anti-malware tool found (I'm using the free version but it has the same scanner as the commercial one):
a-squared Free - Version 3.1
Last update: 27.2.2008 11:35:38
Scan settings:
Objects: Memory, Traces, Cookies, C:\, D:\
Scan archives: On
Heuristics: On
ADS Scan: On
Scan start: 27.2.2008 11:36:37
Key: HKEY_USERS\S-1-5-21-1220945662-1229272821-725345543-1003\software\kazaa detected: Trace.Registry.KaZaA
Value: HKEY_USERS\S-1-5-21-1220945662-1229272821-725345543-1003\Software\BST\bsplayerv1 --> AppPath detected: Trace.Registry.BSplayer
Value: HKEY_USERS\S-1-5-21-1220945662-1229272821-725345543-1003\Software\BST\bsplayerv1 --> AppVer detected: Trace.Registry.BSplayer
Scanned
Files: 53004
Traces: 378253
Cookies: 23
Processes: 36
Found
Files: 0
Traces: 3
Cookies: 0
Processes: 0
Registry keys: 0
Scan end: 27.2.2008 12:03:08
Scan time: 0:26:31
This A2 should be put in the Hall of Shame! It's completely useless!