Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

strange sound, virus?trojan? logfileHijackthis

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

strange sound, virus?trojan? logfileHijackthis

Unread postby Suffer » June 23rd, 2008, 6:26 am

Dear Malware expert,

Some days ago my computer was infected. I saw at once bout 300 mails that came back to me from the Mail Delivery Subsystem. All were from different addreses in Russia.
I use Mcafee Internet Security Suite. It detected nothing. In addition I tried some extra spyware removal programs and it seems that these were able to eliminate of the virus or Trojan. At least there are no messegaes again from the Mail Delivery Subsystem. But I don't know with which virus or trojan my computer was infected. The program Mbam did not give details but that there were 19 files infected. These were deleted. SUPERAntiSpyware noticed 610 cookes that were put in quarantine.

However now I hear a strange short (1-2 sec.) sound after completion the start-up session of my computer. Not the sound of a pig but a bit like when the water runs away quick in the drain. I fear that there is a virus inside my computer although I don't know for sure.

Perhaps someone can find malware reading the logfile.
Please read below the logfile of Hijackthis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:26:48, on 23/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Packard Bell Data Secure\PBDataSecure.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\WLAN Technology Corporation\802.11g_Utility\ZDWlan.exe
C:\Turbowin\X_UpdNedS.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\AddOn\AcrobatReader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {B4D1A8F4-E318-496A-9B4F-0FC492CEF33E} - C:\WINDOWS\system32\byvsr.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Packard Bell Data Secure] C:\Program Files\Packard Bell Data Secure\PBDataSecure.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: 802.11g USB 2.0 WLan Utility.lnk = C:\Program Files\WLAN Technology Corporation\802.11g_Utility\ZDWlan.exe
O4 - Startup: Turboveg for Windows - Auto Update.lnk = C:\Turbowin\UpdNedS.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/sho ... wflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: ua - {3E519A10-7A92-40DF-BA57-5DB09A0BFBFD} - Uade4Web.dll (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: yayywxw - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

--
End of file - 7953 bytes
Suffer
Regular Member
 
Posts: 18
Joined: June 23rd, 2008, 5:50 am

Re: strange sound, virus?trojan? logfileHijackthis

Unread postby Blade81 » June 25th, 2008, 4:18 am

Hi

Can't say what's causing the sound but there's something bad in the log that needs to be removed.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says
    The J2SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the
    Download
    button to the right.
  • Select Windows on platform combobox and check the box that says:
    Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.


1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log & a fresh hjt log n your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here
User avatar
Blade81
Admin/Teacher
Admin/Teacher
 
Posts: 5207
Joined: July 17th, 2006, 3:36 am
Location: Finland

Re: strange sound, virus?trojan? logfileHijackthis

Unread postby Suffer » June 25th, 2008, 7:32 am

Hi Teacher,

Thanks for giving me a helping hand.
I did what you asked although I still hear the same sound.

Here are the 2 reports first Hijack and then ComboFix (I replaced my real name in the log with Suffer)
Hope you will find out what kind of spies and viruses are active or dormant on inside the machine.
At least the CombiFix logfile says that it is infected. Some notifications are in Dutch. If you do not understand them I will translate them. Please tell me.

Cheers,

Here you go:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:17, on 2008-06-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Packard Bell Data Secure\PBDataSecure.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WLAN Technology Corporation\802.11g_Utility\ZDWlan.exe
C:\Turbowin\X_UpdNedS.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\AddOn\AcrobatReader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {B4D1A8F4-E318-496A-9B4F-0FC492CEF33E} - C:\WINDOWS\system32\byvsr.dll (file missing)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Packard Bell Data Secure] C:\Program Files\Packard Bell Data Secure\PBDataSecure.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: 802.11g USB 2.0 WLan Utility.lnk = C:\Program Files\WLAN Technology Corporation\802.11g_Utility\ZDWlan.exe
O4 - Startup: Turboveg for Windows - Auto Update.lnk = C:\Turbowin\UpdNedS.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/sho ... wflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: ua - {3E519A10-7A92-40DF-BA57-5DB09A0BFBFD} - Uade4Web.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: yayywxw - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

--
End of file - 8090 bytes


ComboFix 08-06-20.4 - Suffer 2008-06-25 12:26:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.31.1043.18.147 [GMT 2:00]
Gestart vanuit: C:\Documents and Settings\Suffer\Bureaublad\ComboFix.exe
* Nieuw herstelpunt werd aangemaakt
* Resident AV is active


WAARSCHUWING - DE RECOVERY CONSOLE IS NIET OP DIT SYSTEEM GEINSTALLEERD !!
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM435b09d9.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\gpphpslg.ini
C:\WINDOWS\system32\rsvyb.ini
C:\WINDOWS\system32\rsvyb.ini2

.
(((((((((((((((((((( Bestanden Gemaakt van 2008-05-25 to 2008-06-25 ))))))))))))))))))))))))))))))
.

2008-06-25 12:16 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-25 12:13 . 2008-06-25 12:13 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-23 11:26 . 2008-06-23 11:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-22 15:57 . 2008-06-22 15:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-22 15:56 . 2008-06-22 15:56 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-22 15:56 . 2008-06-22 15:56 <DIR> d-------- C:\Documents and Settings\Suffer\Application Data\SUPERAntiSpyware.com
2008-06-22 15:54 . 2008-06-22 15:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-20 13:16 . 2008-06-20 13:22 2,698 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-19 15:32 . 2008-06-20 12:34 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-19 15:32 . 2008-06-19 15:32 <DIR> d-------- C:\Documents and Settings\Suffer\Application Data\Malwarebytes
2008-06-19 15:32 . 2008-06-19 15:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-19 15:32 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-19 15:32 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-17 12:00 . 2008-06-25 12:09 <DIR> d-------- C:\Documents and Settings\Suffer\Application Data\skypePM
2008-06-17 12:00 . 2008-06-17 12:00 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-06-17 11:57 . 2008-06-23 13:17 <DIR> d-------- C:\Documents and Settings\Suffer\Application Data\Skype
2008-06-17 11:53 . 2008-06-17 11:53 <DIR> d-------- C:\Program Files\Skype
2008-06-17 11:53 . 2008-06-17 11:53 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-06-17 11:52 . 2008-06-17 11:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-06-11 14:11 . 2008-06-14 20:00 272,640 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 14:11 . 2008-06-14 20:00 272,640 --------- C:\WINDOWS\system32\dllcache\bthport.sys

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-25 10:41 --------- d-----w C:\Program Files\Packard Bell Data Secure
2008-06-25 10:18 --------- d-----w C:\Documents and Settings\Suffer\Application Data\MegauploadToolbar
2008-06-25 10:16 --------- d-----w C:\Program Files\Java
2008-06-23 16:34 --------- d-----w C:\Program Files\McAfee
2008-06-02 08:48 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-30 15:27 --------- d-----w C:\Program Files\SiteAdvisor
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-27 17:43 --------- d-----w C:\Documents and Settings\Suffer\Application Data\SiteAdvisor
2007-10-03 19:25 1,074 ----a-w C:\Documents and Settings\Suffer\Application Data\wklnhst.dat
2007-09-14 09:28 0 ----a-w C:\Documents and Settings\Suffer2\Application Data\wklnhst.dat
2007-03-30 08:13 19,994,184 ----a-w C:\Program Files\QuickTimeInstaller.exe
2007-03-21 08:53 813,888 ----a-w C:\Program Files\megauploadtoolbarsetup.exe
2007-03-20 12:17 14,994,152 ----a-w C:\Program Files\GoogleEarthWin_EARV.exe
.
C:\WINDOWS\system32\user32.dll ... is infected !! (additional data below)


((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

.
Inhoud van de 'Gedeelde Taken' map
.
**************************************************************************
scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...


**************************************************************************
.

Pre-Run: 8,668,540,928 bytes beschikbaar
Suffer
Regular Member
 
Posts: 18
Joined: June 23rd, 2008, 5:50 am

Re: strange sound, virus?trojan? logfileHijackthis

Unread postby Blade81 » June 25th, 2008, 1:14 pm

Hi

You have to install Windows Recovery Console. Follow the instructions here. Post ComboFix log after that operation.
User avatar
Blade81
Admin/Teacher
Admin/Teacher
 
Posts: 5207
Joined: July 17th, 2006, 3:36 am
Location: Finland

Re: strange sound, virus?trojan? logfileHijackthis

Unread postby Suffer » June 26th, 2008, 3:40 am

Dear Teacher,

Thank you for the advice.

Hope you can detect something...

Cheers,

Suffer

And here comes the new ComboFix logfile:

ComboFix 08-06-20.4 - Suffer 2008-06-26 9:14:41.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.31.1043.18.131 [GMT 2:00]
Gestart vanuit: C:\Documents and Settings\Suffer \Bureaublad\ComboFix.exe
Command switches used :: C:\Documents and Settings\Suffer\Bureaublad\WindowsXP-KB310994-SP2-Home-BootDisk-NLD.exe
* Nieuw herstelpunt werd aangemaakt
* Resident AV is active

.

(((((((((((((((((((( Bestanden Gemaakt van 2008-05-26 to 2008-06-26 ))))))))))))))))))))))))))))))
.

2008-06-25 12:16 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-25 12:13 . 2008-06-25 12:13 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-23 11:26 . 2008-06-23 11:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-22 15:57 . 2008-06-22 15:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-22 15:56 . 2008-06-22 15:56 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-22 15:56 . 2008-06-22 15:56 <DIR> d-------- C:\Documents and Settings\Suffer\Application Data\SUPERAntiSpyware.com
2008-06-22 15:54 . 2008-06-22 15:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-20 13:16 . 2008-06-20 13:22 2,698 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-19 15:32 . 2008-06-20 12:34 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-19 15:32 . 2008-06-19 15:32 <DIR> d-------- C:\Documents and Settings\Suffer\Application Data\Malwarebytes
2008-06-19 15:32 . 2008-06-19 15:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-19 15:32 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-19 15:32 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-17 12:00 . 2008-06-26 08:39 <DIR> d-------- C:\Documents and Settings\Suffer\Application Data\skypePM
2008-06-17 12:00 . 2008-06-17 12:00 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-06-17 11:57 . 2008-06-23 13:17 <DIR> d-------- C:\Documents and Settings\Suffer\Application Data\Skype
2008-06-17 11:53 . 2008-06-17 11:53 <DIR> d-------- C:\Program Files\Skype
2008-06-17 11:53 . 2008-06-17 11:53 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-06-17 11:52 . 2008-06-17 11:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-06-11 14:11 . 2008-06-14 20:00 272,640 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 14:11 . 2008-06-14 20:00 272,640 --------- C:\WINDOWS\system32\dllcache\bthport.sys

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-26 07:03 --------- d-----w C:\Documents and Settings\Suffer\Application Data\MegauploadToolbar
2008-06-26 06:37 --------- d-----w C:\Program Files\Packard Bell Data Secure
2008-06-25 10:16 --------- d-----w C:\Program Files\Java
2008-06-23 16:34 --------- d-----w C:\Program Files\McAfee
2008-06-02 08:48 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-30 15:27 --------- d-----w C:\Program Files\SiteAdvisor
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:16 1,291,776 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:16 1,291,776 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-27 17:43 --------- d-----w C:\Documents and Settings\Suffer\Application Data\SiteAdvisor
2008-04-23 20:22 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:42 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:42 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-10-03 19:25 1,074 ----a-w C:\Documents and Settings\Suffer\Application Data\wklnhst.dat
2007-09-14 09:28 0 ----a-w C:\Documents and Settings\Suffer2\Application Data\wklnhst.dat
2007-03-30 08:13 19,994,184 ----a-w C:\Program Files\QuickTimeInstaller.exe
2007-03-21 08:53 813,888 ----a-w C:\Program Files\megauploadtoolbarsetup.exe
2007-03-20 12:17 14,994,152 ----a-w C:\Program Files\GoogleEarthWin_EARV.exe
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4D1A8F4-E318-496A-9B4F-0FC492CEF33E}]
C:\WINDOWS\system32\byvsr.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"Packard Bell Data Secure"="C:\Program Files\Packard Bell Data Secure\PBDataSecure.exe" [2006-06-20 15:15 2361856]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-06-03 15:08 21718312]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-07-02 04:02 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-07-02 03:58 118784]
"SoundMan"="SOUNDMAN.EXE" [2004-08-30 13:48 69632 C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-21 07:00 88363 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-07-24 06:49 102400]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-07-24 06:49 684032]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-12 09:52 1838592]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 23:57 36640]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 05:42 1164576]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]

C:\Documents and Settings\Suffer\Menu Start\Programma's\Opstarten\
802.11g USB 2.0 WLan Utility.lnk - C:\Program Files\WLAN Technology Corporation\802.11g_Utility\ZDWlan.exe [2004-12-02 14:07:56 442368]
Turboveg for Windows - Auto Update.lnk - C:\Turbowin\UpdNedS.exe [2007-10-06 23:10:16 178405]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Eudora5\EuShlExt.dll [2006-08-17 15:57 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayywxw]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 PRISM_A00;PRISM 802.11 Driver;C:\WINDOWS\system32\DRIVERS\PRISMA00.sys [2004-07-20 21:16]
S3 TNET1130;TNET1130 WLAN Adapter;C:\WINDOWS\system32\DRIVERS\tnet1130.sys [2004-02-19 05:58]
S3 ZD1211U(WLAN);WLAN ZD1211 IEEE 802.11b+g Wireless LAN Driver (USB)(WLAN);C:\WINDOWS\system32\DRIVERS\zd1211u.sys [2004-11-30 02:53]

.
Inhoud van de 'Gedeelde Taken' map
"2008-06-19 16:57:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-14 10:36:11 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-06-19 09:51:48 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-06-26 06:37:33 C:\WINDOWS\Tasks\Packard Bell Data Secure for Suffer.job"
- C:\APPS\DataSecure\PBBackup.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-26 09:20:35
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
.
Voltooingstijd: 2008-06-26 9:28:47
ComboFix-quarantined-files.txt 2008-06-26 07:27:40

Pre-Run: 7,862,059,008 bytes beschikbaar
Post-Run: 7,905,255,424 bytes beschikbaar

WindowsXP-KB310994-SP2-Home-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

149 --- E O F --- 2008-06-20 14:14:49
Suffer
Regular Member
 
Posts: 18
Joined: June 23rd, 2008, 5:50 am

Re: strange sound, virus?trojan? logfileHijackthis

Unread postby Blade81 » June 26th, 2008, 5:35 am

Hi Suffer


Start hjt, do a system scan, check:
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

Close browsers and other windows. Click fix checked.

Open notepad and copy/paste the text in the quotebox below into it:

Code: Select all
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B4D1A8F4-E318-496A-9B4F-0FC492CEF33E}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayywxw]



Save this as
CFScript


Image

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings and select the following:
[INDENT]Scan using the following Anti-Virus database: [/INDENT]
  • Extended (If available, otherwise Standard)
[INDENT]Scan Options:[/INDENT]
  • Scan Archives
  • Scan Mail Bases
  • Click OK.
  • Under
    select a target to scan
    , select My Computer.
  • The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity.
Once the scan is complete:
  • Click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information into your next post if the AV content will fit into one post only. Post a fresh hjt log (without forgetting above meantioned ComboFix resultant log) too.


Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

If having a problme doing the above

Make sure that your Internet security settings are set to default values.

To set default security settings for Internet Explorer:

* Open Internet Explorer.
* Go to the Tools menu, then choose Internet Options.
* Click on the Security tab.
* Make sure that all four item (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.
User avatar
Blade81
Admin/Teacher
Admin/Teacher
 
Posts: 5207
Joined: July 17th, 2006, 3:36 am
Location: Finland

Re: strange sound, virus?trojan? logfileHijackthis

Unread postby Suffer » June 26th, 2008, 10:38 am

Dear teacher,

Please find the both txtfiles you asked for:

ComboFix 08-06-20.4 - Suffer 2008-06-26 11:53:58.3 - NTFSx86
Gestart vanuit: C:\Documents and Settings\Suffer\Bureaublad\ComboFix.exe
Command switches used :: C:\Documents and Settings\Suffer\Bureaublad\CFScript.txt
* Nieuw herstelpunt werd aangemaakt
* Resident AV is active

.

(((((((((((((((((((( Bestanden Gemaakt van 2008-05-26 to 2008-06-26 ))))))))))))))))))))))))))))))
.

2008-06-25 12:16 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-25 12:13 . 2008-06-25 12:13 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-23 11:26 . 2008-06-23 11:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-22 15:57 . 2008-06-22 15:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-22 15:56 . 2008-06-22 15:56 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-22 15:56 . 2008-06-22 15:56 <DIR> d-------- C:\Documents and Settings\Suffer\Application Data\SUPERAntiSpyware.com
2008-06-22 15:54 . 2008-06-22 15:54 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-20 13:16 . 2008-06-20 13:22 2,698 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-19 15:32 . 2008-06-20 12:34 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-19 15:32 . 2008-06-19 15:32 <DIR> d-------- C:\Documents and Settings\Suffer\Application Data\Malwarebytes
2008-06-19 15:32 . 2008-06-19 15:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-19 15:32 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-19 15:32 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-17 12:00 . 2008-06-26 08:39 <DIR> d-------- C:\Documents and Settings\Suffer\Application Data\skypePM
2008-06-17 12:00 . 2008-06-17 12:00 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-06-17 11:57 . 2008-06-23 13:17 <DIR> d-------- C:\Documents and Settings\Suffer\Application Data\Skype
2008-06-17 11:53 . 2008-06-17 11:53 <DIR> d-------- C:\Program Files\Skype
2008-06-17 11:53 . 2008-06-17 11:53 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-06-17 11:52 . 2008-06-17 11:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-06-11 14:11 . 2008-06-14 20:00 272,640 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 14:11 . 2008-06-14 20:00 272,640 --------- C:\WINDOWS\system32\dllcache\bthport.sys

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-26 09:47 --------- d-----w C:\Documents and Settings\Suffer\Application Data\MegauploadToolbar
2008-06-26 07:58 --------- d-----w C:\Program Files\Packard Bell Data Secure
2008-06-25 10:16 --------- d-----w C:\Program Files\Java
2008-06-23 16:34 --------- d-----w C:\Program Files\McAfee
2008-06-02 08:48 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-30 15:27 --------- d-----w C:\Program Files\SiteAdvisor
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:16 1,291,776 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:16 1,291,776 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2008-04-27 17:43 --------- d-----w C:\Documents and Settings\Suffer\Application Data\SiteAdvisor
2008-04-23 20:22 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-04-22 07:42 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-04-22 07:42 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-20 05:07 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-10-03 19:25 1,074 ----a-w C:\Documents and Settings\Suffer\Application Data\wklnhst.dat
2007-09-14 09:28 0 ----a-w C:\Documents and Settings\Suffer\Application Data\wklnhst.dat
2007-03-30 08:13 19,994,184 ----a-w C:\Program Files\QuickTimeInstaller.exe
2007-03-21 08:53 813,888 ----a-w C:\Program Files\megauploadtoolbarsetup.exe
2007-03-20 12:17 14,994,152 ----a-w C:\Program Files\GoogleEarthWin_EARV.exe
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 14:00 15360]
"Packard Bell Data Secure"="C:\Program Files\Packard Bell Data Secure\PBDataSecure.exe" [2006-06-20 15:15 2361856]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-06-03 15:08 21718312]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-07-02 04:02 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-07-02 03:58 118784]
"SoundMan"="SOUNDMAN.EXE" [2004-08-30 13:48 69632 C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004-02-21 07:00 88363 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-07-24 06:49 102400]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-07-24 06:49 684032]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-12 09:52 1838592]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-08-24 23:57 36640]
"McENUI"="C:\PROGRA~1\McAfee\MHN\McENUI.exe" [2007-11-30 05:42 1164576]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]

C:\Documents and Settings\Suffer\Menu Start\Programma's\Opstarten\
802.11g USB 2.0 WLan Utility.lnk - C:\Program Files\WLAN Technology Corporation\802.11g_Utility\ZDWlan.exe [2004-12-02 14:07:56 442368]
Turboveg for Windows - Auto Update.lnk - C:\Turbowin\UpdNedS.exe [2007-10-06 23:10:16 178405]

C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Eudora5\EuShlExt.dll [2006-08-17 15:57 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayywxw]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 PRISM_A00;PRISM 802.11 Driver;C:\WINDOWS\system32\DRIVERS\PRISMA00.sys [2004-07-20 21:16]
S3 TNET1130;TNET1130 WLAN Adapter;C:\WINDOWS\system32\DRIVERS\tnet1130.sys [2004-02-19 05:58]
S3 ZD1211U(WLAN);WLAN ZD1211 IEEE 802.11b+g Wireless LAN Driver (USB)(WLAN);C:\WINDOWS\system32\DRIVERS\zd1211u.sys [2004-11-30 02:53]

.
Inhoud van de 'Gedeelde Taken' map
"2008-06-19 16:57:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-14 10:36:11 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-06-19 09:51:48 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2008-06-26 06:37:33 C:\WINDOWS\Tasks\Packard Bell Data Secure for Jan Jansen.job"
- C:\APPS\DataSecure\PBBackup.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-26 11:59:22
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
.
Voltooingstijd: 2008-06-26 12:07:07
ComboFix-quarantined-files.txt 2008-06-26 10:06:22
ComboFix2.txt 2008-06-26 07:28:49

Pre-Run: 9,253,445,632 bytes beschikbaar
Post-Run: 9,261,277,184 bytes beschikbaar

140 --- E O F --- 2008-06-20 14:14:49
--------------------------------------------------------
And here is the Kaspersky file:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, June 26, 2008 4:10:08 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/06/2008
Kaspersky Anti-Virus database records: 884786
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 78331
Number of viruses found: 5
Number of infected objects: 29
Number of suspicious objects: 52
Duration of the scan process: 03:12:53

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\EasyNet\MHNData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{3015FF65-41AE-455A-85CF-F8BFC78FAABB}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{48A41BEA-D0F3-4481-A87B-54D9B0A2B34B}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\settingsdb.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Suffer\Application Data\Skype\Suffer\call256.dbb Object is locked skipped
C:\Documents and Settings\Suffer\Application Data\Skype\Suffer\callmember256.dbb Object is locked skipped
C:\Documents and Settings\Suffer\Application Data\Skype\Suffer\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\Suffer\Application Data\Skype\Suffer\dyncontent\bundle.dat Object is locked skipped
C:\Documents and Settings\Suffer\Application Data\Skype\Suffer\index2.dat Object is locked skipped
C:\Documents and Settings\Suffer\Application Data\Skype\Suffer\profile256.dbb Object is locked skipped
C:\Documents and Settings\Suffer\Application Data\Skype\Suffer\user1024.dbb Object is locked skipped
C:\Documents and Settings\Suffer\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-6-26-2008( 8-38-27 ).LOG Object is locked skipped
C:\Documents and Settings\Suffer\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Google\Google Desktop Search\dbc2e.ht1 Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Google\Google Desktop Search\dbdam Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Google\Google Desktop Search\dbdao Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Google\Google Desktop Search\dbeam Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Google\Google Desktop Search\dbeao Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Google\Google Desktop Search\dbm Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Google\Google Desktop Search\dbu2d.ht1 Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Google\Google Desktop Search\dbvm.cf1 Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Google\Google Desktop Search\dbvmh.ht1 Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Google\Google Desktop Search\fii.cf1 Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Google\Google Desktop Search\fiih.ht1 Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Google\Google Desktop Search\fim1i.cf1 Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Google\Google Desktop Search\fim1ih.ht1 Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Google\Google Desktop Search\fim2i.cf1 Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Google\Google Desktop Search\fim2ih.ht1 Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Google\Google Desktop Search\hp Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Google\Google Desktop Search\hpt2i.ht1 Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Google\Google Desktop Search\rpm.cf1 Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Google\Google Desktop Search\rpm1n.cf1 Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Google\Google Desktop Search\rpm1n1m.cf1 Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Google\Google Desktop Search\rpm1n1mh.ht1 Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Google\Google Desktop Search\rpm1nh.ht1 Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Google\Google Desktop Search\rpmh.ht1 Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Google\Google Desktop Search\safeweb\goog-black-enchashm.cf1 Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Google\Google Desktop Search\safeweb\goog-black-enchashmh.ht1 Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Google\Google Desktop Search\safeweb\goog-black-urlm.cf1 Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Google\Google Desktop Search\safeweb\goog-black-urlmh.ht1 Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Google\Google Desktop Search\safeweb\goog-malware-domainm.cf1 Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Google\Google Desktop Search\safeweb\goog-malware-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Google\Google Desktop Search\safeweb\goog-white-domainm.cf1 Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Google\Google Desktop Search\safeweb\goog-white-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Persoonlijke mappen/Postvak IN/08 Jul 2001 10:06 to undisclosed-recipients::AMO 31 mei 2001.eml/SYSMON.EXE Infected: Email-Worm.Win32.Magistr.a skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Persoonlijke mappen/Postvak IN/08 Jul 2001 10:06 to undisclosed-recipients::AMO 31 mei 2001.eml Infected: Email-Worm.Win32.Magistr.a skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Persoonlijke mappen/Postvak IN/03 Apr 2004 07:22 from MAILER-DAEMON@ms06.t-net.net.ve :failure n.eml/[From sufsufs@sci.kun.nl ][Date Sat, 3 Apr 2004 08:22:19 +0100]/UNNAMED/message27264.zip/msg.eml .scr Infected: Email-Worm.Win32.NetSky.r skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Persoonlijke mappen/Postvak IN/03 Apr 2004 07:22 from MAILER-DAEMON@ms06.t-net.net.ve :failure n.eml/[From sufsufs@sci.kun.nl ][Date Sat, 3 Apr 2004 08:22:19 +0100]/UNNAMED/message27264.zip Infected: Email-Worm.Win32.NetSky.r skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Persoonlijke mappen/Postvak IN/03 Apr 2004 07:22 from MAILER-DAEMON@ms06.t-net.net.ve :failure n.eml/[From sufsuf@sci.kun.nl ][Date Sat, 3 Apr 2004 08:22:19 +0100]/UNNAMED Infected: Email-Worm.Win32.NetSky.r skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Persoonlijke mappen/Postvak IN/03 Apr 2004 07:22 from MAILER-DAEMON@ms06.t-net.net.ve :failure n.eml Infected: Email-Worm.Win32.NetSky.r skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Persoonlijke mappen/Postvak IN/22 Apr 2004 19:31 from MAILER-DAEMON@travinfo.net :failure notice.eml/[From suf.suffen@sci.kun.nl ][Date Thu, 22 Apr 2004 11:31:21 -0600]/UNNAMED/game.zip/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Persoonlijke mappen/Postvak IN/22 Apr 2004 19:31 from MAILER-DAEMON@travinfo.net :failure notice.eml/[From suf.suffen@sci.kun.nl ][Date Thu, 22 Apr 2004 11:31:21 -0600]/UNNAMED/game.zip Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Persoonlijke mappen/Postvak IN/22 Apr 2004 19:31 from MAILER-DAEMON@travinfo.net :failure notice.eml/[From suf.suffen@sci.kun.nl ][Date Thu, 22 Apr 2004 11:31:21 -0600]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Persoonlijke mappen/Postvak IN/22 Apr 2004 19:31 from MAILER-DAEMON@travinfo.net :failure notice.eml Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Persoonlijke mappen/Postvak IN/12 Sep 2007 01:29 from PayPal:PayPal. Account Review Department.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Persoonlijke mappen/Postvak IN/06 Nov 2006 00:44 from PayPal:Account Compromised : Billing Info.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Persoonlijke mappen/Postvak IN/06 Nov 2006 05:42 from PayPal:Account Compromised : Billing Info.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Persoonlijke mappen/Postvak IN/16 Feb 2007 04:21 to suf.suffen@sci.kun.nl :PayPal Security Measu.html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Microsoft\Outlook\outlook.pst MailMSMaill: infected - 10, suspicious - 4 skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Geschiedenis\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Temp\sqlite_3cKrGUj6r5cm8GS Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Temp\sqlite_8SozPaLKjhpnWVs Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Temp\~DF1D27.tmp Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Temp\~DF597C.tmp Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Temp\~DFE83C.tmp Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Suffer\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Suffer\Mijn documenten\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Jan Jansen\Mijn documenten\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Suffer\Mijn documenten\SmitfraudFix.exe RAR: infected - 1 skipped
C:\Documents and Settings\Suffer\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Suffer\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Geschiedenis\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Eudora5\Mail\In.mbx/[From Floris Vanderhaeghe <Floris.Vanderhaeghe@rug.ac.be>][Date Sun, 24 Jun 2001 23:33:59 +0200 (MEST)]/UNNAMED/[From "floris vanderhaeghe" <Floris.Vanderhaeghe@rug.ac.be>][Date Mon, 25 Jun 2001 17:09:15 +0200]/text/[From "Carlos Gomes"<cpgomes@uevora.pt>][Date Sat, 7 Jul 2001 04:58:55 +0100]/UNNAMED/SYSMON.EXE Infected: Email-Worm.Win32.Magistr.a skipped
C:\Program Files\Eudora5\Mail\In.mbx/[From Floris Vanderhaeghe <Floris.Vanderhaeghe@rug.ac.be>][Date Sun, 24 Jun 2001 23:33:59 +0200 (MEST)]/UNNAMED/[From "floris vanderhaeghe" <Floris.Vanderhaeghe@rug.ac.be>][Date Mon, 25 Jun 2001 17:09:15 +0200]/text/[From "Carlos Gomes"<cpgomes@uevora.pt>][Date Sat, 7 Jul 2001 04:58:55 +0100]/UNNAMED Infected: Email-Worm.Win32.Magistr.a skipped
C:\Program Files\Eudora5\Mail\In.mbx/[From Floris Vanderhaeghe <Floris.Vanderhaeghe@rug.ac.be>][Date Sun, 24 Jun 2001 23:33:59 +0200 (MEST)]/UNNAMED/[From "floris vanderhaeghe" <Floris.Vanderhaeghe@rug.ac.be>][Date Mon, 25 Jun 2001 17:09:15 +0200]/text Infected: Email-Worm.Win32.Magistr.a skipped
C:\Program Files\Eudora5\Mail\In.mbx/[From Floris Vanderhaeghe <Floris.Vanderhaeghe@rug.ac.be>][Date Sun, 24 Jun 2001 23:33:59 +0200 (MEST)]/UNNAMED Infected: Email-Worm.Win32.Magistr.a skipped
C:\Program Files\Eudora5\Mail\In.mbx/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From "PayPal"<update@paypal.com>][Date Sun, 5 Nov 2006 16:21:52 -0500]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From Halifax Online Banking <securityservices@halifax.co.uk>][Date Mon, 24 Sep 2007 13:26:25 +0200 (MEST)]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From Lloyds Tsb Online Security <securityservices@lloydstsb.co.uk>][Date 25 Sep 2007 12:36:45 -0000]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx MailBerkeleymboxx: infected - 4, suspicious - 4 skipped
C:\Program Files\Eudora5\Mail\In.mbx.001/[From Floris Vanderhaeghe <Floris.Vanderhaeghe@rug.ac.be>][Date Sun, 24 Jun 2001 23:33:59 +0200 (MEST)]/UNNAMED/[From "floris vanderhaeghe" <Floris.Vanderhaeghe@rug.ac.be>][Date Mon, 25 Jun 2001 17:09:15 +0200]/text/[From "Carlos Gomes"<cpgomes@uevora.pt>][Date Sat, 7 Jul 2001 04:58:55 +0100]/UNNAMED/SYSMON.EXE Infected: Email-Worm.Win32.Magistr.a skipped
C:\Program Files\Eudora5\Mail\In.mbx.001/[From Floris Vanderhaeghe <Floris.Vanderhaeghe@rug.ac.be>][Date Sun, 24 Jun 2001 23:33:59 +0200 (MEST)]/UNNAMED/[From "floris vanderhaeghe" <Floris.Vanderhaeghe@rug.ac.be>][Date Mon, 25 Jun 2001 17:09:15 +0200]/text/[From "Carlos Gomes"<cpgomes@uevora.pt>][Date Sat, 7 Jul 2001 04:58:55 +0100]/UNNAMED Infected: Email-Worm.Win32.Magistr.a skipped
C:\Program Files\Eudora5\Mail\In.mbx.001/[From Floris Vanderhaeghe <Floris.Vanderhaeghe@rug.ac.be>][Date Sun, 24 Jun 2001 23:33:59 +0200 (MEST)]/UNNAMED/[From "floris vanderhaeghe" <Floris.Vanderhaeghe@rug.ac.be>][Date Mon, 25 Jun 2001 17:09:15 +0200]/text Infected: Email-Worm.Win32.Magistr.a skipped
C:\Program Files\Eudora5\Mail\In.mbx.001/[From Floris Vanderhaeghe <Floris.Vanderhaeghe@rug.ac.be>][Date Sun, 24 Jun 2001 23:33:59 +0200 (MEST)]/UNNAMED Infected: Email-Worm.Win32.Magistr.a skipped
C:\Program Files\Eudora5\Mail\In.mbx.001/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From "PayPal"<update@paypal.com>][Date Sun, 5 Nov 2006 16:21:52 -0500]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.001/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From "eBay" <csteam.refo1369186vo.nf@ebay.com>][Date Mon, 23 Jul 2007 16:08:21 +0200 (MEST)]/UNNAMED/[From "eBay" <csteam.refo1369186vo.nf@ebay.com>]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.001/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From "eBay" <csteam.refo1369186vo.nf@ebay.com>][Date Mon, 23 Jul 2007 16:08:21 +0200 (MEST)]/UNNAMED/[From "eBay" <csteam.refo1369186vo.nf@ebay.com>]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.001/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From "eBay" <csteam.refo1369186vo.nf@ebay.com>][Date Mon, 23 Jul 2007 16:08:21 +0200 (MEST)]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.001/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From "eBay" <customersupportteam.refd49814502710.nf@ebay.com>][Date Mon, 23 Jul 2007 16:19:48 +0200 (MEST)]/UNNAMED/[From "eBay" <customersupportteam.refd49814502710.nf@ebay.com>]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.001/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From "eBay" <customersupportteam.refd49814502710.nf@ebay.com>][Date Mon, 23 Jul 2007 16:19:48 +0200 (MEST)]/UNNAMED/[From "eBay" <customersupportteam.refd49814502710.nf@ebay.com>]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.001/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From "eBay" <customersupportteam.refd49814502710.nf@ebay.com>][Date Mon, 23 Jul 2007 16:19:48 +0200 (MEST)]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.001/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From Lloyds TSB Bank plc <customer.relations@lloydstsb.com>][Date Tue, 24 Jul 2007 04:28:46 +0200 (CEST)]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.001/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From Lloyds TSB Bank plc <customer.relations@lloydstsb.com>][Date Wed, 25 Jul 2007 14:59:55 +0200]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.001/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From LloydsTSB <customer.service@lloydstsb.com>][Date Thu, 26 Jul 2007 13:13:43 -0400]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.001/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From "eBay" <csteam.ref23197452922373.nf@ebay.com>][Date Fri, 27 Jul 2007 01:43:03 +0200 (MEST)]/UNNAMED/[From "eBay" <csteam.ref23197452922373.nf@ebay.com>]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.001/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From "eBay" <csteam.ref23197452922373.nf@ebay.com>][Date Fri, 27 Jul 2007 01:43:03 +0200 (MEST)]/UNNAMED/[From "eBay" <csteam.ref23197452922373.nf@ebay.com>]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.001/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From "eBay" <csteam.ref23197452922373.nf@ebay.com>][Date Fri, 27 Jul 2007 01:43:03 +0200 (MEST)]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.001/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From "Paypal"<service@paypal.com>][Date Fri, 27 Jul 2007 01:06:12 -0500]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.001/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From "eBay" <customersupportteam.refsj29871776z.nf@ebay.com>][Date Mon, 30 Jul 2007 17:51:10 +0200 (MEST)]/UNNAMED/[From "eBay" <customersupportteam.refsj29871776z.nf@ebay.com>]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.001/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From "eBay" <customersupportteam.refsj29871776z.nf@ebay.com>][Date Mon, 30 Jul 2007 17:51:10 +0200 (MEST)]/UNNAMED/[From "eBay" <customersupportteam.refsj29871776z.nf@ebay.com>]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.001/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From "eBay" <customersupportteam.refsj29871776z.nf@ebay.com>][Date Mon, 30 Jul 2007 17:51:10 +0200 (MEST)]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.001/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From "eBay" <customersupport.refnh3229174.nf@ebay.com>][Date Wed, 8 Aug 2007 02:46:46 +0200 (MEST)]/UNNAMED/[From "eBay" <customersupport.refnh3229174.nf@ebay.com>]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.001/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From "eBay" <customersupport.refnh3229174.nf@ebay.com>][Date Wed, 8 Aug 2007 02:46:46 +0200 (MEST)]/UNNAMED/[From "eBay" <customersupport.refnh3229174.nf@ebay.com>]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.001/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From "eBay" <customersupport.refnh3229174.nf@ebay.com>][Date Wed, 8 Aug 2007 02:46:46 +0200 (MEST)]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.001/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From "PayPal Inc"<service@ws.com>][Date Tue, 4 Sep 2007 06:22:18 -1000]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.001/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From "PayPal" <support@paypal.com>][Date Tue, 12 Sep 2006 19:39:53 -0300]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.001/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.001 MailBerkeleymboxx: infected - 4, suspicious - 23 skipped
C:\Program Files\Eudora5\Mail\In.mbx.002/[From Floris Vanderhaeghe <Floris.Vanderhaeghe@rug.ac.be>][Date Sun, 24 Jun 2001 23:33:59 +0200 (MEST)]/UNNAMED/[From "floris vanderhaeghe" <Floris.Vanderhaeghe@rug.ac.be>][Date Mon, 25 Jun 2001 17:09:15 +0200]/text/[From "Carlos Gomes"<cpgomes@uevora.pt>][Date Sat, 7 Jul 2001 04:58:55 +0100]/UNNAMED/SYSMON.EXE Infected: Email-Worm.Win32.Magistr.a skipped
C:\Program Files\Eudora5\Mail\In.mbx.002/[From Floris Vanderhaeghe <Floris.Vanderhaeghe@rug.ac.be>][Date Sun, 24 Jun 2001 23:33:59 +0200 (MEST)]/UNNAMED/[From "floris vanderhaeghe" <Floris.Vanderhaeghe@rug.ac.be>][Date Mon, 25 Jun 2001 17:09:15 +0200]/text/[From "Carlos Gomes"<cpgomes@uevora.pt>][Date Sat, 7 Jul 2001 04:58:55 +0100]/UNNAMED Infected: Email-Worm.Win32.Magistr.a skipped
C:\Program Files\Eudora5\Mail\In.mbx.002/[From Floris Vanderhaeghe <Floris.Vanderhaeghe@rug.ac.be>][Date Sun, 24 Jun 2001 23:33:59 +0200 (MEST)]/UNNAMED/[From "floris vanderhaeghe" <Floris.Vanderhaeghe@rug.ac.be>][Date Mon, 25 Jun 2001 17:09:15 +0200]/text Infected: Email-Worm.Win32.Magistr.a skipped
C:\Program Files\Eudora5\Mail\In.mbx.002/[From Floris Vanderhaeghe <Floris.Vanderhaeghe@rug.ac.be>][Date Sun, 24 Jun 2001 23:33:59 +0200 (MEST)]/UNNAMED Infected: Email-Worm.Win32.Magistr.a skipped
C:\Program Files\Eudora5\Mail\In.mbx.002/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From "PayPal"<update@paypal.com>][Date Sun, 5 Nov 2006 16:21:52 -0500]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.002/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From "eBay" <csteam.refo1369186vo.nf@ebay.com>][Date Mon, 23 Jul 2007 16:08:21 +0200 (MEST)]/UNNAMED/[From "eBay" <csteam.refo1369186vo.nf@ebay.com>]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.002/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From "eBay" <csteam.refo1369186vo.nf@ebay.com>][Date Mon, 23 Jul 2007 16:08:21 +0200 (MEST)]/UNNAMED/[From "eBay" <csteam.refo1369186vo.nf@ebay.com>]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.002/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From "eBay" <csteam.refo1369186vo.nf@ebay.com>][Date Mon, 23 Jul 2007 16:08:21 +0200 (MEST)]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.002/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From "eBay" <customersupportteam.refd49814502710.nf@ebay.com>][Date Mon, 23 Jul 2007 16:19:48 +0200 (MEST)]/UNNAMED/[From "eBay" <customersupportteam.refd49814502710.nf@ebay.com>]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.002/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From "eBay" <customersupportteam.refd49814502710.nf@ebay.com>][Date Mon, 23 Jul 2007 16:19:48 +0200 (MEST)]/UNNAMED/[From "eBay" <customersupportteam.refd49814502710.nf@ebay.com>]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.002/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From "eBay" <customersupportteam.refd49814502710.nf@ebay.com>][Date Mon, 23 Jul 2007 16:19:48 +0200 (MEST)]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.002/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From Lloyds TSB Bank plc <customer.relations@lloydstsb.com>][Date Tue, 24 Jul 2007 04:28:46 +0200 (CEST)]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.002/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From Lloyds TSB Bank plc <customer.relations@lloydstsb.com>][Date Wed, 25 Jul 2007 14:59:55 +0200]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.002/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From LloydsTSB <customer.service@lloydstsb.com>][Date Thu, 26 Jul 2007 13:13:43 -0400]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.002/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From "eBay" <csteam.ref23197452922373.nf@ebay.com>][Date Fri, 27 Jul 2007 01:43:03 +0200 (MEST)]/UNNAMED/[From "eBay" <csteam.ref23197452922373.nf@ebay.com>]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.002/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From "eBay" <csteam.ref23197452922373.nf@ebay.com>][Date Fri, 27 Jul 2007 01:43:03 +0200 (MEST)]/UNNAMED/[From "eBay" <csteam.ref23197452922373.nf@ebay.com>]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.002/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From "eBay" <csteam.ref23197452922373.nf@ebay.com>][Date Fri, 27 Jul 2007 01:43:03 +0200 (MEST)]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.002/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From "Paypal"<service@paypal.com>][Date Fri, 27 Jul 2007 01:06:12 -0500]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.002/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From "eBay" <customersupportteam.refsj29871776z.nf@ebay.com>][Date Mon, 30 Jul 2007 17:51:10 +0200 (MEST)]/UNNAMED/[From "eBay" <customersupportteam.refsj29871776z.nf@ebay.com>]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.002/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From "eBay" <customersupportteam.refsj29871776z.nf@ebay.com>][Date Mon, 30 Jul 2007 17:51:10 +0200 (MEST)]/UNNAMED/[From "eBay" <customersupportteam.refsj29871776z.nf@ebay.com>]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.002/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From "eBay" <customersupportteam.refsj29871776z.nf@ebay.com>][Date Mon, 30 Jul 2007 17:51:10 +0200 (MEST)]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.002/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From "eBay" <customersupport.refnh3229174.nf@ebay.com>][Date Wed, 8 Aug 2007 02:46:46 +0200 (MEST)]/UNNAMED/[From "eBay" <customersupport.refnh3229174.nf@ebay.com>]/UNNAMED/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.002/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From "eBay" <customersupport.refnh3229174.nf@ebay.com>][Date Wed, 8 Aug 2007 02:46:46 +0200 (MEST)]/UNNAMED/[From "eBay" <customersupport.refnh3229174.nf@ebay.com>]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.002/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED/[From "eBay" <customersupport.refnh3229174.nf@ebay.com>][Date Wed, 8 Aug 2007 02:46:46 +0200 (MEST)]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.002/[From "Frans van Erve" <fransvanerve@tele2.nl>][Date Thu, 8 Dec 2005 01:26:59 +0100]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Program Files\Eudora5\Mail\In.mbx.002 MailBerkeleymboxx: infected - 4, suspicious - 21 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{BA101CE7-9C9C-489B-830F-00C92A3D33D1}\RP554\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcmsc_DktD7afmFPAaD9S Object is locked skipped
C:\WINDOWS\Temp\mcmsc_jJseS18EGdWmxj7 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_Nfe8XQeXyfj3B2E Object is locked skipped
C:\WINDOWS\Temp\mcmsc_qC5uhK2l8ChjAof Object is locked skipped
C:\WINDOWS\Temp\mcmsc_TxPrYwOaj2WisdA Object is locked skipped
C:\WINDOWS\Temp\sqlite_1X0H7Gd1VwqT5Iu Object is locked skipped
C:\WINDOWS\Temp\sqlite_lFVMUVC7sa44rre Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

----------------------------------

All the best,

Suffer
Suffer
Regular Member
 
Posts: 18
Joined: June 23rd, 2008, 5:50 am

Re: strange sound, virus?trojan? logfileHijackthis

Unread postby Blade81 » June 26th, 2008, 1:13 pm

Hi

Remove those email messages found by Kaspersky.

Then we need to do following part in safe mode cos most likely McAfee is preventing entry removal.

Reboot into safe mode.

Start hjt, do a system scan, check (if found):
O20 - Winlogon Notify: yayywxw - C:\WINDOWS\

Close browsers and fix checked.

Reboot back into normal mode and post a fresh hjt log, please. How's the system running?
User avatar
Blade81
Admin/Teacher
Admin/Teacher
 
Posts: 5207
Joined: July 17th, 2006, 3:36 am
Location: Finland

Re: strange sound, virus?trojan? logfileHijackthis

Unread postby Suffer » June 27th, 2008, 1:01 am

Hi Blade 81,

I have the e-mails found by Kaspersky, 2 x deleted from the mailbox and the trash bin. The Eudora was my old mail program, now I use Outlook because we had a new server.
Then I rebooted in safe mode and did a hjt but the file "O20 - Winlogon Notify: yayywxw - C:\WINDOWS\" was not found in the report.
Afterwards I tried to reboot in normal mode but each time I got into BIOS and then after a while trying Windows started up. Now I do not know whether it started in normal mode or not.
In the meanwhile the sound is still there.
The system is very slow (as it was already before).

Thanks so far.

Within a couple of hours I will be away and expect to be back late Sunday afternoon. Perhaps you can manage to respond within a few hours? Or else I would only be able to answer from late Sunday afternoon (Dutch time).

Excellent weekend and here is the hjtlog:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:42:16, on 27/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Packard Bell Data Secure\PBDataSecure.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WLAN Technology Corporation\802.11g_Utility\ZDWlan.exe
C:\Turbowin\X_UpdNedS.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\AddOn\AcrobatReader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Packard Bell Data Secure] C:\Program Files\Packard Bell Data Secure\PBDataSecure.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: 802.11g USB 2.0 WLan Utility.lnk = C:\Program Files\WLAN Technology Corporation\802.11g_Utility\ZDWlan.exe
O4 - Startup: Turboveg for Windows - Auto Update.lnk = C:\Turbowin\UpdNedS.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en ... nicode.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/sho ... wflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: ua - {3E519A10-7A92-40DF-BA57-5DB09A0BFBFD} - Uade4Web.dll (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe

--
End of file - 8096 bytes
Suffer
Regular Member
 
Posts: 18
Joined: June 23rd, 2008, 5:50 am

Re: strange sound, virus?trojan? logfileHijackthis

Unread postby Blade81 » June 27th, 2008, 4:26 am

Hi

Since you seem to have SuperAntiSpyware (SAS) installed please run it by following instructions below:

* Start SAS.
* If it asks whether or not you want to Update the program definitions, click Yes.
* Under Configuration and Preferences, click the Preferences button.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantining.
  • Please leave the others unchecked.
  • Click the Close button to leave the control center screen.
* On the main screen, under Scan for Harmful Software click Scan your computer.
* On the left check C:\Fixed Drive.
* On the right, under Complete Scan, choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK.
* Make sure everything in the white box has a check next to it, then click Next.
* It will quarantine what it found and if it asks if you want to reboot, click Yes.
* To retrieve the removal information please do the following:
  • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
  • Click Preferences. Click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • It will open in your default text editor (such as Notepad/Wordpad).
  • Save the notepad file to your desktop by clicking (in notepad) "File" "Save As"
* Save the log somewhere you can easily find it. (normally the desktop)
* Click close and close again to exit the program.
* Please add the log as an attachment in your post.

For slowness I recommend to try defragging hard drive(s) and see if it helps. That noise you hear might be an issue with hardware..
User avatar
Blade81
Admin/Teacher
Admin/Teacher
 
Posts: 5207
Joined: July 17th, 2006, 3:36 am
Location: Finland

Re: strange sound, virus?trojan? logfileHijackthis

Unread postby Suffer » June 27th, 2008, 7:05 am

Hi Blade 81,

Thanks for coming back to me so quickly.


Sorry but I receive the message that the extension log is not allowed by the forum
It is the following SAS logfile "SUPERAntiSpyware Scan Log - 06-27-2008 - 12-27-31"
I tried to rename it several times such as Log.txt and some more but each time I failed to post.
Shall I paste it in the message itself?

By the way since the current fell out during holiday on Crete 4 weeks ago, I have also a problem that when I start the computer I get a blue screen and it says that the NTFS is checked on consistency. Then I have 10 seconds to click it away. The blue screen comes up every time before windows starts. If I do not click within 10 seconds windows never starts. Has this something to do with McCafee protection or is it pure hardware? Sorry perhaps I had to note this earlier.

Probably a very stupid question but what would be the way to defragment?



Cheers
Suffer
Regular Member
 
Posts: 18
Joined: June 23rd, 2008, 5:50 am

Re: strange sound, virus?trojan? logfileHijackthis

Unread postby Blade81 » June 27th, 2008, 12:12 pm

Sorry but I receive the message that the extension log is not allowed by the forum
It is the following SAS logfile "SUPERAntiSpyware Scan Log - 06-27-2008 - 12-27-31"
I tried to rename it several times such as Log.txt and some more but each time I failed to post.
Shall I paste it in the message itself?

Hi

Yes, paste the log as text in the message.


By the way since the current fell out during holiday on Crete 4 weeks ago, I have also a problem that when I start the computer I get a blue screen and it says that the NTFS is checked on consistency. Then I have 10 seconds to click it away. The blue screen comes up every time before windows starts. If I do not click within 10 seconds windows never starts. Has this something to do with McCafee protection or is it pure hardware? Sorry perhaps I had to note this earlier.

Probably a very stupid question but what would be the way to defragment?

Defragmentation tool may help with that problem. I recommend running free JkDefrag. It does good work and is easy to use. Just download JkDefrag-3.34.zip to your desktop, extract to suitable folder (for example c:\jkdefrag) and run JkDefrag.exe file. It will check all hard drives through without any special command. :)
User avatar
Blade81
Admin/Teacher
Admin/Teacher
 
Posts: 5207
Joined: July 17th, 2006, 3:36 am
Location: Finland

Re: strange sound, virus?trojan? logfileHijackthis

Unread postby Suffer » June 29th, 2008, 1:04 pm

Hi Blade 81,

Here is the logfile. I have changed my name into Suffer:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/27/2008 at 12:27 PM

Application Version : 4.15.1000

Core Rules Database Version : 3487
Trace Rules Database Version: 1478

Scan type : Complete Scan
Total Scan Time : 01:31:46

Memory items scanned : 414
Memory threats detected : 0
Registry items scanned : 5505
Registry threats detected : 0
File items scanned : 79919
File threats detected : 21

Adware.Tracking Cookie
C:\Documents and Settings\Suffer\Cookies\Suffer@ad.yieldmanager[3].txt
C:\Documents and Settings\Suffer\Cookies\Suffer@revsci[3].txt
C:\Documents and Settings\Suffer\Cookies\Suffer@weborama[1].txt
C:\Documents and Settings\Suffer\Cookies\Suffer@doubleclick[2].txt
C:\Documents and Settings\Suffer\Cookies\Suffer@serving-sys[3].txt
C:\Documents and Settings\Suffer\Cookies\Suffer@bs.serving-sys[3].txt
C:\Documents and Settings\Suffer\Cookies\Suffer@bluemango.solution.weborama[2].txt
C:\Documents and Settings\Suffer\Cookies\Suffer@statcounter[3].txt
C:\Documents and Settings\Suffer\Cookies\Suffer@ads.adbrite[2].txt
C:\Documents and Settings\Suffer\Cookies\Suffer@adbrite[2].txt
C:\Documents and Settings\Suffer\Cookies\Suffer@ad.yieldmanager[2].txt
C:\Documents and Settings\Suffer\Cookies\Suffer@adbrite[1].txt
C:\Documents and Settings\Suffer\Cookies\Suffer@apmebf[1].txt
C:\Documents and Settings\Suffer\Cookies\Suffer@atdmt[1].txt
C:\Documents and Settings\Suffer\Cookies\Suffer@bs.serving-sys[2].txt
C:\Documents and Settings\Suffer\Cookies\Suffer@doubleclick[1].txt
C:\Documents and Settings\Suffer\Cookies\Suffer@fastclick[1].txt
C:\Documents and Settings\Suffer\Cookies\Suffer@revsci[2].txt
C:\Documents and Settings\Suffer\Cookies\Suffer@serving-sys[2].txt
C:\Documents and Settings\Suffer\Cookies\Suffer@statcounter[2].txt
C:\Documents and Settings\Suffer\Cookies\Suffer@yadro[1].txt
------------------------------------------------------------------------
I just arrived home and immediately posted the logfile.
Later tonight I will follow your advice with repsect to defragmentation and will inform you about the results in my next post when I respond to your next reponse.

Thanks for everything so far,
Cheers :)
Suffer
Regular Member
 
Posts: 18
Joined: June 23rd, 2008, 5:50 am

Re: strange sound, virus?trojan? logfileHijackthis

Unread postby Blade81 » June 29th, 2008, 1:26 pm

Good. SAS found only cookies. :) Let me know did defragging have any positive impact to performance when ready.
User avatar
Blade81
Admin/Teacher
Admin/Teacher
 
Posts: 5207
Joined: July 17th, 2006, 3:36 am
Location: Finland

Re: strange sound, virus?trojan? logfileHijackthis

Unread postby Suffer » June 30th, 2008, 2:48 am

Defragging did not seem to have any effect on the performance of the computer. :( Do you need the report of the defragmentation process?

And what to do with the cookies found?

Cheers
Suffer
Regular Member
 
Posts: 18
Joined: June 23rd, 2008, 5:50 am

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 38 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware