keylogger?


Post by unbri » August 24th, 2006, 10:56 pm

I had a keylogger on my computer recently and I used my AVG antivirus and Spy Sweeper to get rid of the file, but I still can't use regedit and cmd prompt. I fixed the task manager and it works fine now, but I want to know what I need to do to fix it. I ran HijackThis and here is my logfile... can anyone tell me if there is anything suspicious in the file? Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 10:56:13 PM, on 8/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\utorrent\utorrent.exe
C:\WINDOWS\Integrator.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Unbrix\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\scvhost.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: CDLPObj Object - {BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA} - C:\WINDOWS\DLP.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\utorrent\utorrent.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
O4 - Startup: Hare.lnk = C:\Program Files\Dachshund Software\Hare\Hare.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1910EF38-D2DB-4288-960E-265148A163F1}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1910EF38-D2DB-4288-960E-265148A163F1}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{1910EF38-D2DB-4288-960E-265148A163F1}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Post by Bob4 » August 25th, 2006, 7:03 am

_________________________________
Welcome to the Malware removal forums. I will be more than happy to help you work on your problems.
The fixes we will use are specific to your problems and should only be used for this issue on this machine.
Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear. So let's do this to the end!
Please if you decide to seek help at another forum let us know. There is a shortage of helpers and tying 2 of us up is a waste of time.
If you have any questions about any advice given here please STOP and ask!


C:\WINDOWS\system32\scvhost.exe

I still see signs of a backdoor trojan here. And if you had a keylogger and removed it, I suggest you read the following.
It looks like you have been infected by a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and download and execute files.
It's very possible that anything could have been installed on your computer by the remote attacker, including opening other backdoors and installing rootkits. While we can attempt to clean what we see in your logs, we can't guarantee that your computer will be completely in the clear since we have no way of knowing what has been done to the computer. Your computer could be completely compromised at this moment. It may be prudent to back up your information, reformat, and reinstall.
More information on Remote Access Trojans can be found here.
I suggest you do the following immediately:
  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
  • Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

If, however, you decide that the computer is not used for any sensitive work, or if you do not wish to reformat at this time, I can help you clean your computer to the best of my abilities.
Should you have any questions, please feel free to ask.
Please let me know what you decide to do in your next post.
Should you decide to clean this machine, start by doing the following.

You are running HJT directly from the desktop.
Create a folder called HJT either in C: or My Documents and place the hijackthis.exe in there.
This will ensure we have backups made and it doesn't get deleted.



________________________________
Please disable SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean.
To disable SpySweeper:
Open it, click >Options over to the left, then >program options, and uncheck "load at windows startup".
Over to the left click "shields" and uncheck all there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".


______________________________
HJT
Run hijackthis and choose scan only and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\scvhost.exe
O2 - BHO: CDLPObj Object - {BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA} - C:\WINDOWS\DLP.dll
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab




___________________________________
Search for and remove
Now I want you to search for and delete the following folder and all its contents if present. If you need help finding them, click Start / Search / All files and folders / look for More advanced options; once in there, select the first 3 boxes.
Please just remove the files/folders I listed in BOLD


C:\WINDOWS\system32\scvhost.exe
DO NOT CONFUSE THIS FILE WITH SVCHOST.EXE WHICH IS LEGITIMATE!




ATF Cleaner
Please download ATF Cleaner by Atribune©
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
You may opt out of cleaning cookies. If you clean them, all you will have to do is retype names and passwords for places you visit on the net one time. If you haven't cleaned them out in a while I would clean them all.
Click the Empty Selected button.




Ewido

Download Ewido 4.0
Install ewido
You will need to update ewido to the latest definition files.
On the top of the main screen click update
Click on Start
The update will start and a progress bar will show the updates being installed. After the updates are installed,
exit ewido.

If you have trouble updating go to
http://www.ewido.net/en/download/updates/
and download the full signature data base.
Close ewido and click on the file you just downloaded from them
Do Not Use It Yet.

________________________________________
Safe mode:
Please reboot to safe mode:
After the very first black screen, start tapping the F8 key until prompted with a list; choose Safe Mode.




_________________________________________
Ewido Part 2
Ewido
Close all open windows/programs/folders. Have nothing else open while ewido performs its scan!
Click on scanner
Click on Settings
Under How to act
Choose quarantine

Under Reports check automatically create report after every scan.
Now back to the scan tab and click on Complete system scan

Let the program scan the machine.
When finished click apply all actions.

Post the report in your next reply.
Exit ewido.

Reboot Normally and post a new HJT log and the results from Ewido.
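The entries Bob4 singles out (the F2/F3 lines loading scvhost.exe, and his warning not to confuse it with the legitimate svchost.exe) can be checked mechanically. The Python script below is an added example for this thread, not HijackThis code and not anything Bob4 posted: it walks HJT-style entries and flags a system.ini Shell= value that launches anything besides Explorer.exe, non-empty win.ini load=/run= hooks, Trusted Zone additions, ActiveX (DPF) downloads from hosts outside an allowlist, and file names one edit or transposition away from a Windows system binary. The system-name list and the DPF host allowlist are the editor's assumptions; the sample entries are constructed from the log above.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: the entries Bob4 told unbri to fix, plus two benign
# lines from the same log so the rules have something to pass.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\scvhost.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Windows binaries whose names malware imitates (editor's list, an assumption).
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "explorer.exe", "services.exe"}

# Hosts an ActiveX (O16 DPF) download is acceptable from on this machine
# (assumption: only the Dell support control seen in the log).
TRUSTED_DPF_HOSTS = {"support.dell.com"}

# A drive-letter path ending in .exe, quoted or not.
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+\.exe', re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HJT section code such as "F2" or "O15"
    reason: str
    line: str


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus
    adjacent transposition, so 'scvhost' is 1 away from 'svchost'."""
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(basename: str):
    """Return the system binary this file name imitates (one edit or one
    transposition away), or None if the name is exact or unrelated."""
    name = basename.lower()
    if name in SYSTEM_NAMES:
        return None
    for legit in sorted(SYSTEM_NAMES):
        if osa_distance(name, legit) == 1:
            return legit
    return None


def triage(log_text: str) -> list:
    """Apply the rules to each HJT entry and return the findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        if section == "F2" and "Shell=" in line:
            # system.ini Shell= should be exactly Explorer.exe; anything appended
            # is started alongside the desktop at every logon.
            shell = line.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append(Finding(section, "Shell= launches a program besides Explorer.exe", line))
        elif section == "F3":
            # win.ini load= and run= are legacy autostart hooks; normally empty.
            m = re.search(r"(load|run)=(.*)$", line)
            if m and m.group(2).strip():
                findings.append(Finding(section, f"win.ini {m.group(1)}= is non-empty", line))
        elif section == "O15":
            findings.append(Finding(section, "site added to the IE Trusted Zone", line))
        elif section == "O16":
            host = urlparse(line.rsplit(" - ", 1)[1]).hostname or ""
            if host not in TRUSTED_DPF_HOSTS:
                findings.append(Finding(section, f"ActiveX download from untrusted host {host}", line))
        # Any section: a file name that imitates a Windows system binary.
        for path in PATH_RE.findall(line):
            base = path.rsplit("\\", 1)[-1]
            legit = lookalike_of(base)
            if legit:
                findings.append(Finding(section, f"{base} imitates {legit}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample, the three scvhost.exe lines are each reported twice (once for the autostart hook, once for the name imitating svchost.exe), while the AVG, ctfmon and Dell entries pass.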

Post by unbri » August 25th, 2006, 10:30 am

Thanks a lot, I will do this right now... I just want to clarify that I'm not sure if I had a keylogger on my computer, being that I've never had one before... I told a buddy of mine that my task manager, cmd prompt, and regedit were disabled and he said it might be a keylogger... could you please let me know if you think that would be a keylogger or just a backdoor trojan? Also, once I do all this, will my cmd prompt and regedit be enabled again, or will I have to do it manually? Because I don't know how I'd manually change them. Thanks for your help and sorry for all the questions.

Post by unbri » August 25th, 2006, 12:29 pm

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:24:31 PM 8/25/2006

+ Scan result:



HKU\S-1-5-21-839522115-1078081533-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{590FFB84-6A29-4797-9C0E-B15DF2C4CDCB} -> Adware.TrustCleaner : Cleaned with backup (quarantined).
HKU\S-1-5-21-839522115-1078081533-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA} -> Adware.WebDir : Cleaned with backup (quarantined).
C:\Program Files\Trend Micro\Internet Security 12\VSS5O9J7.12L -> Dropper.Delf.yb : Cleaned with backup (quarantined).
C:\Program Files\DIGStream\digstream.exe -> Not-A-Virus.Downloader.Win32.DigStream : Ignored.
C:\Program Files\Common Files\Microsoft Shared\Speech\divxupd.exe -> Proxy.Small : Cleaned with backup (quarantined).
:mozilla.118:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.144:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.177:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.178:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.179:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.180:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Unbrix\Cookies\unbrix@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.48:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.49:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.17:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.19:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.20:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.21:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.22:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.23:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Unbrix\Cookies\unbrix@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.188:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Unbrix\Cookies\unbrix@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.82:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned.
:mozilla.84:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.85:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.174:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.83:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Unbrix\Cookies\unbrix@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.129:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Unbrix\Cookies\unbrix@ehg-sonycomputer.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.33:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.Masterstats : Cleaned.
:mozilla.149:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.190:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.90:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.42:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.Starware : Cleaned.
:mozilla.43:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.Starware : Cleaned.
:mozilla.44:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.Starware : Cleaned.
:mozilla.45:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.Starware : Cleaned.
:mozilla.91:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.92:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.93:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.86:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.87:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.18:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.146:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.38:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.39:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.40:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.41:C:\Documents and Settings\Unbrix\Application Data\Mozilla\Firefox\Profiles\syi5scha.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
HKLM\SOFTWARE\Classes\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C} -> Trojan.Ciadoor.m : Cleaned with backup (quarantined).
HKU\S-1-5-21-839522115-1078081533-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E14DCE67-8FB7-4721-8149-179BAA4D792C} -> Trojan.Ciadoor.m : Cleaned with backup (quarantined).
C:\Program Files\Trend Micro\Internet Security 12\VSS5O9J7.12M -> Trojan.Delf.DM : Cleaned with backup (quarantined).


::Report end

Post by Bob4 » August 25th, 2006, 3:10 pm

http://www.liutilities.com/products/win ... y/scvhost/

This is a remote access Trojan (RAT).

Description:
scvhost.exe is a process which is registered as W32/Agobot-S virus. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This is about as bad as it gets. You should follow the directions listed above to secure your bank accounts passwords and all online information.

I will need to see another Hijack this log please.

Post by unbri » August 25th, 2006, 10:23 pm

OK, well I think HijackThis and ewido got rid of everything, but I'm really pissed I got that trojan... it's probably because I tried to download a speed patch for my torrent program and I later found out it was a trojan that installed other trojans... luckily I don't have my bank account information on my computer anywhere... but do you think I should still change my passwords?

Post by unbri » August 25th, 2006, 10:26 pm

Oops, here's my other log... also I forgot to tell you I really appreciate all you've helped me out with thus far... I've stopped taking stuff to computer repair places because they rip you off, and most stuff I can usually get off by manually editing the registry... only problem is regedit and cmd prompt are disabled... if I ask my parents I'll try to donate you some money for helping me.

Post by Bob4 » August 26th, 2006, 7:26 am

Believe me when I say HJT and ewido are good. But they are not the end-all.

Well, in order for me to help you I really need that HJT log please. ;)

Post by unbri » August 26th, 2006, 5:03 pm

Logfile of HijackThis v1.99.1
Scan saved at 5:02:47 PM, on 8/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\utorrent\utorrent.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\Integrator.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\vso\ConvertXtoDVD\ConvertXtoDvd.exe
C:\Program Files\Adobe\Adobe Photoshop CS2\Photoshop.exe
C:\DOCUME~1\Unbrix\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\Unbrix\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Unbrix\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\utorrent\utorrent.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
O4 - Startup: Hare.lnk = C:\Program Files\Dachshund Software\Hare\Hare.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1910EF38-D2DB-4288-960E-265148A163F1}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1910EF38-D2DB-4288-960E-265148A163F1}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{1910EF38-D2DB-4288-960E-265148A163F1}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
There's my log; I forgot to post it last time.
unbri
Regular Member
Posts: 25
Joined: August 24th, 2006, 10:54 pm

Unread postby Bob4 » August 26th, 2006, 7:10 pm

Ok that's looking pretty good. A few more things and 1 more scan to be sure nothing is hiding from us. ;)
______________________________
HJT
Run HijackThis, choose "Scan only" and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked.

R3 - Default URLSearchHook is missing

O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab

________________________
A few optional fixes to consider.
______________________________
You have iTunesHelper.exe running at Startup. iTunesHelper.exe is a process belonging to the iTunes MP3 streaming tool
by Apple which allows you to play MP3s. This process speeds up iTunes when it starts, and the program also monitors
for connected iPod devices. This program is not required to start automatically, as you can start it manually if you need it.
It is advised that you disable this program so that it does not take up necessary resources. It may be worthwhile to fix it with HijackThis.
This is the item to fix in HijackThis:

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe


____________________________
You have QuickTime running at Startup. This is QuickTime's system tray icon and is not necessary for the program to function properly. It is considered to be a resource hog.
You will still be able to start it manually if you need it. You can fix this with HijackThis, but you will need to change the setting in QuickTime
Player itself to keep it from resetting itself. This is the item to fix in HijackThis:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

_________________________________
Please do an online scan with Kaspersky Online Scanner
Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:

Extended (If available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK

Now under select a target to scan select My Computer

The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:

Save the file to your desktop.

Copy and paste that information in your next post.

and 1 more HJT log.
Bob4
MRU Master
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Unread postby unbri » August 27th, 2006, 5:37 pm

I ran the scan and nothing was infected, but I forgot to save the file, so I'll do a scan again later... here is my HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 5:34:58 PM, on 8/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\Integrator.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\utorrent\utorrent.exe
C:\Program Files\East-Tec Eraser 2006\Eraser.exe
C:\Program Files\East-Tec Eraser 2006\silent.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Unbrix\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] "C:\Program Files\AIM\aim.exe" -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\utorrent\utorrent.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\RunOnce: [East-Tec Eraser 2006] "C:\Program Files\East-Tec Eraser 2006\silent.exe" /R
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
O4 - Startup: Hare.lnk = C:\Program Files\Dachshund Software\Hare\Hare.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1910EF38-D2DB-4288-960E-265148A163F1}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1910EF38-D2DB-4288-960E-265148A163F1}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{1910EF38-D2DB-4288-960E-265148A163F1}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Unread postby unbri » August 28th, 2006, 7:12 pm

Monday, August 28, 2006 7:07:53 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 28/08/2006
Kaspersky Anti-Virus database records: 218936


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 57007
Number of viruses found 8
Number of infected objects 97 / 0
Number of suspicious objects 0
Duration of the scan process 01:26:32

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Administrator\Desktop\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.zip ZIP: infected - 1 skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Unbrix\Application Data\Aim\ebvydlzv\unbri103\cert8.db Object is locked skipped

C:\Documents and Settings\Unbrix\Application Data\Aim\ebvydlzv\unbri103\key3.db Object is locked skipped

C:\Documents and Settings\Unbrix\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Unbrix\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Unbrix\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Unbrix\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Unbrix\Local Settings\History\History.IE5\MSHist012006082820060829\index.dat Object is locked skipped

C:\Documents and Settings\Unbrix\Local Settings\Temp\Perflib_Perfdata_6ec.dat Object is locked skipped

C:\Documents and Settings\Unbrix\Local Settings\Temp\~DF486C.tmp Object is locked skipped

C:\Documents and Settings\Unbrix\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Unbrix\ntuser.dat Object is locked skipped

C:\Documents and Settings\Unbrix\NTUSER.DAT.LOG Object is locked skipped

C:\Program Files\Common Files\Ahead\Lib\NEROINST.DB Object is locked skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\100.tmp Infected: Backdoor.Win32.SubSeven.22.b2 skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\102.tmp Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\103.tmp Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\105.tmp Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\106.tmp Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\108.tmp Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\10A.tmp Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\10F.tmp Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\111.tmp Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\112.tmp Infected: Backdoor.Win32.SubSeven.22 skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\115.tmp Infected: Backdoor.Win32.SubSeven.22.a skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\119.tmp Infected: Backdoor.Win32.SubSeven.22.a skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\11B.tmp Infected: Backdoor.Win32.SubSeven.22.a skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\11C.tmp Infected: Backdoor.Win32.SubSeven.22.a skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\120.tmp Infected: Backdoor.Win32.SubSeven.22.a skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\122.tmp Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\124.tmp Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\126.tmp Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\128.tmp Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\129.tmp Infected: Backdoor.Win32.SubSeven.22.b2 skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\12B.tmp Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\12C.tmp Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\12D.tmp Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\12F.tmp Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\130.tmp Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\132.tmp Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\133.tmp Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\135.tmp Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\139.tmp Infected: Backdoor.Win32.SubSeven.22 skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\13D.tmp Infected: Backdoor.Win32.SubSeven.22.a skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\141.tmp Infected: Backdoor.Win32.SubSeven.22.a skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\144.tmp Infected: Backdoor.Win32.SubSeven.22.a skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\145.tmp Infected: Backdoor.Win32.SubSeven.22.a skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\146.tmp Infected: Backdoor.Win32.SubSeven.22.a skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\147.tmp Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\148.tmp Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\149.tmp Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\14A.tmp Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\14B.tmp Infected: Backdoor.Win32.SubSeven.22.b2 skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\14C.tmp Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\14D.tmp Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\14E.tmp Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\14F.tmp Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\150.tmp Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\151.tmp Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\152.tmp Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\153.tmp Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\156.tmp Infected: Backdoor.Win32.SubSeven.22 skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\1E1.tmp Infected: Backdoor.Win32.SubSeven.22.a skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\201.tmp/cgi/setup.cgi Infected: Backdoor.Win32.SubSeven.22.a skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\201.tmp/cgi/subseven.cgi Infected: Backdoor.Win32.SubSeven.22.a skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\201.tmp/EditServer.exe Infected: Backdoor.Win32.SubSeven.22.a skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\201.tmp/plugins/icqpwsteal.dll Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\201.tmp/plugins/matrix.dll Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\201.tmp/plugins/recmic.dll Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\201.tmp/plugins/s7advanced.dll Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\201.tmp/plugins/s7capture.dll Infected: Backdoor.Win32.SubSeven.22.b2 skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\201.tmp/plugins/s7fun1.dll Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\201.tmp/plugins/s7fun2.dll Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\201.tmp/plugins/s7keys.dll Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\201.tmp/plugins/s7moreinfo.dll Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\201.tmp/plugins/s7passwords.dll Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\201.tmp/plugins/s7scanner.dll Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\201.tmp/plugins/s7sniffer.dll Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\201.tmp/plugins/s7takeover.dll Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\201.tmp/server.exe Infected: Backdoor.Win32.SubSeven.22 skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\201.tmp/sin.exe Infected: Backdoor.Win32.SubSeven.22.a skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\201.tmp/sub7.exe Infected: Backdoor.Win32.SubSeven.22.a skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\201.tmp ZIP: infected - 19 skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\201.tmp CryptFF.b: infected - 19 skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\209.tmp Infected: Backdoor.Win32.SubSeven.22.a skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\63.tmp Infected: not-a-virus:AdWare.Win32.Agent.y skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\70.tmp/mspass.exe Infected: not-a-virus:PSWTool.Win32.Messen.104 skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\70.tmp ZIP: infected - 1 skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\70.tmp CryptFF.b: infected - 1 skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\CB.tmp/sub7legends/editserver.exe Infected: Backdoor.Win32.SubSeven.215 skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\CB.tmp/sub7legends/server.exe Infected: Backdoor.Win32.SubSeven.215 skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\CB.tmp/sub7legends/SubSeven.exe Infected: Backdoor.Win32.SubSeven.215 skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\CB.tmp ZIP: infected - 3 skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\CB.tmp CryptFF.b: infected - 3 skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\CC.tmp Infected: Backdoor.Win32.SubSeven.215 skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\CF.tmp/ss.2.2.0/cgi/setup.cgi Infected: Backdoor.Win32.SubSeven.22.a skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\CF.tmp/ss.2.2.0/cgi/subseven.cgi Infected: Backdoor.Win32.SubSeven.22.a skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\CF.tmp ZIP: infected - 2 skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\CF.tmp CryptFF.b: infected - 2 skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\F1.tmp Infected: Backdoor.Win32.SubSeven.22.a skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\F2.tmp Infected: Backdoor.Win32.SubSeven.22.a skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\F5.tmp Infected: Backdoor.Win32.SubSeven.22.a skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\F8.tmp Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\FB.tmp Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\FC.tmp Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\FE.tmp Infected: Backdoor.Win32.SubSeven.22.plugin skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\SIN.EXE Infected: Backdoor.Win32.SubSeven.22.a skipped

C:\Program Files\Trend Micro\Internet Security 12\Quarantine\VSS4OVP7.009 Infected: Backdoor.Win32.SubSeven.22.a skipped

C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped

C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.mst Object is locked skipped

C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\ModemLog_Conexant D850 56K V.9x DFVc Modem.txt Object is locked skipped

C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{679F8DB6-40F5-44FD-A090-391DE283AED4}.crmlog Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{D04E9803-06A1-478D-B134-3E5BD975A404}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped

C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped

C:\WINDOWS\system32\config\OSession.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped

C:\WINDOWS\system32\drivers\sptd6333.sys Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Someone's definitely been installing programs on my computer because I've never heard of half of these.



HJT log

Logfile of HijackThis v1.99.1
Scan saved at 7:12:42 PM, on 8/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\Integrator.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\utorrent\utorrent.exe
C:\WINDOWS\system32\CTPdeSrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\East-Tec Eraser 2006\Eraser.exe
C:\Program Files\East-Tec Eraser 2006\silent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Unbrix\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] "C:\Program Files\AIM\aim.exe" -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\utorrent\utorrent.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\RunOnce: [East-Tec Eraser 2006] "C:\Program Files\East-Tec Eraser 2006\silent.exe" /R
O4 - HKCU\..\RunOnce: [Eraser Clear XP] "C:\Program Files\East-Tec Eraser 2006\silent.exe" -XP
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
O4 - Startup: Hare.lnk = C:\Program Files\Dachshund Software\Hare\Hare.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1910EF38-D2DB-4288-960E-265148A163F1}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1910EF38-D2DB-4288-960E-265148A163F1}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{1910EF38-D2DB-4288-960E-265148A163F1}: NameServer = 192.168.1.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
unbri
Regular Member
 
Posts: 25
Joined: August 24th, 2006, 10:54 pm
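The log above is in HijackThis v1.99.1 format, and the lines the helpers act on (O2 BHOs, O4 Run entries, O16 DPF ActiveX downloads, O23 services) each follow a fixed shape. As an added example, not from this thread or from HijackThis itself, here is a small Python parser for those shapes. The sample lines are copied from the log above; the class and function names (HjtEntry, parse_log, dpf_hosts, unnamed_dpf) are mine, and the idea that an O16 entry with no object name deserves a second look is my heuristic, not a HijackThis rule.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample: six lines in HijackThis v1.99.1 format, copied from the
# log posted above. A real log has many more lines; the parser handles the
# O2, O4, O16 and O23 line shapes and keeps anything else as raw text.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1910EF38-D2DB-4288-960E-265148A163F1}: NameServer = 192.168.1.1
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
"""

@dataclass
class HjtEntry:
    section: str                  # "O2", "O4", "O16", ...
    kind: str                     # BHO, Run, DPF, Service, or "raw"
    location: str                 # file path, URL, or the raw remainder
    name: Optional[str] = None    # friendly name, when the line carries one
    clsid: Optional[str] = None   # {GUID}, when present
    vendor: Optional[str] = None  # O23 service vendor string

_RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<loc>.*)$")
_RE_O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<loc>.*)$")
_RE_O16 = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<loc>.*)$")
_RE_O23 = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<loc>.*)$")
_RE_ANY = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<rest>.*)$")

def parse_line(line: str) -> Optional[HjtEntry]:
    """Turn one HijackThis log line into an HjtEntry, or None if it is not an O/R/F line."""
    m = _RE_O2.match(line)
    if m:
        return HjtEntry("O2", "BHO", m["loc"], name=m["name"], clsid=m["clsid"])
    m = _RE_O4.match(line)
    if m:
        return HjtEntry("O4", m["key"], m["loc"], name=m["name"])
    m = _RE_O16.match(line)
    if m:
        return HjtEntry("O16", "DPF", m["loc"].strip(), name=m["name"], clsid=m["clsid"])
    m = _RE_O23.match(line)
    if m:
        return HjtEntry("O23", "Service", m["loc"], name=m["name"], vendor=m["vendor"])
    m = _RE_ANY.match(line)
    if m:
        return HjtEntry(m["section"], "raw", m["rest"])
    return None

def parse_log(text: str) -> List[HjtEntry]:
    """Parse every recognisable line of a HijackThis log, skipping blanks and headers."""
    entries = []
    for line in text.splitlines():
        entry = parse_line(line.strip())
        if entry:
            entries.append(entry)
    return entries

def dpf_hosts(entries: List[HjtEntry]) -> Dict[str, Optional[str]]:
    """Map each O16 (Downloaded Program Files / ActiveX) CLSID to the host it was fetched from."""
    return {e.clsid: urlparse(e.location).hostname for e in entries if e.kind == "DPF"}

def unnamed_dpf(entries: List[HjtEntry]) -> List[str]:
    """CLSIDs of O16 entries that carry no object name in the log.
    Heuristic (my assumption, not a HijackThis rule): a downloaded control with
    no friendly name is worth a second look; in this log that singles out the
    WinATS.cab entry, which is also the one the helper asks to have fixed."""
    return [e.clsid for e in entries if e.kind == "DPF" and e.name is None]
```

The point of `dpf_hosts` is that an O16 line records where an ActiveX control was installed from, so listing the hosts side by side makes an unfamiliar download site stand out among vendor sites; `unnamed_dpf` is one cheap triage filter on top of that, not a verdict.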

Unread postby Bob4 » August 28th, 2006, 7:44 pm

______________________________
HJT
Run hijackthis and choose scan only and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked

O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab



________________
1 optional fix for you to consider.

____________________________
You have QuickTime running at Startup. This is QuickTime's system tray icon and not necessary for the program to function properly. It is considered to be a resource hog.
You will still be able to start it manually if you need it. You can fix this with HijackThis, but you will need to change the setting in QuickTime Player itself to keep it from resetting itself. This is the item to fix in HijackThis:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime


_____________________
Great news!

Your log now appears to be clean.

Let's do a few things to tidy up.
Please do these in the order I suggest!


___________________________________
If we have set your computer to see all files and folders we must reprotect them.

UNDO SHOW ALL FILES
Click on the My Computer icon.
Select the Tools menu and click Folder Options.
After the new window appears select the View tab.
Deselect the checkbox labeled Display the contents of system folders.
Deselect the checkbox labeled Show hidden files and folders.
Select the checkbox labeled Hide file extensions for known file types.
Replace the checkmark in the checkbox labeled Hide protected operating system files.
Press the Apply button and then OK.
Now many important files are safe.


___________________________________
Download and install CCleaner from here.
NOTE: Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option.

If you use either the Firefox or Mozilla browsers, the box to uncheck for Cookies is on the Applications tab, under Firefox/Mozilla.


Now open the program and click on Run Cleaner.
(Do not use the Issues block to clean anything with this program. It is for experts only and it is risky.)

You may opt out of cleaning cookies. If you clean them, all you will have to do is retype names and passwords for places you visit on the net one time.
I clean all my cookies out from time to time. It's not that big a deal if you remember passwords.


___________________________________
Please create a 'clean' System Restore Point:
The reason for doing this is in case you need System Restore you don't put back all we just took out.
Right click My Computer
Then Properties, then System Restore
Place a check mark by Turn off System Restore
Click APPLY
Windows will give you a warning, click Yes
REBOOT

Now go right back to the same place and uncheck System Restore
Click APPLY and OK





___________________________________
A few things to help with possible threats
SpywareBlaster

Install SpywareBlaster

SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from accidentally running or downloading known malicious programs.
After the installation, click Download Latest Protection Updates. When it finishes, click Enable All Protection.


______________________________
SiteHound

http://www.firetrust.com/firetrustsitehound.html

This tool bar will help protect you from:

Over 4,000 fake bank and credit sites.
Tens of thousands of pornographic and adult sites.
The never ending fake phishing sites.
Malicious sites, which can infect you with spyware and adware if you visit them.
Sites to download software which may infect your computer with spyware, a virus or adware.


___________________________________
Download and keep these updated and run weekly if you don't already have them.

Adaware
Tutorial

Spybot Search & Destroy
Tutorial




___________________________________
Download and Install a HOSTS File
A Hosts file is a plain text file which prevents your computer from connecting to malware and spyware sites by redirecting the connection request to 127.0.0.1, which is your local address. If you use a proxy server, or if you are on AOL, be sure to read the special instructions.
You can download the MVPS Hosts File and see a HOSTS file tutorial here:
This website also contains useful tips, and links to other resources and utilities.


___________________________________
Make your Internet Explorer more secure
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click on the Security tab
3. Click the Internet icon so it becomes highlighted.
4. Click on Default Level and click OK
5. Click on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

6. Next press the Apply button and then the OK to exit the Internet Properties page.



___________________________________
Keep windows updated here

___________________________________
You can read about a lot safer surfing here


___________________________________
And it goes without saying do not open Email from someone you don't know.

___________________________________
This is how you may have become infected




Safe and Happy Surfing. :)
Bob4
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida
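The HOSTS file advice above works because Windows consults the hosts file before asking DNS, so a name pointed at 127.0.0.1 (or 0.0.0.0) never reaches the real site. The same mechanism is also abused in the other direction: malware can add entries that send an update or login site to an address of its choosing. As an added example, not from this thread or from the MVPS site, here is a Python hosts-file parser that resolves a name the way the file would and flags entries that do not look like sinkhole entries. The sample file, the `.invalid` names and the addresses in it are constructed; the function names (parse_hosts, lookup, is_sinkhole, review_entries) are mine.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample hosts file (not the MVPS file). The MVPS convention is
# one blocked name per line pointed at 127.0.0.1 (as the post above says)
# or 0.0.0.0 in later releases. The last two lines are constructed entries
# that do NOT follow that convention, to show what the review step flags.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1  ads.example-adserver.invalid          # MVPS-style sinkhole entry
0.0.0.0    tracker.example-spyware.invalid       # same, 0.0.0.0 form
192.168.1.20   fileserver.lan                    # LAN name: usually legitimate
203.0.113.7    update.example-antivirus.invalid  # outside address: review
"""

# RFC 1918 ranges checked explicitly (ipaddress.is_private also counts
# documentation ranges such as 203.0.113.0/24 as private, which we do not want here).
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs in file order; comments and blank lines dropped."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed line; the resolver would ignore it as well
        for name in names:
            entries.append((addr, name.lower()))
    return entries

def lookup(entries: List[Tuple[str, str]], name: str) -> Optional[str]:
    """Address the hosts file gives for `name` (first match wins), or None when
    the name is absent and normal DNS resolution would be used instead."""
    name = name.lower()
    for addr, host in entries:
        if host == name:
            return addr
    return None

def is_sinkhole(addr: str) -> bool:
    """True for the loopback / unspecified addresses a blocklist points names at."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified

def review_entries(entries: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Entries that are neither 'localhost' nor sinkholed, each with a reason to look at it.
    A blocklist hosts file should contain only sinkhole entries; a name mapped to an
    outside address is the classic way malware redirects update or login sites."""
    flagged = []
    for addr, host in entries:
        if host == "localhost" or is_sinkhole(addr):
            continue
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in _RFC1918):
            flagged.append((addr, host, "private address (LAN entry?)"))
        else:
            flagged.append((addr, host, "public address: name hijacked?"))
    return flagged
```

`lookup` returning None is the normal case for any site not on the list, which is why a big blocklist costs nothing for ordinary browsing. The post's note about proxy servers and AOL follows from the same mechanism: when a browser hands requests to a proxy, the proxy resolves the name, so the local hosts file is not consulted for those requests and the block has no effect.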

Unread postby unbri » August 28th, 2006, 8:08 pm

Thanks for all the help. I tried to make a system restore and do the hosts.mvp thing, but my command prompt, regedit, system restore, and msconfig are still disabled. How do I enable them now that the trojans are off my computer?
unbri
Regular Member
 
Posts: 25
Joined: August 24th, 2006, 10:54 pm

Unread postby Bob4 » August 28th, 2006, 9:00 pm

Are you logged on as a system administrator ?
Bob4
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida