Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:41:18 PM, on 8/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20627)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Jetico\BestCrypt\BC_VE\bcveserv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\PROGRA~1\Jetico\BESTCR~1\BCResident.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\RootkitRevealer.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\T.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/microsoftupdate
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: HP Credential Manager for ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [BestCrypt Volume Encryption] "C:\Program Files\Jetico\BestCrypt Volume Encryption\bcfmgr.exe" MountAtLogon
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: ASAPHook hplun.dll
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: bcveServ - Unknown owner - C:\Program Files\Jetico\BestCrypt\BC_VE\bcveserv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: T - Sysinternals - http://www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\T.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Also, here is the RootkitRevealer scan output:
HKU\S-1-5-21-854245398-515967899-682003330-500\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY* 7/22/2007 10:36 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAC* 7/6/2007 9:32 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 7/6/2007 9:32 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet001\Services\psched2k 8/19/2007 1:32 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\riont 8/19/2007 1:31 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg 7/24/2007 6:02 PM 0 bytes Access is denied.
HKLM\SYSTEM\ControlSet001\Services\srvex 8/19/2007 1:31 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\psched2k 8/19/2007 1:32 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\riont 8/19/2007 1:31 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\srvex 8/19/2007 1:31 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\27bio29i.default\sessionstore.js.moztmp 8/19/2007 1:21 PM 24.42 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Administrator\Application Data\SmartFTP\Client 2.0\Cache 8/19/2007 1:40 PM 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Administrator\Cookies\administrator@CAU4JD50.txt 8/19/2007 1:38 PM 690 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Administrator\Cookies\administrator@yahoo[3].txt 8/19/2007 1:53 PM 690 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF946F.tmp 8/19/2007 1:54 PM 16.00 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\EBWO1IZ0\client_ad[5].htm 8/19/2007 1:53 PM 2.85 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\LIPBYABC\client_ad[6].htm 8/19/2007 1:46 PM 1.88 KB Hidden from Windows API.
C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Guest\2qy5zxm0.slt\Cache4A99EE9d01 8/19/2007 1:50 PM 469 bytes Hidden from Windows API.
C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Guest\2qy5zxm0.slt\Cache\2DDB702Ed01 8/19/2007 1:50 PM 1.58 KB Hidden from Windows API.
C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Guest\2qy5zxm0.slt\Cache\2E3FB6D1d01 8/19/2007 1:50 PM 11.77 KB Hidden from Windows API.
C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Guest\2qy5zxm0.slt\Cache\456C4C2Dd01 8/19/2007 1:50 PM 2.98 KB Hidden from Windows API.
C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Guest\2qy5zxm0.slt\Cache\58C77768d01 8/19/2007 1:50 PM 472 bytes Hidden from Windows API.
C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Guest\2qy5zxm0.slt\Cache\5900ABBBd01 8/19/2007 1:50 PM 2.85 KB Hidden from Windows API.
C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Guest\2qy5zxm0.slt\Cache\5F24ABD2d01 8/19/2007 1:50 PM 1.50 KB Hidden from Windows API.
C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Guest\2qy5zxm0.slt\Cache\648C18DEd01 8/19/2007 1:49 PM 6.85 KB Hidden from Windows API.
C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Guest\2qy5zxm0.slt\Cache\6F0C84E1d01 8/19/2007 1:50 PM 2.95 KB Hidden from Windows API.
C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Guest\2qy5zxm0.slt\Cache\84B83CF8d01 8/19/2007 1:49 PM 3.55 KB Hidden from Windows API.
C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Guest\2qy5zxm0.slt\Cache\9E121296d01 8/19/2007 1:50 PM 2.95 KB Hidden from Windows API.
C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Guest\2qy5zxm0.slt\Cache\_CACHE_001_ 8/19/2007 1:53 PM 35.75 KB Hidden from Windows API.
C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Guest\2qy5zxm0.slt\Cache\_CACHE_002_ 8/19/2007 1:53 PM 4.00 KB Hidden from Windows API.
C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Guest\2qy5zxm0.slt\Cache\_CACHE_003_ 8/19/2007 1:53 PM 4.00 KB Hidden from Windows API.
C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Guest\2qy5zxm0.slt\Cache\_CACHE_MAP_ 8/19/2007 1:53 PM 4.00 KB Hidden from Windows API.
C:\Program Files\CompuServe 7.0\gecko\usr\Profiles\Guest\2qy5zxm0.slt\Cache\ECEFB6D8d01 8/19/2007 1:50 PM 11.77 KB Hidden from Windows API.
C:\Program Files\CompuServe 7.0\idb\main.ind 8/19/2007 11:19 AM 52.84 KB Visible in Windows API, but not in MFT or directory index.
C:\Program Files\CompuServe 7.0\idb\STYLE.ind 8/19/2007 11:19 AM 292 bytes Visible in Windows API, but not in MFT or directory index.
C:\Program Files\CompuServe 7.0\idb\sysne87.ind 8/19/2007 1:49 PM 292 bytes Hidden from Windows API.
C:\Program Files\CompuServe 7.0\idb\sysnews.ind 8/19/2007 11:19 AM 292 bytes Visible in Windows API, but not in MFT or directory index.
C:\Program Files\CompuServe 7.0\idb\Toolbar.ind 8/19/2007 11:19 AM 292 bytes Visible in Windows API, but not in MFT or directory index.
C:\Program Files\ESET\cache\FND0.NFI 8/19/2007 12:50 PM 277 bytes Visible in Windows API, MFT, but not in directory index.
C:\Program Files\Yahoo!\Messenger\ystats_B.dat 8/19/2007 1:53 PM 28 bytes Hidden from Windows API.
C:\WINDOWS\system32\CatRoot2\res1.log 7/6/2007 2:03 AM 128.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\system32\CatRoot2\res2.log 7/6/2007 2:03 AM 128.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\system32\drivers\psched2k.sys 8/9/2007 2:20 PM 451.25 KB Hidden from Windows API.
C:\WINDOWS\system32\drivers\riont.sys 8/9/2007 2:20 PM 16.50 KB Hidden from Windows API.
C:\WINDOWS\system32\drivers\srvex.sys 8/9/2007 2:20 PM 16.88 KB Hidden from Windows API.
C:\WINDOWS\system32\edlinsvr.exe 8/9/2007 2:20 PM 2.11 MB Hidden from Windows API.
C:\WINDOWS\system32\rasa32.dll 8/9/2007 2:20 PM 100.00 KB Hidden from Windows API.
C:\WINDOWS\system32\xencache.dll 8/19/2007 1:32 PM 246.85 MB Hidden from Windows API.