* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found"
________________________________________________
1,133 items found: 1,133 files, 0 directories.
Total of file sizes: 203,815,519 bytes 194.37 M
Administrator Account = True
--------------------End log---------------------
Here's Rootkit
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed 12/3/2005 9:26 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful 12/3/2005 9:26 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\ShudderLTD\PSGuard\PSGuard\License* 8/29/2005 4:44 PM 0 bytes Key name contains embedded nulls (*)
C:\Documents and Settings\Ryan Andrew Chang\ntuser.dat.LOG:KAVICHS 12/3/2005 9:31 PM 36 bytes Hidden from Windows API.
C:\System Volume Information\_restore{B5844A15-2EA5-4C27-BEA1-6D063C3DCB93}\RP358\A0141231.exe:KAVICHS 10/1/2005 6:05 PM 36 bytes Hidden from Windows API.
C:\System Volume Information\_restore{B5844A15-2EA5-4C27-BEA1-6D063C3DCB93}\RP358\A0141261.exe:KAVICHS 10/1/2005 6:05 PM 68 bytes Hidden from Windows API.
C:\System Volume Information\_restore{B5844A15-2EA5-4C27-BEA1-6D063C3DCB93}\RP367\A0144229.dll:KAVICHS 10/8/2005 7:26 PM 36 bytes Hidden from Windows API.
C:\System Volume Information\_restore{B5844A15-2EA5-4C27-BEA1-6D063C3DCB93}\RP367\A0144236.exe:KAVICHS 10/8/2005 7:33 PM 68 bytes Hidden from Windows API.
C:\System Volume Information\_restore{B5844A15-2EA5-4C27-BEA1-6D063C3DCB93}\RP368\A0144239.exe:KAVICHS 10/8/2005 7:37 PM 36 bytes Hidden from Windows API.
C:\System Volume Information\_restore{B5844A15-2EA5-4C27-BEA1-6D063C3DCB93}\RP368\A0144378.exe:KAVICHS 10/10/2005 1:40 PM 68 bytes Hidden from Windows API.
C:\System Volume Information\_restore{B5844A15-2EA5-4C27-BEA1-6D063C3DCB93}\RP368\A0144391.dll:KAVICHS 10/10/2005 2:19 PM 36 bytes Hidden from Windows API.
C:\System Volume Information\_restore{B5844A15-2EA5-4C27-BEA1-6D063C3DCB93}\RP368\A0144397.dll:KAVICHS 10/10/2005 2:19 PM 36 bytes Hidden from Windows API.
C:\System Volume Information\_restore{B5844A15-2EA5-4C27-BEA1-6D063C3DCB93}\RP368\A0144398.dll:KAVICHS 10/10/2005 2:19 PM 36 bytes Hidden from Windows API.
C:\System Volume Information\_restore{B5844A15-2EA5-4C27-BEA1-6D063C3DCB93}\RP368\A0144428.dll:KAVICHS 10/10/2005 2:19 PM 36 bytes Hidden from Windows API.
C:\System Volume Information\_restore{B5844A15-2EA5-4C27-BEA1-6D063C3DCB93}\RP368\A0144437.dll:KAVICHS 10/10/2005 2:19 PM 36 bytes Hidden from Windows API.
C:\System Volume Information\_restore{B5844A15-2EA5-4C27-BEA1-6D063C3DCB93}\RP368\A0144442.dll:KAVICHS 10/10/2005 2:19 PM 36 bytes Hidden from Windows API.
C:\System Volume Information\_restore{B5844A15-2EA5-4C27-BEA1-6D063C3DCB93}\RP370\A0144490.dll:KAVICHS 10/16/2005 3:43 PM 36 bytes Hidden from Windows API.
And now here's hijack
Logfile of HijackThis v1.99.1
Scan saved at 11:56:01 PM, on 12/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Hijack THis newest\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/ ... nicode.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.ne ... tector.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe