Jump to content

explorer and ie6 running like slugs but firefox ok


Recommended Posts

Hi

My file explorer and IE6 are running extremely slow but firefox seems to be running OK. I did a quick scan and one trojan was found

:Malwarebytes' Anti-Malware 1.33

Database version: 1671

Windows 5.1.2600 Service Pack 2

20/01/2009 21:00:16

mbam-log-2009-01-20 (21-00-16).txt

Scan type: Quick Scan

Objects scanned: 73512

Time elapsed: 21 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detecte0

I ran fix then did a full scan and nothing was found:

Malwarebytes' Anti-Malware 1.33

Database version: 1671

Windows 5.1.2600 Service Pack 2

20/01/2009 19:25:03

mbam-log-2009-01-20 (19-25-03).txt

Scan type: Quick Scan

Objects scanned: 27938

Time elapsed: 10 minute(s), 38 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

I then ran hijack this and here's the log file for that:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 08:36:26, on 21/01/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\brsvc01a.exe

C:\WINDOWS\System32\brss01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\htpatch.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\Brmfrmps.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\FarStone\DriveClone Personal\EFB\efbfs.exe

C:\Program Files\FarStone\DriveClone Personal\CBP\DCSchdler.exe

C:\Program Files\FarStone\DriveClone Personal\EFB\EfbSchedule.exe

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\Program Files\FarStone\DriveClone Personal\fsloader.exe

C:\Program Files\FarStone\DriveClone Personal\VerChk.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\RioMSC.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\PROGRA~1\METAMA~1\Common\CmpgnSrv.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

D:\texteditor\PFE32.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hssoftware.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.com/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.medion.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=213.105.103.134:8021;http=213.105.103.134:8080

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Metamail IEPlugin - {C09C9904-FD44-11D6-A711-00105AC8F168} - C:\PROGRA~1\METAMA~1\METAMA~1\IE\IEPlugIn.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\\PSDrvCheck.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\RunOnce: [DCHideDisk] "C:\Program Files\FarStone\DriveClone Personal\DCHDisk.exe" r

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Startup: PowerReg Scheduler.exe

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com/

O16 - DPF: morfit3dWorld - http://www.3dstate.com/download/plugin3258/morfit3dWorld.CAB

O16 - DPF: {65A0276F-A5C2-4BA2-82DA-BC4AF3250F9E} (inDualityPluginCtl Object) - http://www.pelicancrossing.com/install/ind...alityplugin.cab

O16 - DPF: {C9BEF1E9-21F6-486F-80A2-32D61DE86E5E} - http://www.directxtras.com/speaksforitself...oad/ms_sapi.cab

O16 - DPF: {D4BC3B10-F024-4EF7-A62C-A298A11B51B5} - http://www.directxtras.com/speaksforitself.../mstts_mike.cab

O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} (Anark Client ActiveX Control) - http://install.anark.com/client/version2/w...en/AMClient.cab

O16 - DPF: {E4DFABBD-F5F6-11D3-8421-0080C6F79C42} (SpeechControl Class) - http://www.directxtras.com/speaksforitself...peechplugin.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: avgrsstx.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe

O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: DriveClone Scheduler - Unknown owner - C:\Program Files\FarStone\DriveClone Personal\CBP\DCSchdlerSRVC.exe

O23 - Service: Restore FarStone File Event Manager (efbfs) - FarStone Technology, Inc. - C:\Program Files\FarStone\DriveClone Personal\EFB\efbfs.exe

O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

O23 - Service: FarStone RestoreIT Loader - Unknown owner - C:\Program Files\FarStone\DriveClone Personal\fsloader.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe

O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIIc\Win32\RpcDataSrv.exe

O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIIc\RpcSandraSrv.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: wampapache - Apache Software Foundation - D:\wamp\apache2\bin\httpd.exe

O23 - Service: wampmysqld - Unknown owner - D:\wamp\mysql\bin\mysqld-nt.exe

--

End of file - 10781 bytes

File explorer is still running really slowly and IE6 but as I said Firefox is OK.

BTW I've done CHDISK defrag etc. and can't find anything there - one strange (I think after installing Spybot but BEFORE chdisk etc.) my C drive free space seemed to increase by about 4GB for no good reason

here's a breakdown of the partition size now if it's any help:

C NTFS capacity 37.09 gb free space 7.6GB

D NTFS capacity 33.53GB free space 1.26GB

E FAT32 capacity 3.9 GB free space 2.33 gb

Any help welcomed!

Link to post
Share on other sites

  • Root Admin

Did you set these proxies for IE ?

ProxyServer = ftp=213.105.103.134:8021;http=213.105.103.134:8080

    Download and install CCleaner
  • CCleaner
  • Double-click on the downloaded file "ccsetup215.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

When we're done you can go back and install the latest version but for now please do not install any.

Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply

Then look for the following Java folders and if found delete them.

C:\Program Files\Java

C:\Program Files\Common Files\Java

C:\Documents and Settings\All Users\Application Data\Java

C:\Documents and Settings\All Users\Application Data\Sun\Java

C:\Documents and Settings\username\Application Data\Java

C:\Documents and Settings\username\Application Data\Sun\Java

Please visit this webpage for instructions for downloading ComboFix to your
DESKTOP
:
how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!:

You must save and run
ComboFix.exe
on your DESKTOP and not from any other folder.

Also,
DO NOT
click the mouse or launch any other applications while this is running or it may stall the program

Additional links to download the tool:

Note:

The
Windows Recovery Console
will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click
    Yes
    to allow ComboFix to continue scanning for malware.

  • When the tool is finished, it will produce a report for you.

  • Please post the
    C:\ComboFix.txt
    along with a
    new HijackThis log
    so we may continue cleaning the system.

Link to post
Share on other sites

Thanks Guys

>Did you set these proxies for IE ?

>ProxyServer = ftp=213.105.103.134:8021;http=213.105.103.134:8080

I don't think so but I can't be sure sorry - shold I unset them and from what IE tab please?

I've done all the steps above thanks and here are the new log files:

NB Explorer and IE Explorer seem to be running faster already

Combofix:

################################################################################

#

ComboFix 09-01-20.05 - <myname> 2009-01-21 19:00:39.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1576 [GMT 0:00]

Running from: c:\documents and settings\<myname>\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

FW: ZoneAlarm Firewall *enabled*

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\Altnet

c:\windows\Downloaded Program Files\setup.inf

c:\windows\system32\ftpupd.exe

c:\windows\system32\tar.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_npf

((((((((((((((((((((((((( Files Created from 2008-12-21 to 2009-01-21 )))))))))))))))))))))))))))))))

.

2009-01-21 18:15 . 2009-01-21 18:15 <DIR> d-------- c:\program files\CCleaner

2009-01-20 19:57 . 2009-01-20 19:57 <DIR> d-------- c:\program files\Trend Micro

2009-01-20 19:06 . 2009-01-20 19:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-20 19:06 . 2009-01-20 19:06 <DIR> d-------- c:\documents and settings\Stuart Forbes\Application Data\Malwarebytes

2009-01-20 19:06 . 2009-01-20 19:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-20 19:06 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-20 19:06 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-20 18:57 . 2009-01-20 18:57 <DIR> d-------- C:\C_DILLA

2009-01-20 18:57 . 2001-09-10 19:04 63,344 --a------ c:\windows\CDILLA05.DLL

2009-01-20 18:57 . 2001-09-10 19:08 60,416 --a------ c:\windows\CDILLA64.EXE

2009-01-20 18:57 . 2001-09-10 19:04 23,856 --a------ c:\windows\CDILLA10.EXE

2009-01-20 18:56 . 2009-01-20 18:57 <DIR> d-------- c:\windows\BDE

2009-01-20 18:43 . 2009-01-20 18:43 0 --a------ c:\windows\nsreg.dat

2009-01-19 21:19 . 2009-01-19 21:19 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)

2009-01-19 21:19 . 2009-01-19 21:19 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)

2009-01-19 21:19 . 2009-01-19 21:19 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)

2009-01-19 21:19 . 2009-01-19 21:19 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)

2009-01-19 20:40 . 2009-01-19 20:49 <DIR> d-------- c:\program files\gile

2009-01-14 20:11 . 2009-01-14 20:12 <DIR> d-------- c:\documents and settings\Stuart Forbes\Application Data\fretsonfire

2009-01-13 19:35 . 2009-01-13 19:35 <DIR> d-------- c:\program files\AviSynth 2.5

2008-12-28 19:05 . 2009-01-21 19:12 8,347,680 --ahs---- c:\windows\system32\drivers\fidbox.dat

2008-12-28 19:05 . 2009-01-21 19:08 101,960 --ahs---- c:\windows\system32\drivers\fidbox.idx

2008-12-28 19:02 . 2008-12-28 19:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\MailFrontier

2008-12-28 19:02 . 2008-07-09 09:05 75,248 --a------ c:\windows\zllsputility.exe

2008-12-28 19:02 . 2004-04-27 04:40 11,264 --a------ c:\windows\system32\SpOrder.dll

2008-12-28 19:01 . 2008-07-09 09:05 1,086,952 --a------ c:\windows\system32\zpeng24.dll

2008-12-27 10:56 . 2001-08-17 13:47 23,808 --a------ c:\windows\system32\drivers\Dot4usb.sys

2008-12-27 10:56 . 2001-08-17 13:47 23,808 --a--c--- c:\windows\system32\dllcache\dot4usb.sys

2008-12-21 21:46 . 2008-12-21 21:46 351,744 --a------ c:\windows\system32\avisynth.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-21 19:10 15,360 ---h--w C:\logicinf.bin

2009-01-21 18:27 --------- d-----w c:\program files\GetRight

2009-01-21 18:27 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-19 21:25 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-01-19 20:37 --------- d-----w c:\documents and settings\Stuart Forbes\Application Data\FileZilla

2009-01-16 21:01 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-01-05 20:02 --------- d-----w c:\documents and settings\All Users\Application Data\Bluetooth

2009-01-03 16:01 --------- d-----w c:\documents and settings\Stuart Forbes\Application Data\AdobeUM

2008-12-27 21:27 229,376 ---ha-w C:\index.sys

2008-12-27 21:27 1,215,417 ----a-w C:\driverbmp.bin

2008-12-13 17:53 --------- d-----w c:\documents and settings\Stuart Forbes\Application Data\Any Video Converter

2008-11-30 09:45 --------- d-----w c:\program files\Pelican Crossing

2008-11-17 18:48 15,434,099 ----a-w c:\windows\Internet Logs\tvDebug.zip

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 401491]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HTpatch"="c:\windows\htpatch.exe" [2002-10-30 28672]

"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968]

"PinnacleDriverCheck"="c:\windows\System32\\PSDrvCheck.exe" [2004-03-11 406016]

"SoundMan"="SOUNDMAN.EXE" [2003-01-20 c:\windows\SOUNDMAN.EXE]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 c:\windows\system32\bthprops.cpl]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"DCHideDisk"="c:\program files\FarStone\DriveClone Personal\DCHDisk.exe" [2008-01-22 92688]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-03 15360]

c:\documents and settings\Stuart Forbes\Start Menu\Programs\Startup\

PowerReg Scheduler.exe [2003-05-24 225280]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{B9E618A2-A4FE-11D4-83C2-005004636C96}"= "c:\program files\Metamail Inc\Metamail Reader\OE\OESHook.dll" [2003-05-09 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.PIM2"= RALCodec.dll

"vidc.DVSD"= pdvcodec.dll

"VIDC.VQS5"= P1100DEC.dll

"vidc.xvid"= xvid.dll

"MSACM.CEGSM"= mobilev.acm

"VIDC.MJPG"= Pvmjpg30.dll

"VIDC.PIM1"= pclepim1.dll

"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm

"msacm.MPEGacm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm

"msacm.ulmp3acm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk

backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EPSON Status Monitor 3 Environment Check 2.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check 2.lnk

backup=c:\windows\pss\EPSON Status Monitor 3 Environment Check 2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk

backup=c:\windows\pss\Microsoft Find Fast.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Motorola Desktop Suite mRouter Config.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Motorola Desktop Suite mRouter Config.lnk

backup=c:\windows\pss\Motorola Desktop Suite mRouter Config.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Motorola Desktop Suite.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Motorola Desktop Suite.lnk

backup=c:\windows\pss\Motorola Desktop Suite.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Office Startup.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Office Startup.lnk

backup=c:\windows\pss\Office Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ABBYY Community Agent]

--a------ 2000-10-13 12:33 241664 d:\abbyy finereader 5.0 pro\CAGENT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Agent]

--a------ 2002-05-21 11:52 94208 c:\program files\Medion\PowerVCR II\AGENT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]

--a------ 2008-05-29 19:18 1177368 c:\progra~1\AVG\AVG8\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]

--------- 2004-09-13 11:51 1450096 c:\program files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]

--a------ 2004-04-14 14:04 40960 c:\program files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2007-12-11 12:10 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]

--a------ 2002-12-10 17:54 127022 c:\program files\Common Files\Logitech\QCDriver3\LVComS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2004-08-03 23:56 1667584 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

--a------ 2005-12-10 03:06 7311360 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]

--a------ 2005-12-10 03:06 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]

--a------ 2004-04-14 13:46 57393 c:\program files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2007-12-11 10:56 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]

--a------ 2006-05-17 18:35 208941 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Remote_Agent]

--a------ 2002-05-21 11:52 32768 c:\program files\Medion\PowerVCR II\RemoteAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]

--------- 2004-05-25 08:16 49152 c:\program files\Brother\Brmfl04a\BrStDvPt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

-rahs---- 2008-08-18 18:41 1832272 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]

-ra------ 2003-10-14 09:22 155648 c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS11 Preload]

--a------ 2007-03-03 14:12 341488 c:\program files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]

--a------ 2004-11-11 04:15 111816 c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoneAlarm Client]

--a------ 2008-07-09 09:05 919016 c:\program files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dit]

--a------ 2002-08-28 12:43 73728 c:\windows\Dit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2005-12-10 03:06 1519616 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XIIc\\Win32\\RpcDataSrv.exe"=

"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XIIc\\RpcSandraSrv.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=

"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.000"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

R0 dcsnap;dcsnap;c:\windows\system32\drivers\dcsnap.sys [2008-03-27 83680]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-05-29 96520]

R1 DCDisk;DCDisk;c:\windows\system32\drivers\DCDisk.sys [2008-03-27 155648]

R1 lstone;Pinnacle Systems DV500 Overlay;c:\windows\system32\drivers\LStone2k.sys [2003-05-29 256113]

R1 MemAlloc;MemAlloc;c:\windows\system32\drivers\MemAlloc.sys [2003-05-29 5543]

R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-05-29 902424]

R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-05-29 282904]

R4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-05-29 75272]

R4 efbfs;Restore FarStone File Event Manager;c:\program files\FarStone\DriveClone Personal\EFB\efbfs.exe [2008-03-27 28672]

R4 FarStone RestoreIT Loader;FarStone RestoreIT Loader;c:\program files\FarStone\DriveClone Personal\fsloader.exe [2008-01-22 90112]

R4 flbdisk;flbdisk;c:\windows\system32\drivers\flbdisk.sys [2008-03-27 17408]

R4 flbrc;flbrc;c:\windows\system32\drivers\flbrc.sys [2008-03-27 37632]

S1 efbDisk;efbDisk; [x]

S3 CCCP106;TRUST 120 SPACEC@M;c:\windows\system32\drivers\cccp106.sys [2003-12-27 227200]

S3 DFSTR2K;DATAFAB based USB Mass Storage Driver;c:\windows\system32\drivers\DfStor2K.sys [2003-06-21 37972]

S3 FXDRV;FXDRV;\??\f:\fxdrv.sys --> f:\Fxdrv.sys [?]

S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-09-13 42112]

S3 USBSAMP;Link based USB Mass Storage Driver;c:\windows\system32\DRIVERS\onstor2k.sys --> c:\windows\system32\DRIVERS\onstor2k.sys [?]

S4 DriveClone Scheduler;DriveClone Scheduler;c:\program files\FarStone\DriveClone Personal\CBP\DCSchdlerSRVC.exe [2008-03-27 98304]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{543b0a90-fcc3-11dc-900b-000c760840ee}]

\Shell\AutoRun\command - I:\Launch.exe

.

Contents of the 'Scheduled Tasks' folder

2008-12-25 c:\windows\Tasks\{C5016A89-1CAB-463C-BE9A-75EEB1BCD73E}_SF_Stuart Forbes.job

- c:\windows\system32\mobsync.exe [2004-08-03 23:56]

2008-08-22 c:\windows\Tasks\{D788E402-85C7-473F-81DE-4704D74619B3}_SF_Stuart Forbes.job

- c:\windows\system32\mobsync.exe [2004-08-03 23:56]

2009-01-21 c:\windows\Tasks\{E01C8006-FB62-487B-BD3E-59FE1C7CD979}_SF_Stuart Forbes.job

- c:\windows\system32\mobsync.exe [2004-08-03 23:56]

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-LogitechVideoRepair - c:\program files\Logitech\Video\ISStart.exe

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.5.0_06\bin\jusched.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.hssoftware.co.uk/

uInternet Connection Wizard,ShellNext = hxxp://www.medion.com/

uInternet Settings,ProxyServer = ftp=213.105.103.134:8021;http=213.105.103.134:8080

uInternet Settings,ProxyOverride = <local>

IE: Download with GetRight - c:\program files\GetRight\GRdownload.htm

IE: Open with GetRight Browser - c:\program files\GetRight\GRbrowse.htm

Name-Space Handler: ftp\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\program files\GetRight\xx2gr.dll

Name-Space Handler: http\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\program files\GetRight\xx2gr.dll

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: morfit3dWorld - hxxp://www.3dstate.com/download/plugin3258/morfit3dWorld.CAB

DPF: {C9BEF1E9-21F6-486F-80A2-32D61DE86E5E} - hxxp://www.directxtras.com/speaksforitself/download/ms_sapi.cab

DPF: {D4BC3B10-F024-4EF7-A62C-A298A11B51B5} - hxxp://www.directxtras.com/speaksforitself/download/mstts_mike.cab

DPF: {E4DFABBD-F5F6-11D3-8421-0080C6F79C42} - hxxp://www.directxtras.com/speaksforitself/download/speechplugin.cab

FF - ProfilePath - c:\documents and settings\Stuart Forbes\Application Data\Mozilla\Firefox\Profiles\v7ceo1kj.default\

FF - plugin: c:\program files\OverTheEdge\Unity\WebPlayer\loader\npUnityWeb32.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-21 19:11:23

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HTpatch = c:\windows\htpatch.exe?ows\CurrentVersion\Run???\??????Z????`??Z???Z`??Z???????????????Z???Z???Z???Z$??????Z???????????????Z???????????Z???w????(????3?w???w?????3?w ??w???Z:???????d???r??Z1??Z???Zd??????Z?-?Z????z??w8h?Z\2?Z?1?Zhtinst.INI?Z?u?Z????d????????F?

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\System32\\OLE32.DLL"

"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,44,de,ea,c7,29,

5c,c3,d5,e2,63,26,f1,3f,c8,ff,68,41,78,54,6b,cb,25,73,5e,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\System32\\OLE32.DLL"

"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,41,ca,04,d1,e8,

10,15,da,6a,9c,d6,61,af,45,84,18,38,bb,d5,45,c2,68,70,5c,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\System32\\OLE32.DLL"

"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,40,29,76,8b,14,

af,64,a9,ff,7c,85,e0,43,d4,0e,fe,e7,38,ef,42,95,63,97,c3,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\System32\\OLE32.DLL"

"2582ae41fb52324423be06337561aa48"=hex:6b,65,49,6a,7e,99,74,f7,71,29,50,d5,2e,

fa,db,d8,86,8c,21,01,be,91,eb,e7,ba,33,a5,03,1a,41,48,16,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\System32\\OLE32.DLL"

"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,20,59,82,33,d8,

ed,c5,2a,f5,1d,4d,73,a8,13,5c,05,1d,83,69,e8,ac,fb,66,38,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\System32\\OLE32.DLL"

"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,80,3a,f6,c7,15,

96,b1,25,df,20,58,62,78,6b,cf,c8,4e,9e,52,48,ec,c0,a7,1c,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\System32\\OLE32.DLL"

"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,14,1b,99,4f,a2,

a6,90,11,fb,a7,78,e6,12,2f,9a,ea,e2,c6,0d,83,3a,45,f8,77,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\System32\\OLE32.DLL"

"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,dc,4c,ae,a5,64,

5f,f7,a6,01,3a,48,fc,e8,04,4a,f1,82,29,83,2f,7d,40,7b,d2,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\System32\\OLE32.DLL"

"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,6b,46,07,a3,b1,

cd,7b,03,f6,0f,4e,58,98,5b,89,c9,25,df,65,00,2e,63,32,b1,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\System32\\OLE32.DLL"

"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,09,89,b0,9a,8f,

a2,6a,3d,3d,ce,ea,26,2d,45,aa,78,37,32,9f,41,5c,1f,78,77,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\System32\\OLE32.DLL"

"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,75,0e,ad,7d,36,

c5,ed,d0,2a,b7,cc,b5,b9,7f,41,e7,8b,2c,6d,d9,31,77,a6,50,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\System32\\OLE32.DLL"

"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,65,66,0b,c2,fe,

cd,b9,93,6c,43,2d,1e,aa,22,2f,9c,92,e1,1e,0f,d6,06,73,36,6c,43,2d,1e,aa,22,\

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Ahead\InCD\incdsrv.exe

c:\windows\system32\brss01a.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe

c:\windows\system32\Brmfrmps.exe

c:\windows\system32\drivers\CDANTSRV.EXE

c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe

c:\windows\system32\Crypserv.exe

c:\program files\FarStone\DriveClone Personal\CBP\DCSchdler.exe

c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe

c:\program files\FarStone\DriveClone Personal\EFB\EfbSchedule.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\RioMSC.exe

c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\ZoneLabs\vsmon.exe

c:\windows\system32\rundll32.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-01-21 19:26:30 - machine was rebooted [stuart Forbes]

ComboFix-quarantined-files.txt 2009-01-21 19:25:51

Pre-Run: 8,667,545,600 bytes free

Post-Run: 8,532,316,160 bytes free

343

########################################################

and Hijackthis

##########################################################

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:37:09, on 21/01/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINDOWS\System32\brss01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\WINDOWS\system32\Brmfrmps.exe

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\FarStone\DriveClone Personal\CBP\DCSchdler.exe

C:\Program Files\FarStone\DriveClone Personal\EFB\efbfs.exe

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\Program Files\FarStone\DriveClone Personal\EFB\EfbSchedule.exe

C:\Program Files\FarStone\DriveClone Personal\fsloader.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\RioMSC.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\htpatch.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hssoftware.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.medion.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=213.105.103.134:8021;http=213.105.103.134:8080

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Metamail IEPlugin - {C09C9904-FD44-11D6-A711-00105AC8F168} - C:\PROGRA~1\METAMA~1\METAMA~1\IE\IEPlugIn.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\\PSDrvCheck.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\RunOnce: [DCHideDisk] "C:\Program Files\FarStone\DriveClone Personal\DCHDisk.exe" r

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Startup: PowerReg Scheduler.exe

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com/

O16 - DPF: morfit3dWorld - http://www.3dstate.com/download/plugin3258/morfit3dWorld.CAB

O16 - DPF: {65A0276F-A5C2-4BA2-82DA-BC4AF3250F9E} (inDualityPluginCtl Object) - http://www.pelicancrossing.com/install/ind...alityplugin.cab

O16 - DPF: {C9BEF1E9-21F6-486F-80A2-32D61DE86E5E} - http://www.directxtras.com/speaksforitself...oad/ms_sapi.cab

O16 - DPF: {D4BC3B10-F024-4EF7-A62C-A298A11B51B5} - http://www.directxtras.com/speaksforitself.../mstts_mike.cab

O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} (Anark Client ActiveX Control) - http://install.anark.com/client/version2/w...en/AMClient.cab

O16 - DPF: {E4DFABBD-F5F6-11D3-8421-0080C6F79C42} (SpeechControl Class) - http://www.directxtras.com/speaksforitself...peechplugin.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe

O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: DriveClone Scheduler - Unknown owner - C:\Program Files\FarStone\DriveClone Personal\CBP\DCSchdlerSRVC.exe

O23 - Service: Restore FarStone File Event Manager (efbfs) - FarStone Technology, Inc. - C:\Program Files\FarStone\DriveClone Personal\EFB\efbfs.exe

O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

O23 - Service: FarStone RestoreIT Loader - Unknown owner - C:\Program Files\FarStone\DriveClone Personal\fsloader.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe

O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIIc\Win32\RpcDataSrv.exe

O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIIc\RpcSandraSrv.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: wampapache - Apache Software Foundation - D:\wamp\apache2\bin\httpd.exe

O23 - Service: wampmysqld - Unknown owner - D:\wamp\mysql\bin\mysqld-nt.exe

--

End of file - 10277 bytes

Link to post
Share on other sites

  • Root Admin

The logs seem to indicate that MSCONFIG may be enabled. Please click on START - RUN and type in MSCONFIG and ensure that it is set to NORMAL and restart if needed to set it back to NORMAL

Start HJT and run Do a system scan only and place a check mark on the following items.

  • R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=213.105.103.134:8021;http=213.105.103.134:8080
    Then Quit All Browsers including the one you're reading this in now.
    Then click on Fix checked and then quit HJT

Then you can update your Java

Download and Update Java Runtime

The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 11.

  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 11 about half way down the page and click on the Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says jre-6u11-windows-i586-p.exe and save the downloaded file to your desktop.
  • Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
  • Uncheck the Toolbar button (unless you want the toolbar)
  • Reboot your computer

Then Please run an online scan with Kaspersky

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

This animation will guide you through the process:

KAS.gif

**Note**

To optimize scanning time and produce a more sensible report for review:

Close any open programs

Turn off the real time scanner of any existing antivirus program while performing the online scan. You may disconnect from the internet once you begin the scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Link to post
Share on other sites

Thanks Guys

Java reinstalled + scan now done and here's the Kaspersky log:

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7 REPORT

Friday, January 23, 2009

Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Thursday, January 22, 2009 17:28:07

Records in database: 1668742

--------------------------------------------------------------------------------

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

Scan area - My Computer:

A:\

C:\

D:\

E:\

F:\

G:\

H:\

Y:\

Scan statistics:

Files scanned: 569059

Threat name: 26

Infected objects: 90

Suspicious objects: 16

Duration of the scan: 08:52:39

File name / Threat name / Threats count

C:\Documents and Settings\My Name\Local Settings\Application Data\Identities\{32DF17BD-8EDE-4E22-ABC3-865E3FD76D67}\Microsoft\Outlook Express\Inbox.dbx Infected: Email-Worm.Win32.Gibe.a 4

C:\Documents and Settings\My Name\Local Settings\Application Data\Identities\{32DF17BD-8EDE-4E22-ABC3-865E3FD76D67}\Microsoft\Outlook Express\Inbox.dbx Infected: Email-Worm.Win32.Sobig.e 1

C:\Documents and Settings\My Name\Local Settings\Application Data\Identities\{32DF17BD-8EDE-4E22-ABC3-865E3FD76D67}\Microsoft\Outlook Express\Inbox.dbx Infected: Trojan.Win32.Munga 1

C:\Documents and Settings\My Name\Local Settings\Application Data\Identities\{32DF17BD-8EDE-4E22-ABC3-865E3FD76D67}\Microsoft\Outlook Express\Inbox.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 10

C:\Documents and Settings\My Name\Local Settings\Application Data\Identities\{32DF17BD-8EDE-4E22-ABC3-865E3FD76D67}\Microsoft\Outlook Express\Inbox.dbx Infected: Email-Worm.Win32.NetSky.q 4

C:\Documents and Settings\My Name\Local Settings\Application Data\Identities\{32DF17BD-8EDE-4E22-ABC3-865E3FD76D67}\Microsoft\Outlook Express\Inbox.dbx Infected: Trojan-Spy.HTML.Bankfraud.hs 1

C:\Documents and Settings\My Name\Local Settings\Application Data\Identities\{32DF17BD-8EDE-4E22-ABC3-865E3FD76D67}\Microsoft\Outlook Express\Inbox.dbx Infected: Trojan-Spy.HTML.Citifraud.ay 1

C:\Documents and Settings\My Name\Local Settings\Application Data\Identities\{32DF17BD-8EDE-4E22-ABC3-865E3FD76D67}\Microsoft\Outlook Express\Inbox.dbx Suspicious: Exploit.HTML.Iframe.FileDownload 1

C:\Documents and Settings\My Name\Local Settings\Application Data\Identities\{32DF17BD-8EDE-4E22-ABC3-865E3FD76D67}\Microsoft\Outlook Express\Inbox.dbx Infected: Email-Worm.Win32.NetSky.t 1

C:\Documents and Settings\My Name\Local Settings\Application Data\Identities\{32DF17BD-8EDE-4E22-ABC3-865E3FD76D67}\Microsoft\Outlook Express\Inbox.dbx Infected: Trojan-Clicker.HTML.IFrame.xr 1

C:\Documents and Settings\My Name\Local Settings\Application Data\Identities\{32DF17BD-8EDE-4E22-ABC3-865E3FD76D67}\Microsoft\Outlook Express\Inbox.dbx Infected: Trojan-Spy.HTML.Paylap.r 2

C:\Documents and Settings\My Name\Local Settings\Application Data\Identities\{32DF17BD-8EDE-4E22-ABC3-865E3FD76D67}\Microsoft\Outlook Express\Inbox.dbx Infected: Trojan-Spy.HTML.Bayfraud.ev 1

C:\Documents and Settings\My Name\Local Settings\Application Data\Identities\{32DF17BD-8EDE-4E22-ABC3-865E3FD76D67}\Microsoft\Outlook Express\Inbox.dbx Infected: Trojan-Downloader.Win32.Delf.iu 1

C:\Documents and Settings\My Name\Local Settings\Application Data\Identities\{32DF17BD-8EDE-4E22-ABC3-865E3FD76D67}\Microsoft\Outlook Express\Inbox.dbx Infected: Trojan-Spy.HTML.Bayfraud.gm 1

C:\Documents and Settings\My Name\Local Settings\Application Data\Identities\{32DF17BD-8EDE-4E22-ABC3-865E3FD76D67}\Microsoft\Outlook Express\Inbox.dbx Infected: Trojan-Spy.HTML.Paylap.u 1

C:\Documents and Settings\My Name\Local Settings\Application Data\Identities\{32DF17BD-8EDE-4E22-ABC3-865E3FD76D67}\Microsoft\Outlook Express\Inbox.dbx Infected: Trojan-Spy.HTML.Bayfraud.hc 1

C:\Documents and Settings\My Name\Local Settings\Application Data\Identities\{32DF17BD-8EDE-4E22-ABC3-865E3FD76D67}\Microsoft\Outlook Express\Inbox.dbx Infected: Trojan-Downloader.Win32.Small.arf 4

C:\Documents and Settings\My Name\Local Settings\Application Data\Identities\{32DF17BD-8EDE-4E22-ABC3-865E3FD76D67}\Microsoft\Outlook Express\Inbox.dbx Infected: Trojan-Downloader.Win32.Small.cjm 1

C:\Documents and Settings\My Name\Local Settings\Application Data\Identities\{32DF17BD-8EDE-4E22-ABC3-865E3FD76D67}\Microsoft\Outlook Express\Sent Items (1).dbx Infected: Trojan-Downloader.Win32.Small.arf 1

C:\Documents and Settings\My Name\Local Settings\Application Data\Identities\{32DF17BD-8EDE-4E22-ABC3-865E3FD76D67}\Microsoft\Outlook Express\Sent Items (1).dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1

C:\Documents and Settings\My Name\Local Settings\Application Data\Identities\{32DF17BD-8EDE-4E22-ABC3-865E3FD76D67}\Microsoft\Outlook Express\Sent Items.dbx Infected: Hoax.Win32.BadJoke.Stupen.c 2

C:\WINDOWS\system32\cmd.ftp Infected: Trojan-Downloader.BAT.Ftp.u 1

C:\WINDOWS\system32\o Infected: Trojan-Downloader.BAT.Ftp.c 1

D:\dloadnew\email\bomber.zip Infected: Email-Flooder.Win32.MailBomber.89 1

D:\dloadnew\php\flash\FlashChat_sVlZdAUulA.zip Infected: Trojan-Clicker.Win32.Agent.adh 1

D:\dloadnew\php\flashchat.zip Infected: Trojan-Clicker.Win32.Agent.adh 1

D:\Program Files\Spybot - Search & Destroy 1.1\Recovery\SearchEx13.zip Infected: not-a-virus:AdWare.Win32.Dispy 1

D:\Program Files\Spybot - Search & Destroy 1.1\Recovery\SearchEx6.zip Infected: not-a-virus:AdWare.Win32.Dispy 1

D:\wamp\www\bikerwales.com\smf\chat\inc\patServer\winsrvHide.exe Infected: Trojan-Clicker.Win32.Agent.adh 1

D:\wamp\www\bikerwales.com2.tar Infected: Trojan-Clicker.Win32.Agent.adh 1

D:\wamp\www\smf.tar Infected: Trojan-Clicker.Win32.Agent.adh 1

H:\AppServ\www\public\bikerwales.com\bupa.tar.gz Infected: Trojan-Clicker.Win32.Agent.adh 1

H:\AppServ\www\public\bikerwales.com\smf\chat\inc\patServer\winsrvHide.exe Infected: Trojan-Clicker.Win32.Agent.adh 1

H:\bikerwales\backup\home.tar.gz Infected: Trojan-Spy.HTML.Fraud.l 3

H:\bikerwales\backup\home.tar.gz Suspicious: Trojan-Spy.HTML.Fraud.gen 1

H:\bikerwales\domains\bikerwales.com\public_html\bupa.tar.gz Infected: Trojan-Clicker.Win32.Agent.adh 1

H:\bikerwales\domains\bikerwales.com\public_html\smf\chat\inc\patServer\winsrvHide.exe Infected: Trojan-Clicker.Win32.Agent.adh 1

H:\My Documents\bikerwales\bikerwales_sitedevelopment\backup-Oct-2-2005-1.tar.gz Infected: Trojan-Clicker.Win32.Agent.adh 1

H:\My Documents\bikerwales\bikerwales_sitedevelopment\backup-Oct-22-2005-1.tar.gz Infected: Trojan-Clicker.Win32.Agent.adh 1

H:\My Documents\Rumor.exe Infected: Hoax.Win32.BadJoke.Stupen.c 1

H:\phpdev\www\public\bikerwalescom\smf\chat\inc\patServer\winsrvHide.exe Infected: Trojan-Clicker.Win32.Agent.adh 1

H:\phpdev\www\public\domains\bikerwales.com\public_html\bupa.tar.gz Infected: Trojan-Clicker.Win32.Agent.adh 1

H:\phpdev\www\public\domains\bikerwales.com\public_html\smf\chat\inc\patServer\winsrvHide.exe Infected: Trojan-Clicker.Win32.Agent.adh 1

H:\temp\chat\FlashChat_v431\chat\inc\patServer\winsrvHide.exe Infected: Trojan-Clicker.Win32.Agent.adh 1

H:\webbups\backup-Apr-10-2007-1.tar.gz Infected: Trojan-Clicker.Win32.Agent.adh 1

H:\webbups\backup-bikerwales.com-9-26-2008.tar.gz Infected: Trojan-Downloader.HTML.Agent.km 1

H:\webbups\backup-bikerwales.com-9-26-2008.tar.gz Infected: Trojan-Clicker.Win32.Agent.adh 1

H:\webbups\backup-Feb-25-2006-1.tar.gz Infected: Trojan-Clicker.Win32.Agent.adh 1

H:\webbups\biker\backup-Aug-28-2006-1.tar.gz Infected: Trojan-Spy.HTML.Fraud.l 3

H:\webbups\biker\backup-Aug-28-2006-1.tar.gz Infected: Trojan-Clicker.Win32.Agent.adh 2

H:\webbups\biker\backup-Aug-9-2006-1.tar.gz Infected: Trojan-Spy.HTML.Fraud.l 3

H:\webbups\biker\backup-Aug-9-2006-1.tar.gz Infected: Trojan-Clicker.Win32.Agent.adh 2

H:\webbups\biker\backup-Dec-14-2006-1.tar.gz Infected: Trojan-Spy.HTML.Fraud.l 3

H:\webbups\biker\backup-Dec-14-2006-1.tar.gz Suspicious: Trojan-Spy.HTML.Fraud.gen 1

H:\webbups\biker\backup-Dec-14-2006-1.tar.gz Infected: Trojan-Clicker.Win32.Agent.adh 1

H:\webbups\biker\backup-Feb-9-2007-1.tar.gz Infected: Trojan-Clicker.Win32.Agent.adh 2

H:\webbups\biker\backup-Jan-19-2007-1.tar.gz Infected: Trojan-Spy.HTML.Fraud.l 3

H:\webbups\biker\backup-Jan-19-2007-1.tar.gz Suspicious: Trojan-Spy.HTML.Fraud.gen 1

H:\webbups\biker\backup-Jan-19-2007-1.tar.gz Infected: Trojan-Clicker.Win32.Agent.adh 1

H:\webbups\biker\backup-Jan-31-2007-1.tar.gz Infected: Trojan-Spy.HTML.Fraud.l 3

H:\webbups\biker\backup-Jan-31-2007-1.tar.gz Suspicious: Trojan-Spy.HTML.Fraud.gen 1

H:\webbups\biker\backup-Jan-31-2007-1.tar.gz Infected: Trojan-Clicker.Win32.Agent.adh 1

H:\webbups\biker\backup-Jun-17-2006-1.tar.gz Infected: Trojan-Clicker.Win32.Agent.adh 1

H:\webbups\biker\backup-Jun-21-2006-1.tar.gz Infected: Trojan-Clicker.Win32.Agent.adh 2

H:\webbups\biker\backup-May-12-2007-1.tar.gz Infected: Trojan-Clicker.Win32.Agent.adh 1

H:\webbups\biker\bwalessite.tar.gz Infected: Trojan-Clicker.Win32.Agent.adh 1

H:\webbups\bwales-Nov-19-2005-1.tar.gz Infected: Trojan-Clicker.Win32.Agent.adh 1

H:\webbups\fasthost\domains\bikerwales.com\public_html\bup.zip Infected: Trojan-Clicker.Win32.Agent.adh 1

H:\webbups\fasthost\domains\bikerwales.com\public_html\smf\chat\inc\patServer\winsrvHide.exe Infected: Trojan-Clicker.Win32.Agent.adh 1

H:\webbups\hssoftware-Nov-19-2005-1.tar.gz Infected: Trojan-Clicker.Win32.Agent.adh 1

The selected area was scanned.

Link to post
Share on other sites

  • Root Admin

These need to be cleaned by an Anti-Virus product. I could delete them for you but an Anti-Virus might be able to cure them.

Please update you AVG Anti-Virus to the latest version and then do a FULL SCAN with it. It should find the same items and or more items and correct the problem.

Let me know how that goes please and then we'll continue from there.

Link to post
Share on other sites

Hi

I've tried scanning the filesidetntified by Kaspersky with:

- AVG FREE (just Updated)

- SpyBot

- Malware Bytes

and none of them identified a problem.

I've deleted the 2 system folder files without any apparent ill effects, and I've run hijack.this again with the following results:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:43:09, on 23/01/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\brsvc01a.exe

C:\WINDOWS\System32\brss01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\htpatch.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\WINDOWS\system32\Brmfrmps.exe

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\FarStone\DriveClone Personal\CBP\DCSchdler.exe

C:\Program Files\FarStone\DriveClone Personal\EFB\efbfs.exe

C:\Program Files\FarStone\DriveClone Personal\EFB\EfbSchedule.exe

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\Program Files\FarStone\DriveClone Personal\fsloader.exe

C:\Program Files\FarStone\DriveClone Personal\VerChk.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\RioMSC.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hssoftware.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.com/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.medion.com/

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Metamail IEPlugin - {C09C9904-FD44-11D6-A711-00105AC8F168} - C:\PROGRA~1\METAMA~1\METAMA~1\IE\IEPlugIn.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\\PSDrvCheck.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\RunOnce: [DCHideDisk] "C:\Program Files\FarStone\DriveClone Personal\DCHDisk.exe" r

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com/

O16 - DPF: morfit3dWorld - http://www.3dstate.com/download/plugin3258/morfit3dWorld.CAB

O16 - DPF: {65A0276F-A5C2-4BA2-82DA-BC4AF3250F9E} (inDualityPluginCtl Object) - http://www.pelicancrossing.com/install/ind...alityplugin.cab

O16 - DPF: {C9BEF1E9-21F6-486F-80A2-32D61DE86E5E} - http://www.directxtras.com/speaksforitself...oad/ms_sapi.cab

O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -

O16 - DPF: {D4BC3B10-F024-4EF7-A62C-A298A11B51B5} - http://www.directxtras.com/speaksforitself.../mstts_mike.cab

O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} (Anark Client ActiveX Control) - http://install.anark.com/client/version2/w...en/AMClient.cab

O16 - DPF: {E4DFABBD-F5F6-11D3-8421-0080C6F79C42} (SpeechControl Class) - http://www.directxtras.com/speaksforitself...peechplugin.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe

O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: DriveClone Scheduler - Unknown owner - C:\Program Files\FarStone\DriveClone Personal\CBP\DCSchdlerSRVC.exe

O23 - Service: Restore FarStone File Event Manager (efbfs) - FarStone Technology, Inc. - C:\Program Files\FarStone\DriveClone Personal\EFB\efbfs.exe

O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

O23 - Service: FarStone RestoreIT Loader - Unknown owner - C:\Program Files\FarStone\DriveClone Personal\fsloader.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe

O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIIc\Win32\RpcDataSrv.exe

O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIIc\RpcSandraSrv.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: wampapache - Apache Software Foundation - D:\wamp\apache2\bin\httpd.exe

O23 - Service: wampmysqld - Unknown owner - D:\wamp\mysql\bin\mysqld-nt.exe

--

End of file - 10794 bytes

Link to post
Share on other sites

  • Root Admin

Well SpyBot, and MalwareBytes are not Anti-Virus products. AVG just may not know about it yet.

Please give this a try if you can.

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

    Avira AntiVir Rescue System
    Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore. Thus it is possible to:


  • repair a damaged system,
  • rescue data,

  • scan the system for virus infections.


    Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer.
    The Avira AntiVir Rescue System is updated several times a day so that the most recent security updates are always available.

Link to post
Share on other sites

Hi I've downloaded and created a CD for Antivira but I've also fixed the files manually that kaspersky flagged.

Most of these were actually a single file that comes with flaschat which actually seems to be legit.

All seems to be runing fine now

Can't thanks you guys enough for all your help which is very much appreciated - my machine is now running faster than it has in months if not years.

I've put up a link here from our website hope that's OK

Cheers and thanks again!

Link to post
Share on other sites

  • Root Admin

Okay well please run one more round of updates and scan and I'll take look for you to see if anything still shown.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

    [*]When the update is complete, select the Scanner tab

    [*]Select Perform quick scan, then click Scan.

    [*]When the scan is complete, click OK, then Show Results to view the results.

    [*]Be sure that everything is checked, and click Remove Selected.

    [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer

AFTER the reboot run HJT Do a system scan and save a logfile

The post back NEW MBAM and HJT logs in that order please.

Link to post
Share on other sites

OK Guys -= all done and here are the logs:

mbam:

############

Malwarebytes' Anti-Malware 1.33

Database version: 1699

Windows 5.1.2600 Service Pack 2

27/01/2009 18:53:04

mbam-log-2009-01-27 (18-53-04).txt

Scan type: Quick Scan

Objects scanned: 62786

Time elapsed: 6 minute(s), 54 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HJT LOG:

#########################

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:59:56, on 27/01/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINDOWS\System32\brsvc01a.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\brss01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\htpatch.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\WINDOWS\system32\Brmfrmps.exe

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\FarStone\DriveClone Personal\CBP\DCSchdler.exe

C:\Program Files\FarStone\DriveClone Personal\EFB\efbfs.exe

C:\Program Files\FarStone\DriveClone Personal\EFB\EfbSchedule.exe

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\Program Files\FarStone\DriveClone Personal\fsloader.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\FarStone\DriveClone Personal\VerChk.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\RioMSC.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hssoftware.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.com/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.medion.com/

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Metamail IEPlugin - {C09C9904-FD44-11D6-A711-00105AC8F168} - C:\PROGRA~1\METAMA~1\METAMA~1\IE\IEPlugIn.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\\PSDrvCheck.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\RunOnce: [DCHideDisk] "C:\Program Files\FarStone\DriveClone Personal\DCHDisk.exe" r

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com/

O16 - DPF: morfit3dWorld - http://www.3dstate.com/download/plugin3258/morfit3dWorld.CAB

O16 - DPF: {65A0276F-A5C2-4BA2-82DA-BC4AF3250F9E} (inDualityPluginCtl Object) - http://www.pelicancrossing.com/install/ind...alityplugin.cab

O16 - DPF: {C9BEF1E9-21F6-486F-80A2-32D61DE86E5E} - http://www.directxtras.com/speaksforitself...oad/ms_sapi.cab

O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -

O16 - DPF: {D4BC3B10-F024-4EF7-A62C-A298A11B51B5} - http://www.directxtras.com/speaksforitself.../mstts_mike.cab

O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} (Anark Client ActiveX Control) - http://install.anark.com/client/version2/w...en/AMClient.cab

O16 - DPF: {E4DFABBD-F5F6-11D3-8421-0080C6F79C42} (SpeechControl Class) - http://www.directxtras.com/speaksforitself...peechplugin.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe

O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: DriveClone Scheduler - Unknown owner - C:\Program Files\FarStone\DriveClone Personal\CBP\DCSchdlerSRVC.exe

O23 - Service: Restore FarStone File Event Manager (efbfs) - FarStone Technology, Inc. - C:\Program Files\FarStone\DriveClone Personal\EFB\efbfs.exe

O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

O23 - Service: FarStone RestoreIT Loader - Unknown owner - C:\Program Files\FarStone\DriveClone Personal\fsloader.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe

O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIIc\Win32\RpcDataSrv.exe

O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIIc\RpcSandraSrv.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: wampapache - Apache Software Foundation - D:\wamp\apache2\bin\httpd.exe

O23 - Service: wampmysqld - Unknown owner - D:\wamp\mysql\bin\mysqld-nt.exe

--

End of file - 10827 bytes

Link to post
Share on other sites

  • Root Admin

You still show signs of some OLD Java on the machine that should be removed.

This file is listed as a key logger. You should upload it and check it with an online scanner.

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

Upload a File to Jotti

Please visit http://virusscan.jotti.org/

Copy/paste this file and path into the white box at the top:

C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

Press Submit - this will submit the file for testing.

Please wait for all the scanners to finish then copy and paste the results in your next response.

Link to post
Share on other sites

OK - here's the good news I hope :)

Service load: 0% 100%

File: nppdf32.dll

Status: OK

MD5: a2ea5c73896ac06d2811a2ac157350bf

Packers detected: -

Scanner results

Scan taken on 28 Jan 2009 20:09:01 (GMT)

A-Squared Found nothing

AntiVir Found nothing

ArcaVir Found nothing

Avast Found nothing

AVG Antivirus Found nothing

BitDefender Found nothing

ClamAV Found nothing

CPsecure Found nothing

Dr.Web Found nothing

F-Prot Antivirus Found nothing

F-Secure Anti-Virus Found nothing

G DATA Found nothing

Ikarus Found nothing

Kaspersky Anti-Virus Found nothing

NOD32 Found nothing

Norman Virus Control Found nothing

Panda Antivirus Found nothing

Sophos Antivirus Found nothing

VirusBuster Found nothing

VBA32 Found nothing

Link to post
Share on other sites

  • Root Admin

Okay that's good news that no one detected it as Virus or Malware.

How is the computer running now?

Are there still any signs of an infection?

Please run this one more time.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

    [*]When the update is complete, select the Scanner tab

    [*]Select Perform quick scan, then click Scan.

    [*]When the scan is complete, click OK, then Show Results to view the results.

    [*]Be sure that everything is checked, and click Remove Selected.

    [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer

AFTER the reboot run HJT Do a system scan and save a logfile

The post back NEW MBAM and HJT logs in that order please.

Link to post
Share on other sites

Hi

Eeverything seems to be running fine now thanks:

here are the logs:

Malwarebytes' Anti-Malware 1.33

Database version: 1699

Windows 5.1.2600 Service Pack 2

29/01/2009 19:04:27

mbam-log-2009-01-29 (19-04-27).txt

Scan type: Quick Scan

Objects scanned: 64928

Time elapsed: 7 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

and now HJT

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:15:44, on 29/01/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\brsvc01a.exe

C:\WINDOWS\System32\brss01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\htpatch.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\WINDOWS\system32\Brmfrmps.exe

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\FarStone\DriveClone Personal\CBP\DCSchdler.exe

C:\Program Files\FarStone\DriveClone Personal\EFB\efbfs.exe

C:\Program Files\FarStone\DriveClone Personal\EFB\EfbSchedule.exe

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\Program Files\FarStone\DriveClone Personal\fsloader.exe

C:\Program Files\FarStone\DriveClone Personal\VerChk.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\RioMSC.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hssoftware.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.medion.com/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.medion.com/

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Metamail IEPlugin - {C09C9904-FD44-11D6-A711-00105AC8F168} - C:\PROGRA~1\METAMA~1\METAMA~1\IE\IEPlugIn.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\\PSDrvCheck.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\RunOnce: [DCHideDisk] "C:\Program Files\FarStone\DriveClone Personal\DCHDisk.exe" r

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.medion.com/

O16 - DPF: morfit3dWorld - http://www.3dstate.com/download/plugin3258/morfit3dWorld.CAB

O16 - DPF: {65A0276F-A5C2-4BA2-82DA-BC4AF3250F9E} (inDualityPluginCtl Object) - http://www.pelicancrossing.com/install/ind...alityplugin.cab

O16 - DPF: {C9BEF1E9-21F6-486F-80A2-32D61DE86E5E} - http://www.directxtras.com/speaksforitself...oad/ms_sapi.cab

O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -

O16 - DPF: {D4BC3B10-F024-4EF7-A62C-A298A11B51B5} - http://www.directxtras.com/speaksforitself.../mstts_mike.cab

O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} (Anark Client ActiveX Control) - http://install.anark.com/client/version2/w...en/AMClient.cab

O16 - DPF: {E4DFABBD-F5F6-11D3-8421-0080C6F79C42} (SpeechControl Class) - http://www.directxtras.com/speaksforitself...peechplugin.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe

O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: DriveClone Scheduler - Unknown owner - C:\Program Files\FarStone\DriveClone Personal\CBP\DCSchdlerSRVC.exe

O23 - Service: Restore FarStone File Event Manager (efbfs) - FarStone Technology, Inc. - C:\Program Files\FarStone\DriveClone Personal\EFB\efbfs.exe

O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

O23 - Service: FarStone RestoreIT Loader - Unknown owner - C:\Program Files\FarStone\DriveClone Personal\fsloader.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe

O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIIc\Win32\RpcDataSrv.exe

O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIIc\RpcSandraSrv.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O23 - Service: wampapache - Apache Software Foundation - D:\wamp\apache2\bin\httpd.exe

O23 - Service: wampmysqld - Unknown owner - D:\wamp\mysql\bin\mysqld-nt.exe

--

End of file - 10827 bytes

Link to post
Share on other sites

  • Root Admin

Looks good. I would highly suggest upgrading IE to 7 from 6. It is more secure. Also upgrade the OS to SP3

Great, all looks good now.

I'll close your post soon so that other don't post into it and leave you with this information and suggestions.

So how did I get infected in the first place?

At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.

Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.

  • Click the System Restore tab.

  • Check Turn off System Restore.

  • Click Apply, and then click OK.

  • Reboot.

Turn ON System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.

  • Click the System Restore tab.

  • UN-Check *Turn off System Restore*.

  • Click Apply, and then click OK.

This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster

Download it from
here

Find here the tutorial on how to use Spyware Blaster
here

Install WinPatrol

Download it from
here

Here you can find information about how WinPatrol works
here

Install FireTrust SiteHound

You can find information and download it from
here

Install hpHosts

Download it from
here

hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad,

tracking and malicious websites. This prevents your computer from connecting to these untrusted sites

by redirecting them to 127.0.0.1 which is your own local computer.

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your pc.

Visit Microsoft often to get the latest updates for your computer.

Note 1:

If you are running Windows XP
SP2
, you should upgrade to
SP3
.

Note 2:

Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.

The security suite can then be reinstalled afterwards.

The windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must.

I recommend
Online Armor Free

A little outdated but good reading on

how to prevent Malware

Keep safe online and happy surfing.

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you
Fully Understand

how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting
Pre- HJT Post Instructions

Also don't forget that we offer
FREE
assistance with General PC questions and repair here
PC Help

If you're pleased with the product
Malwarebytes
and the service provided you, please let your friends, family, and co-workers know.
http://www.malwarebytes.org

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.