Have been blessed with Win32:Beagle-AAW [RESOLVED], Infection in srosa.sys, hldrrr.exe, mdelk.exe
Krib (Member, Posts: 16, OS: XP) posted Aug 15 2008, 09:49 PM, Post #1

Hello. Avast free version caught this in the following directories and files:

C:\windows\system32\drivers\downld
C:\Documents and Settings\Krib\Local Settings\Temp

C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\drivers\mdelk.exe

Show hidden files / folders was removed from Explorer menu and had to be re-added with registry patch. Wow. Safe mode was disabled, and Gmer rootkit tool was not working.

After research, I tried killing the process hldrrr.exe and deleting all files above. When I got to the temp files, deleting them triggered round 2. Many Avast warnings, and internet stopped working.

I then panicked, did a system restore, and all symptoms disappeared. But it can't be that easy. Can it? I still see suspicious temp files in Local Settings\Temp.

Hijack This log:
=============================================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46:36 PM, on 8/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LM Gestion\LM Remote KeyMap\LM Remote KeyMap Blaster.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\cryptainersrv.exe
C:\Program Files\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\LClock\lclock.exe
C:\Program Files\Task Killer\TaskKiller.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\FreeMeter\FreeMeter.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\LM Gestion\LM Remote KeyMap\LM Remote KeyMap.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\SNAPST~1\Common\x10nets.exe
C:\Program Files\Mozilla Firefox 3.0\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Avast4\ashLogV.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O2 - BHO: Google Update Helper - {25D596E9-BD03-4D4A-8310-5DF3B31E8D26} - C:\Program Files\Google\Update\1.2.121.17\GoopdateBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe
O4 - HKCU\..\Run: [Task Killer] C:\Program Files\Task Killer\TaskKiller.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: FreeMeter.lnk = C:\Program Files\FreeMeter\FreeMeter.exe
O4 - Global Startup: LM Remote KeyMap.lnk = ?
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Speedfan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O4 - Global Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1204955729015
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c8e62667dffd5c) (gupdate1c8e62667dffd5c) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LM Remote KeyMap Blaster (LM Remote KeyMap Blaster Service) - LM Gestion - C:\Program Files\LM Gestion\LM Remote KeyMap\LM Remote KeyMap Blaster.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix Software (India) Pvt. Ltd. - C:\WINDOWS\SYSTEM32\cryptainersrv.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\SNAPST~1\Common\x10nets.exe

--
End of file - 8728 bytes

Thanks in advance. Kicking myself for getting this.
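As an added example (not code from the thread or from any tool named in it), a small Python triage script for HijackThis-format logs like the one posted above: it pulls the file path out of each O2/O4/O23 entry, flags executables launched from system32\drivers or from a Temp directory (the two locations the post names for the dropped files), and reports O1 hosts-file overrides. The sample log lines are constructed; the two O4 entries pointing at hldrrr.exe and mdelk.exe are hypothetical autostart entries written to exercise the checks, not lines from the posted log.

```python
"""Triage of HijackThis-style log lines (added example; not a tool from the thread)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the HijackThis line format shown in the thread. The two
# O4 entries that point at hldrrr.exe and mdelk.exe are hypothetical autostart
# entries built to exercise the checks; they are not lines from the posted log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [hypothetical_loader] C:\WINDOWS\system32\drivers\hldrrr.exe
O4 - HKCU\..\Run: [hypothetical_dropper] C:\Documents and Settings\Krib\Local Settings\Temp\mdelk.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix Software (India) Pvt. Ltd. - C:\WINDOWS\SYSTEM32\cryptainersrv.exe
"""

# A Windows path ending in a PE-type extension. Non-greedy, so that
# 'RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup' yields just the DLL path.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|cpl)(?![A-Za-z0-9])',
                     re.IGNORECASE)
ENTRY_RE = re.compile(r'^([RFNO]\d+)\s+-\s+(.*)$')
HOSTS_RE = re.compile(r'^Hosts:\s+(\S+)\s+(\S+)')


@dataclass
class Finding:
    severity: str   # "high" or "info"
    reason: str
    line: str


def extract_path(entry: str) -> Optional[str]:
    """Return the first file path in a log entry, or None if it has none."""
    m = PATH_RE.search(entry)
    return m.group(0) if m else None


def triage_line(line: str) -> List[Finding]:
    """Apply the location heuristics to one HijackThis entry."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return []
    kind, rest = m.group(1), m.group(2)
    findings: List[Finding] = []
    if kind == 'O1':
        # Hosts-file overrides are worth reviewing: the one in the thread points a
        # software licensing server at a loopback address, a typical crack artefact.
        hm = HOSTS_RE.match(rest)
        if hm:
            findings.append(Finding('info', f'hosts override {hm.group(2)} -> {hm.group(1)}', line))
        return findings
    if kind in ('O2', 'O4', 'O23'):
        path = extract_path(rest)
        if path is None:
            return findings
        low = path.lower()
        # .sys drivers belong in system32\drivers; an .exe there (hldrrr.exe and
        # mdelk.exe in the post) does not.
        if '\\system32\\drivers\\' in low and low.endswith('.exe'):
            findings.append(Finding('high', 'executable started from the drivers directory', line))
        # Nothing legitimate should autostart from a user's Temp directory.
        if '\\temp\\' in low or '\\temporary internet files\\' in low:
            findings.append(Finding('high', 'autostart from a temp directory', line))
    return findings


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line of a log and collect the findings."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        findings.extend(triage_line(line))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.severity}] {f.reason}: {f.line}')
```

Feed it a real HijackThis log (`triage(open('hijackthis.log').read())`) to get the same three classes of findings; entries it does not flag still need a manual read, since the heuristics only cover file location and hosts overrides.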
Mike (Malware Monger, Posts: 2,722, OS: XP Professional SP3) posted Aug 16 2008, 06:39 AM, Post #2

Hi there :)

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.
Krib (Member, Posts: 16, OS: XP) posted Aug 16 2008, 12:46 PM, Post #3

Howdy Mike.

I also did a Panda scan last night, so I'll post its findings for the sake of completeness. It claimed to clean all the low and medium threats that the free engine cleans.

Panda Activescan 2.0:


;*******************************************************************************
ANALYSIS: 2008-08-16 02:27:16
PROTECTIONS: 1
MALWARE: 18
SUSPECTS: 3
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
avast! antivirus 4.8.1201 [VPS 080815-0] 4.8.1201 Yes Yes
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00509861 Hacktool/AngryScan HackTools No 1 Yes No C:\System Volume Information\_restore{8E807F4E-DFCF-4EF4-B776-3B516BAF25EF}\RP218\A0059562.exe
01048918 Generic Malware Virus/Trojan No 0 Yes No C:\Program Files\TagRename\Patch.exe
02898934 W32/Bagle.RP.worm Virus/Worm No 0 Yes No C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\Content.IE5\JY31LTZW\b64_3[1].jpg
02898935 W32/Bagle.RP.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{8E807F4E-DFCF-4EF4-B776-3B516BAF25EF}\RP218\A0057297.sys
02898935 W32/Bagle.RP.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{8E807F4E-DFCF-4EF4-B776-3B516BAF25EF}\RP217\A0057215.sys
02925267 Generic Trojan Virus/Trojan No 0 Yes No C:\Program Files\DAEMON Tools Pro\daemon.tools.pro.patch.exe
02931463 Trj/Lineage.BZE Virus/Trojan No 1 Yes No C:\Program Files\Alcohol 120\keymaker.exe
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Program Files\Universal Document Converter\UDC4.2-Patch.exe
03378666 Trj/KillAV.FJ Virus/Trojan No 0 Yes No C:\Program Files\ESET\ESET NOD32 Antivirus\nodlogin.exe
;===============================================================================
SUSPECTS
Sent Location
;===============================================================================
No C:\Games\LEGO Star Wars\LegoStarwars.exe
No C:\Program Files\CHM To PDF Converter\CHM To PDF Converter PRO.exe
No D:\Downloads\Lockngo_Professional_2.52_Cracked.zip[Lockngo_Professional_2.52_Cracked.exe]
;===============================================================================
VULNERABILITIES
Id Severity Description
;===============================================================================
;===============================================================================

Combofix:

ComboFix 08-08-15.04 - Krib 2008-08-16 14:28:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1188 [GMT -4:00]
Running from: C:\Documents and Settings\Krib\Desktop\Combo-Fix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-3445486255
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-3478230872
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-3519524815
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-3530978474
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-3556616717
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-357077844
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-3663159576
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-3675179774
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-3726826515
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-3747527746
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-3783212805
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-3789403901
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-3792667552
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-3799448507
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-3814368683
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-3843598844
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-3859558621
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-3860078420
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-386728365
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-3867832101
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-3878875405
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-3991119130
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-4082000302
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-409685561
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-4201227420
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-426485771
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-4288513361

C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-431126316
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-481900750
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-491674561
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-517337752
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-520781565
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-525835439
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-567161769
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-609121030
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-629029636
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-656908345
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-687064496
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-689840474
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-700353286
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-705495393
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-721156854
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-764722285
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-770083002
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-773912834
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-776873446
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-797516018
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-85847068
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-871163531
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-900211332
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-929571615
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-958814968
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-96682841
C:\Documents and Settings\Krib\Local Settings\Temporary Internet Files\mpcache-988907698
C:\WINDOWS\temp\perflib_perfdata_1cc.dat

.
((((((((((((((((((((((((( Files Created from 2008-07-16 to 2008-08-16 )))))))))))))))))))))))))))))))
.

2008-08-16 02:57 . 2008-08-16 02:57 <DIR> d-------- C:\Documents and Settings\Krib\Application Data\Launchy
2008-08-16 01:22 . 2008-08-16 01:23 <DIR> d-------- C:\Documents and Settings\Krib\Application Data\PenProtect
2008-08-16 00:28 . 2008-08-16 00:28 <DIR> d--h----- C:\WINDOWS\PIF
2008-08-15 23:53 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-15 23:52 . 2008-08-15 23:52 <DIR> d-------- C:\Program Files\Panda Security
2008-08-15 23:16 . 2008-08-15 23:16 <DIR> d-------- C:\Program Files\LClock
2008-08-15 22:32 . 2008-08-15 22:32 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2008-08-15 22:27 . 2008-08-15 22:27 <DIR> d-------- C:\Documents and Settings\Krib\Application Data\BitDefender
2008-08-15 22:25 . 2008-08-15 22:25 <DIR> d-------- C:\Program Files\BitDefender
2008-08-15 22:25 . 2008-08-15 22:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-08-15 22:23 . 2008-08-15 23:16 <DIR> d-------- C:\Program Files\Common Files\BitDefender
2008-08-06 20:18 . 2008-08-06 20:18 754 --a------ C:\WINDOWS\WORDPAD.INI
2008-08-06 19:11 . 2008-08-06 19:11 <DIR> d-------- C:\Documents and Settings\Krib\Application Data\Helios
2008-08-06 19:10 . 2008-08-06 19:10 <DIR> d-------- C:\Program Files\TextPad 5
2008-07-30 17:28 . 2008-07-30 17:28 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-07-30 17:28 . 2008-07-30 17:28 <DIR> d-------- C:\WINDOWS\system32\en
2008-07-30 17:28 . 2008-07-30 17:28 <DIR> d-------- C:\WINDOWS\system32\bits
2008-07-30 17:28 . 2008-07-30 17:28 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-30 17:27 . 2008-07-30 17:28 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-30 16:13 . 2008-04-13 20:11 136,192 --------- C:\WINDOWS\system32\aaclient.dll
2008-07-21 20:42 . 2008-07-21 20:42 42,320 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-07-20 23:35 . 2008-07-27 01:45 <DIR> d-------- C:\Program Files\EVEMon
2008-07-20 23:35 . 2008-07-27 01:45 <DIR> d-------- C:\Documents and Settings\Krib\Application Data\EVEMon
2008-07-20 18:00 . 2008-07-20 18:00 <DIR> d-------- C:\Documents and Settings\Preferences\EVE
2008-07-20 18:00 . 2008-07-20 18:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CCP
2008-07-20 05:21 . 2008-07-20 05:22 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-07-20 05:21 . 2008-07-20 05:21 <DIR> d-------- C:\Documents and Settings\Krib\Application Data\SystemRequirementsLab
2008-07-19 13:55 . 2008-07-19 13:55 <DIR> d-------- C:\Program Files\Opera
2008-07-16 20:55 . 2008-07-16 20:55 <DIR> d-------- C:\Documents and Settings\Preferences\SnagIt
2008-07-16 20:54 . 2008-08-10 19:47 <DIR> d-------- C:\Program Files\SnagIt 9
2008-07-16 20:54 . 2008-07-16 20:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TechSmith
2008-07-16 20:40 . 2008-07-16 20:47 <DIR> d-------- C:\Program Files\TrayColor95

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-16 06:38 --------- d-----w C:\Program Files\Cryptainer
2008-08-16 06:29 --------- d-----w C:\Program Files\Universal Document Converter
2008-08-16 06:29 --------- d-----w C:\Program Files\TagRename
2008-08-16 06:29 --------- d-----w C:\Program Files\DAEMON Tools Pro
2008-08-16 06:29 --------- d-----w C:\Program Files\Alcohol 120
2008-08-16 04:54 --------- d-----w C:\Program Files\Mozilla Firefox 3.0
2008-08-16 04:52 --------- d-----w C:\Program Files\SpeedFan
2008-08-16 04:23 --------- d-----w C:\Program Files\eMule
2008-08-16 03:18 --------- d-----w C:\Program Files\7-Zip
2008-08-16 03:16 --------- d-----w C:\Documents and Settings\Krib\Application Data\uTorrent
2008-08-15 04:35 --------- d-----w C:\Program Files\MediaPortal
2008-08-11 23:56 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-08-11 23:56 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-10 22:04 --------- d-----w C:\Program Files\IconWorkshop
2008-08-08 03:46 --------- d-----w C:\Documents and Settings\Krib\Application Data\Xfire
2008-08-07 22:34 --------- d-----w C:\Program Files\Xfire
2008-08-01 22:57 --------- d-----w C:\Program Files\Google
2008-07-11 00:24 --------- d-----w C:\Documents and Settings\Krib\Application Data\Windows Live Writer
2008-07-11 00:19 --------- d-----w C:\Program Files\Windows Live Writer
2008-07-05 21:07 --------- d-----w C:\Program Files\Galactopedia
2008-07-05 20:33 --------- dc-h--w C:\Documents and Settings\All Users\Application Data\{1EB63B4B-5639-4477-8E24-05C31B5F8019}
2008-07-05 20:33 --------- d-----w C:\Documents and Settings\Krib\Application Data\Stardock
2008-07-05 20:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Stardock
2008-07-05 20:32 --------- d-----w C:\Program Files\Stardock
2008-07-04 01:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-29 07:30 --------- d-----w C:\Program Files\Avast4
2008-03-08 20:17 161,862 --sha-r C:\Program Files\desktop1.ico
2008-03-08 20:17 123 --sha-r C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LClock"="C:\Program Files\LClock\lclock.exe" [2004-09-19 14:27 65536]
"Task Killer"="C:\Program Files\Task Killer\TaskKiller.exe" [2007-11-04 08:51 221696]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 14:39 1289000]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 17:40 155648]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"OODefragTray"="C:\WINDOWS\system32\oodtray.exe" [2007-05-11 03:08 2512392]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"avast!"="C:\PROGRA~1\Avast4\ashDisp.exe" [2008-05-15 19:19 79224]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 03:17 55824 C:\WINDOWS\KHALMNPR.Exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
FreeMeter.lnk - C:\Program Files\FreeMeter\FreeMeter.exe [2008-03-08 15:20:22 614400]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoUserNameInStartMenu"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-01-09 13:30 72208 c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2008-03-08 04:45 210168 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Games\\Crysis\\Bin32\\Crysis.exe"=
"C:\\Games\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 19:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 19:16]
R2 LM Remote KeyMap Blaster Service;LM Remote KeyMap Blaster;C:\Program Files\LM Gestion\LM Remote KeyMap\LM Remote KeyMap Blaster.exe [2008-02-23 18:00]
R2 ssoftnt4;ssoftnt4;C:\WINDOWS\system32\Drivers\ssoftnt4.sys [2007-01-24 12:16]
R3 ctgame;Game Port;C:\WINDOWS\system32\DRIVERS\ctgame.sys [2002-12-30 10:53]
S2 gupdate1c8e62667dffd5c;Google Update Service (gupdate1c8e62667dffd5c);C:\Program Files\Google\Update\GoogleUpdate.exe [2008-07-14 22:56]
S3 bcgame;Nostromo HID Device Minidriver;C:\WINDOWS\system32\drivers\bcgame.sys [2003-07-24 02:16]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ae9b7d7-f38d-11dc-90d2-123456789abc}]
\Shell\AutoRun\command - G:\cryptainermobile.exe

*Newly Created Service* - CATCHME
*Newly Created Service* - PAVBOOT
*Newly Created Service* - PROCEXP90
*Newly Created Service* - SSOFTSERVICE
.
Contents of the 'Scheduled Tasks' folder

2008-08-07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]

2008-08-16 C:\WINDOWS\Tasks\GoogleUpdateTask.job
- C:\Program Files\Google\Update\GoogleUpdate.exe [2008-07-14 22:56]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Start WingMan Profiler - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Krib\Application Data\Mozilla\Firefox\Profiles\qo09gos1.Kribensis\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.nytimes.com
FF -: plugin - C:\Documents and Settings\Krib\Application Data\Mozilla\Firefox\Profiles\qo09gos1.Kribensis\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
FF -: plugin - C:\Documents and Settings\Krib\Application Data\Mozilla\Firefox\Profiles\qo09gos1.Kribensis\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07051001.dll
FF -: plugin - C:\Program Files\Google\Lively\nplively.dll
FF -: plugin - C:\Program Files\Google\Update\1.2.121.17\npGoogleOneClick.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - C:\Program Files\Mozilla Firefox 3.0\plugins\npnul32.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-16 14:32:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-16 14:37:37
ComboFix-quarantined-files.txt 2008-08-16 18:37:02

Pre-Run: 40,060,850,176 bytes free
Post-Run: 40,384,323,584 bytes free

328 --- E O F --- 2008-06-29 07:42:25

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:40:28 PM, on 8/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\LClock\lclock.exe
C:\Program Files\Task Killer\TaskKiller.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LM Gestion\LM Remote KeyMap\LM Remote KeyMap.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LM Gestion\LM Remote KeyMap\LM Remote KeyMap Blaster.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\SNAPST~1\Common\x10nets.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox 3.0\firefox.exe
C:\WINDOWS\system32\cryptainersrv.exe
G:\CryptainerMobileFiles\cryptainer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O2 - BHO: Google Update Helper - {25D596E9-BD03-4D4A-8310-5DF3B31E8D26} - C:\Program Files\Google\Update\1.2.121.17\GoopdateBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\
Mike
post Aug 16 2008, 02:11 PM
Post #4


Malware Monger
Posts: 2,722
OS: XP Professional SP3



Hi there,

Stay away from cracks.

Uninstall these programs:
Alcohol 120
CHM To PDF Converter
DAEMON Tools Pro
ESET
TagRename
Universal Document Converter

Did you set these policies?
QUOTE
"NoSMHelp"
"NoSMMyDocs"
"NoSMMyPictures"
"NoUserNameInStartMenu"



Please click Start, then Run; in the window that appears, type in Notepad.exe.
Highlight the entire content of the codebox below. Copy (Control + C) and Paste (Control + V) the content into the notepad window:
CODE
File::
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Games\LEGO Star Wars\LegoStarwars.exe
D:\Downloads\Lockngo_Professional_2.52_Cracked.zip[Lockngo_Professional_2.52_Cracked.exe

Folder::
C:\Program Files\Alcohol 120
C:\Program Files\CHM To PDF Converter
C:\Program Files\DAEMON Tools Pro
C:\Program Files\ESET
C:\Program Files\TagRename
C:\Program Files\Universal Document Converter

Driver::
gupdate1c8e62667dffd5c

DirLook::
D:\downloads

Now in Notepad, go to File and in the menu that drops down click on Save As...
Save the file as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


After that please reboot your computer if it asks you to and post ComboFix.txt (the report the ComboFix will generate) in your next reply.

And,

Please download ATF Cleaner by Atribune.
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Let's run an F-Secure online scan for Viruses, Spyware and RootKits:
  • Go to http://support.f-secure.com/enu/home/ols.shtml
  • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
  • Allow the Active X control to be installed on your computer, then click the Accept button
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post

If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
  • When the cleaning option is presented, Uncheck Submit samples to F-Secure
  • Click Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post

Notes:
  • This scan will only work with Internet Explorer
  • You must have administrator rights to run this scan
  • This scan can take several hours, so please be patient


Post back with the logs and a new Hijack This log - if they are too long you have to spread the logs across multiple posts.

This post has been edited by Mike: Aug 16 2008, 02:15 PM
Krib