Pipas.A infection persistence

Hi spra and Welcome to GeekstoGo!


Please make sure Ewido is updated with the latest definitions.


Please download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://www.bleepingc.../Fixwareout.exe

• Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
• The fix will begin; follow the prompts.
• You will be asked to reboot your computer,Reboot into SAFE MODE(Tap F8 when restarting)
  <a href="http://service1.syma...rc=sec_doc_nam" target="_blank">http://service1.syma...sec_doc_nam</a>
• Your system may take longer than usual to load; this is normal.
• Once the desktop loads-> Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet
  
  O1 - Hosts: localhost 127.0.0.1
  
  O17 - HKLM\System\CCS\Services\Tcpip\..\{0DCB9C35-3073-46DE-88B5-781B6623223C}: NameServer = 85.255.116.52,85.255.112.106
  
  O17 - HKLM\System\CCS\Services\Tcpip\..\{1A2A6ADB-AD3B-4EB8-8A7F-4E041363767E}: NameServer = 85.255.116.52,85.255.112.106
  
  O17 - HKLM\System\CCS\Services\Tcpip\..\{B8487492-FDF5-466D-92EA-2C54D4B8CDB7}: NameServer = 85.255.116.52,85.255.112.106
  
  O17 - HKLM\System\CCS\Services\Tcpip\..\{B9927C7D-A2AD-41A6-B88D-DC4F657DEE9A}: NameServer = 85.255.116.52,85.255.112.106
  
  O17 - HKLM\System\CS1\Services\Tcpip\..\{0DCB9C35-3073-46DE-88B5-781B6623223C}: NameServer = 85.255.116.52,85.255.112.106
  
  O17 - HKLM\System\CS2\Services\Tcpip\..\{0DCB9C35-3073-46DE-88B5-781B6623223C}: NameServer = 85.255.116.52,85.255.112.106
  Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button

Once in safe mode Open Ewido Security Suite and do the following:

• Click on scanner
• Click on Complete System Scan and the scan will begin.
• You will be prompted to clean the first infection.
• Select "Perform action on all infections", then proceed.
• Once the scan has completed, there will be a button located on the bottom of the screen named Save report
• Click Save report.
• Save the report .txt file to your desktop or a location where you can find it easily.

Close ewido security suite.


Click Start, and then click Search.
Click All files and folders.
In the "All or part of the file name" box, type:

rasphone.pbk

Verify that "Look in" is set to "Local Hard Drives" or to (C:).
Click "More advanced options."
Check "Search system folders."
Check "Search subfolders."
Click Search.
Click Find Now or Search Now.

If you find rasphone.pbk file, right-click the file, and then click "Open With."
Deselect the "Always use this program to open this program" check box.
Scroll through the list of programs and double-click Notepad.
When the file opens, delete the entries below:

IpDnsAddress = 85.255.116.52
IpDns2Address = 85.255.112.106
IpNameAssign = 2


Now open the Control Panel-> In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically

Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be avaiable one some systems.


Restart Normal and Go start run type cmd and hit OK
type
ipconfig /flushdns
then hit enter, type exit hit enter
(that space between g and / is needed)


Have the PC Scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work

Save the Report it generates

Post back with a fresh HijackThis log and the reports from Ewido--> Panda and report.txt from Fix WareOut.

Edited by Cretemonster, 10 June 2006 - 06:34 AM.

Cretemonster thanks for your help.

The first time I rebooted, by mistake, I did so in normal mode.
After that I repeated the fixwareout run and rebooted in safe mode.
Here are the logs.
---------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:49:46 PM, on 6/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MACROE~1\MACEXP.EXE
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Spyros\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.gr/
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Watch for Browser Events - {516E2306-7ADF-47EC-AEA8-ACB6B51899F1} - C:\PROGRA~1\MACROE~1\iCapture.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Macro Express 3.lnk = ?
O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7CEEAB76-D59E-11D3-8394-00C04F7BDF10} (Application Class) - https://www.tradesta...ugIn/tsTemp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

-----------------------------------------------------------------------------------


Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\IPSEC6.EXE
* csr.exe C:\WINDOWS\System32\CSIZJ.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSIZJ.EXE 51,292 2006-06-06
C:\WINDOWS\SYSTEM32\DMCEZ.EXE 44,078 2004-08-04
----------------------------------------------------------------------------------------------

Active Scan:


Incident Status Location

Adware:adware/cws Not disinfected c:\documents and settings\all users\favorites\Download Free Spyware Remover.url
Spyware:spyware/cws.olehelp Not disinfected Windows Registry
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Spyros\Cookies\[email protected][2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Spyros\Cookies\spyros@azjmp[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Spyros\Cookies\[email protected][2].txt
Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\Spyros\Cookies\[email protected][1].txt
Adware:Adware/Trebuh Not disinfected C:\WINDOWS\system32\csizj.exe

-----------------------------------------------------------------------------------------------------------------


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:11:50 PM, 6/10/2006
+ Report-Checksum: F6C1D0FE

+ Scan result:

C:\RECYCLER\S-1-5-21-1004336348-764733703-725345543-1003\Dc1.exe -> Hijacker.Small.kg : Cleaned with backup
C:\RECYCLER\S-1-5-21-1004336348-764733703-725345543-1003\Dc2.exe -> Trojan.Hoster : Cleaned with backup
C:\RECYCLER\S-1-5-21-1004336348-764733703-725345543-1003\Dc3.exe -> Adware.Msnagent : Cleaned with backup
C:\RECYCLER\S-1-5-21-1004336348-764733703-725345543-1003\Dc4.exe -> Adware.FindSpy : Cleaned with backup
C:\WINDOWS\system32\dmcez.exe -> Trojan.Small.fb : Cleaned with backup


::Report End

-----------------------------------------------------------------------------------------

Download WinPFind to your C Drive.
http://www.bleepingc...es/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet


Restart in Safe Mode and be sure Windows is Showing Hidden Files
http://www.bleepingc...al62.html#winxp


Search for and delete if found

C:\WINDOWS\system32\dmcez.exe<-- File

C:\WINDOWS\system32\csizj.exe<-- File

c:\documents and settings\all users\favorites\Download Free Spyware Remover.url<-- File


From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient

Once you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder


Restart the Machine and Please run the F-Secure Online Scanner

• Follow the directions in the F-Secure page for proper Installation.
• Accept the License Agreement.
• Once the ActiveX installs,Click Custom Scan and be sure the following are checked.
  • Scan whole System
  • Scan all files
  • Scan whole system for rootkits
  • Scan whole system for spyware
  • Scan inside archives
  • Use advanced heuristics
• Once the download completes,the scan will begin automatically.
• The scan will take some time to finish,so please be patient.
• When the scan completes, click the I want to decide item by item button.
• For each item found,Select Disinfect and Click Next
• Click the Show Report button and Copy&Paste the entire report in your next reply along with the WinPFind log.

F-Secure did not give me the chance to customise the scan the way you described. Instead, once downloaded I started scanning and it finished without any messages.

I did the rest as instructed. Here is the WinPFind text.

------------------------------------------------------------------------

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 8/4/2004 4:07:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
aspack 8/4/2004 4:07:00 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 4:07:00 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/4/2004 4:07:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
6/11/2006 12:39:10 AM S 2048 C:\WINDOWS\bootstat.dat
5/1/2006 6:33:20 PM RH 749 C:\WINDOWS\WindowsShell.Manifest
6/10/2006 5:11:58 PM S 64 C:\WINDOWS\CSC\00000001
6/10/2006 5:10:20 PM S 64 C:\WINDOWS\CSC\00000002
5/1/2006 6:33:26 PM H 65 C:\WINDOWS\Downloaded Program Files\desktop.ini
5/1/2006 6:34:08 PM HS 67 C:\WINDOWS\Fonts\desktop.ini
6/10/2006 9:12:46 PM H 0 C:\WINDOWS\LastGood\INF\oem11.inf
6/10/2006 9:12:46 PM H 0 C:\WINDOWS\LastGood\INF\oem11.PNF
5/1/2006 6:33:26 PM H 65 C:\WINDOWS\Offline Web Pages\desktop.ini
5/1/2006 6:33:48 PM RHS 727 C:\WINDOWS\pchealth\helpctr\PackageStore\package_1.cab
5/1/2006 6:33:48 PM RHS 19854 C:\WINDOWS\pchealth\helpctr\PackageStore\package_2.cab
5/1/2006 6:33:48 PM RHS 244933 C:\WINDOWS\pchealth\helpctr\PackageStore\package_3.cab
5/1/2006 6:34:50 PM H 225280 C:\WINDOWS\repair\ntuser.dat
5/1/2006 6:33:20 PM RH 749 C:\WINDOWS\system32\cdplayer.exe.manifest
5/1/2006 6:33:26 PM RH 488 C:\WINDOWS\system32\logonui.exe.manifest
5/1/2006 6:33:20 PM RH 749 C:\WINDOWS\system32\ncpa.cpl.manifest
5/1/2006 6:33:20 PM RH 749 C:\WINDOWS\system32\nwc.cpl.manifest
5/1/2006 6:33:20 PM RH 749 C:\WINDOWS\system32\sapi.cpl.manifest
5/1/2006 6:33:26 PM RH 488 C:\WINDOWS\system32\WindowsLogon.manifest
5/1/2006 6:33:20 PM RH 749 C:\WINDOWS\system32\wuaucpl.cpl.manifest
6/11/2006 12:39:02 AM H 8192 C:\WINDOWS\system32\config\default.LOG
6/11/2006 12:39:24 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG
6/11/2006 12:39:12 AM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
6/11/2006 12:43:02 AM H 81920 C:\WINDOWS\system32\config\software.LOG
6/11/2006 12:39:18 AM H 974848 C:\WINDOWS\system32\config\system.LOG
5/1/2006 9:16:56 PM H 1024 C:\WINDOWS\system32\config\TempKey.LOG
5/1/2006 9:16:56 PM H 1024 C:\WINDOWS\system32\config\userdiff.LOG
5/1/2006 9:18:32 PM HS 62 C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini
5/13/2006 1:27:54 PM S 688 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5
5/1/2006 6:49:38 PM S 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
6/2/2006 12:33:50 PM S 70226 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\F482C95F83F1B59228F1B1E720F2EDF1
5/13/2006 1:27:54 PM S 94 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5
5/1/2006 6:49:38 PM S 144 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
6/2/2006 12:33:50 PM S 128 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\F482C95F83F1B59228F1B1E720F2EDF1
5/1/2006 9:18:32 PM HS 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini
5/1/2006 6:38:38 PM HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini
5/1/2006 6:38:38 PM HS 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini
5/1/2006 6:38:38 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini
5/1/2006 6:38:38 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
5/1/2006 6:38:38 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0XUNO5YZ\desktop.ini
5/1/2006 6:38:38 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KLMVO1E7\desktop.ini
5/1/2006 6:38:38 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W56745AZ\desktop.ini
5/1/2006 6:38:38 PM HS 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WTEZ0DER\desktop.ini
5/1/2006 6:33:28 PM HS 181 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini
5/1/2006 9:18:32 PM HS 62 C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini
5/1/2006 6:34:48 PM HS 148 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini
5/1/2006 6:34:48 PM HS 482 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini
5/1/2006 6:34:48 PM HS 348 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini
5/1/2006 6:34:48 PM HS 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini
5/1/2006 6:34:48 PM HS 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
5/1/2006 6:38:44 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\84bd2090-1ace-494c-a64a-ff44d930e68d
5/1/2006 6:38:44 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
6/11/2006 12:38:12 AM H 6 C:\WINDOWS\Tasks\SA.DAT
5/3/2006 12:53:38 PM HS 65024 C:\WINDOWS\Web\Wallpaper\Thumbs.db

Checking for CPL files...
Microsoft Corporation 8/4/2004 4:07:00 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
NVIDIA Corporation 6/17/2003 12:17:38 PM R 73728 C:\WINDOWS\SYSTEM32\sscpl.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 162304 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 549888 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 135168 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 358400 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 68608 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 618496 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 155648 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 8/4/2004 4:07:00 AM 162304 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
5/3/2006 3:10:04 PM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
5/1/2006 6:34:48 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
5/3/2006 1:25:54 PM 457 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Macro Express 3.lnk
5/3/2006 1:12:04 PM 810 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SnagIt 7.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
5/1/2006 9:18:32 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
5/21/2006 11:28:44 PM 988 C:\Documents and Settings\Spyros\Start Menu\Programs\Startup\Adobe Gamma.lnk
5/1/2006 6:34:48 PM HS 84 C:\Documents and Settings\Spyros\Start Menu\Programs\Startup\desktop.ini
5/1/2006 10:04:26 PM 650 C:\Documents and Settings\Spyros\Start Menu\Programs\Startup\SpywareGuard.lnk

Checking files in %USERPROFILE%\Application Data folder...
5/3/2006 3:02:32 PM 871 C:\Documents and Settings\Spyros\Application Data\AdobeDLM.log
5/1/2006 9:18:32 PM HS 62 C:\Documents and Settings\Spyros\Application Data\desktop.ini
5/3/2006 3:02:32 PM 0 C:\Documents and Settings\Spyros\Application Data\dm.ini
4/27/2006 5:02:46 PM 5 C:\Documents and Settings\Spyros\Application Data\kc.tmp

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
{81559C35-8464-49F7-BB0E-07A383BEF910} = C:\Program Files\SpywareGuard\spywareguard.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00C6482D-C502-44C8-8409-FCE54AD9C208}
HelperObject Class = C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A368E80-174F-4872-96B5-0B27DDD11DB2}
SpywareGuardDLBLOCK.CBrowserHelper = C:\Program Files\SpywareGuard\dlprotect.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{516E2306-7ADF-47EC-AEA8-ACB6B51899F1}
Watch for Browser Events = C:\PROGRA~1\MACROE~1\iCapture.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} = SnagIt : C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SpeedTouch USB Diagnostics "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
nForce Tray Options sstray.exe /r
SmcService C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
THGuard "C:\Program Files\TrojanHunter 4.2\THGuard.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTFMON.EXE C:\WINDOWS\system32\ctfmon.exe
SpybotSD TeaTimer C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
= Ati2evxx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 6/11/2006 12:52:41 AM

One more Online Scan,please.


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
  
• Now click on Scan Settings
• In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  Extended (if available otherwise Standard)
  
  • Scan Options:
  Scan Archives
  Scan Mail Bases
• Click OK
• Now under select a target to scan:Select My Computer
• This will program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
• Save the file to your desktop.
• Copy and paste that information in your next post along with a fresh HijackThis log.

Here are the new reports:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, June 11, 2006 2:18:01 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 11/06/2006
Kaspersky Anti-Virus database records: 199824
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 82696
Number of viruses found: 7
Number of infected objects: 14
Number of suspicious objects: 0
Duration of the scan process: 00:34:41

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\_restore{7E20C5A5-C6CA-413C-8E9D-52B255EE3810}\RP46\A0003419.exe Infected: Trojan.Win32.Small.fb skipped
C:\System Volume Information\_restore{7E20C5A5-C6CA-413C-8E9D-52B255EE3810}\RP46\A0003449.exe Infected: Trojan.Win32.Small.fb skipped
C:\System Volume Information\_restore{7E20C5A5-C6CA-413C-8E9D-52B255EE3810}\RP47\A0003464.exe Infected: Trojan.Win32.Small.fb skipped
C:\System Volume Information\_restore{7E20C5A5-C6CA-413C-8E9D-52B255EE3810}\RP47\A0003527.exe Infected: Trojan-Clicker.Win32.Small.kg skipped
C:\System Volume Information\_restore{7E20C5A5-C6CA-413C-8E9D-52B255EE3810}\RP47\A0003528.exe Infected: Trojan.Win32.Small.gq skipped
C:\System Volume Information\_restore{7E20C5A5-C6CA-413C-8E9D-52B255EE3810}\RP47\A0003529.exe Infected: not-a-virus:AdWare.Win32.Msnagent.b skipped
C:\System Volume Information\_restore{7E20C5A5-C6CA-413C-8E9D-52B255EE3810}\RP47\A0003530.exe Infected: not-a-virus:AdWare.Win32.FindSpy.a skipped
C:\System Volume Information\_restore{7E20C5A5-C6CA-413C-8E9D-52B255EE3810}\RP47\A0003531.exe Infected: Trojan.Win32.Small.fb skipped
D:\System Volume Information\_restore{CA254DD6-E748-4C51-9A1D-68D64A69D943}\RP25\A0012775.exe/data0013 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
D:\System Volume Information\_restore{CA254DD6-E748-4C51-9A1D-68D64A69D943}\RP25\A0012775.exe NSIS: infected - 1 skipped
D:\System Volume Information\_restore{ECC2F1DF-B467-46C1-B75C-57F338DF83A6}\RP71\A0009640.exe/data0007 Infected: not-a-virus:Monitor.Win32.UserLogger.29 skipped
D:\System Volume Information\_restore{ECC2F1DF-B467-46C1-B75C-57F338DF83A6}\RP71\A0009640.exe Inno: infected - 1 skipped
D:\System Volume Information\_restore{ECC2F1DF-B467-46C1-B75C-57F338DF83A6}\RP71\A0009762.exe/data0013 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
D:\System Volume Information\_restore{ECC2F1DF-B467-46C1-B75C-57F338DF83A6}\RP71\A0009762.exe NSIS: infected - 1 skipped

Scan process completed.
----------------------------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 2:20:17 PM, on 6/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MACROE~1\MACEXP.EXE
C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Spyros\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.gr/
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Watch for Browser Events - {516E2306-7ADF-47EC-AEA8-ACB6B51899F1} - C:\PROGRA~1\MACROE~1\iCapture.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Macro Express 3.lnk = ?
O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {7CEEAB76-D59E-11D3-8394-00C04F7BDF10} (Application Class) - https://www.tradesta...ugIn/tsTemp.cab
O16 - DPF: {94EB57FE-2720-496C-B33F-D9353C6E23F7} (F-Secure Online Scanner 2.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

Looking Good!

Please Install these 2 to add to the Security of the PC!

SpywareBlaster:
http://www.javacools.../downloads.html
Update Immediatly!

WinHelp2002 Hosts File
http://www.mvps.org/...2002/hosts2.htm

Disable System Restore
http://service1.syma...src=sec_doc_nam

Go ahead and Reconfigure Msconfig the way you like the PC to Startup

Go ahead and remove any of the tools downloaded that are of no use anymore

Post back and let me know how things are?


Please install,update and scan the entire system with one of the following free Antivirus Software Programs

AntiVir® PersonalEdition Classic

AVG Free for Windows

BitDefender 8 Free Edition

avast! 4 Home Edition

I ran Spybot and it did not find Pipas.A.
I also ran ewido and it found just one tracking cookie.
So it seems ok.

I have 4 questions though:

1. Shouldn't I turn System Restore back on?
2. Should I keep the Show Hidden Files and Folders option on?
3. Which of the programs to remove?
4. Do you need another Hijackthis report or is it ok?

Thank you

Edited by spra, 12 June 2006 - 11:59 AM.

No need for another HjiackThis log,all appears in order now.

You can delete FixWareOut and WinPFind.

Re Hide the files.


Go ahead and Renable System Restore and restart the PC,this will clear out all old nasty restore points and create a nice new fresh clean one for you to fall back on should you ever need it.


Updating Java and Clearing Cache

• Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
• It will say "Java Plug-in" under the icon.
  Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
• If you are unable to update you can manually update by going here:
  • http://www.java.com/en/download/manual.jsp
• After the reboot, go back into the Control Panel and double-click the Java Icon.
• Under Temporary Internet Files, click the Delete Files button.
• There are three options in the window to clear the cache - Leave ALL 3 CheckedDownloaded Applets
  Downloaded Applications
  Other Files
• Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
• Click OK to leave the Java Control Panel.

It is suggested that you go and change all your passwords since some of these may have been compromised during the infection.


Read through those 3 little black links in my signature to get some extra ideas about how to avoid this in the future.


Please remember to check your AntiVirus and any Spyware Apps for updates atleast twice a week


Make sure you keep your Windows Operating System up to date by visiting Windows Updates regularly to download and install any critical updates and service packs.


If you ever need us again,you know how to find us!

Cretemonster,

I don't have any java Plug-in in my computer.
Must I get one?

Thank you

http://www.microsoft.com/mscorp/java/]

That link should give you all the info you need.

Everything is ok now.

Thank you again!