some odd virus...


  • Please log in to reply

#1
Infectedlie^.^

Basically I was planning on running one of my IRC bots when I got the "'php' is not recognized as an executable file" error... which basically means PHP got deleted/removed from my system... I checked Program Files and it's still there, and it's still working... my Apache server is also still working... so anyways, here's a DSS log - oh yes, this happened after something odd happened and WGA had to be re-updated - I tried system restoring to the day prior to this and it wouldn't let me restore... to any day, for that matter.

Deckard's System Scanner v20070708.52
Run by Joe Vautour on 2008-01-05 at 21:43:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Joe Vautour.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:57 PM, on 1/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Joe Vautour\Desktop\Tools\Cascade's Stuff\EndlessOnline Player Bar.exe
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Joe Vautour\Desktop\Virus Scanners\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JOEVAU~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://iceradio.us.to/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [eobar] C:\Documents and Settings\Joe Vautour\Desktop\Tools\Cascade's Stuff\EndlessOnline Player Bar.exe
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload....Plugin11USA.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6702 bytes

-- Files created between 2007-12-05 and 2008-01-05 -----------------------------

2008-01-06 01:56:29 5505024 --a------ C:\Documents and Settings\Joe Vautour\ntuser.dat
2008-01-05 19:07:29 0 d-------- C:\Program Files\IceBot
2008-01-05 17:04:25 0 d-------- C:\WINDOWS\CSC
2008-01-05 16:41:09 0 d-------- C:\WINDOWS\vzones
2008-01-05 16:41:09 0 d-------- C:\Program Files\Accessories
2008-01-04 21:57:03 0 d-------- C:\Program Files\Bulk Rename Utility
2008-01-04 21:57:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Tarma Installer
2007-12-29 19:15:15 57344 --a------ C:\WINDOWS\system32\msql.dll
2007-12-29 19:14:54 385024 --a------ C:\WINDOWS\system32\libswish-e.dll
2007-12-29 19:14:54 2035712 --a------ C:\WINDOWS\system32\libmysql.dll
2007-12-29 19:14:54 165643 --a------ C:\WINDOWS\system32\libmhash.dll
2007-12-29 19:14:54 166912 --a------ C:\WINDOWS\system32\libmcrypt.dll
2007-12-29 19:14:31 346624 --a------ C:\WINDOWS\system32\gds32.dll <Not Verified; Inprise Corporation; InterBase Server>
2007-12-29 19:14:21 90112 --a------ C:\WINDOWS\system32\fribidi.dll <Not Verified; http://fribidi.sourceforge.net; FriBidi -- OpenSource implementation of Unicode bi-directional algorithm>
2007-12-29 19:14:21 417792 --a------ C:\WINDOWS\system32\fdftk.dll <Not Verified; Adobe Systems Incorporated; FdfTk>
2007-12-29 19:03:07 0 d-------- C:\Program Files\PHP
2007-12-29 06:25:23 0 d-------- C:\Program Files\Apache Software Foundation
2007-12-28 22:55:40 1970176 --a------ C:\WINDOWS\system32\d3dx9.dll
2007-12-28 22:55:39 679936 --a------ C:\WINDOWS\system32\D3DX81ab.dll <Not Verified; Generated by JEDI; D3DX81>
2007-12-28 22:55:36 0 d-------- C:\Program Files\Cheat Engine
2007-12-13 12:06:48 0 d-------- C:\Documents and Settings\Joe Vautour\Application Data\Ventrilo
2007-12-13 12:06:18 0 d-------- C:\Program Files\Ventrilo
2007-12-11 21:56:30 0 d-------- C:\Program Files\Google
2007-12-11 11:46:02 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-12-11 11:44:28 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-12-11 11:44:28 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-12-11 11:44:18 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-12-11 11:44:18 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-11 11:44:18 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-11 11:44:18 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-11 11:43:44 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Find3M Report ---------------------------------------------------------------

2008-01-05 19:35:25 0 d-------- C:\Program Files\Trainer Maker Kit
2008-01-05 18:55:56 0 d-------- C:\Documents and Settings\Joe Vautour\Application Data\Hamachi
2008-01-05 18:52:55 0 d-------- C:\Documents and Settings\Joe Vautour\Application Data\Xfire
2008-01-04 23:01:16 0 d-------- C:\Documents and Settings\Joe Vautour\Application Data\LimeWire
2008-01-03 21:19:37 0 d-------- C:\Documents and Settings\Joe Vautour\Application Data\IceChat
2008-01-01 22:38:26 0 d-------- C:\Program Files\FlashGet
2008-01-01 22:08:31 0 d-------- C:\Program Files\DivX
2008-01-01 21:18:09 0 d-------- C:\Program Files\LimeWire
2008-01-01 06:50:57 0 d-------- C:\Documents and Settings\Joe Vautour\Application Data\Adobe
2007-12-30 23:25:38 0 d-------- C:\Program Files\Endless-Online Remake
2007-12-24 01:05:00 0 d-------- C:\Program Files\IceChat7
2007-12-13 12:05:54 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-11 21:58:50 0 d-------- C:\Program Files\Common Files\Adobe
2007-12-11 16:57:08 0 d-------- C:\Program Files\EndlessOnline27
2007-12-07 21:56:35 0 d-------- C:\Program Files\AIM6
2007-12-07 21:56:16 0 d-------- C:\Program Files\Viewpoint
2007-12-06 00:06:13 0 d-------- C:\Documents and Settings\Joe Vautour\Application Data\uTorrent
2007-12-05 03:24:46 34 --a------ C:\WINDOWS\system32\BD2040.DAT
2007-12-03 23:59:32 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2007-12-03 23:43:30 0 d-------- C:\Program Files\!xSpeedPro
2007-12-02 15:31:47 0 d-------- C:\Program Files\Windows Live Toolbar
2007-12-02 15:31:37 0 d-------- C:\Program Files\Windows Live Favorites
2007-11-27 07:26:11 0 d---s---- C:\Program Files\Xfire
2007-11-26 20:19:03 0 d-------- C:\Program Files\MSN Messenger
2007-11-21 13:46:47 0 d-------- C:\Program Files\EndlessOnline[Auto]
2007-11-21 12:19:46 0 d-------- C:\Program Files\EndlessOnline
2007-11-20 22:17:01 0 d-------- C:\Program Files\SwiftSwitch
2007-11-20 00:35:12 0 d-------- C:\Program Files\SCAR 3.13
2007-11-13 01:02:40 3106816 --a------ C:\WINDOWS\system32\logonuiX.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-11-13 00:38:02 0 d-------- C:\Program Files\Common Files\Stardock
2007-11-13 00:38:01 0 d-------- C:\Program Files\Stardock
2007-11-13 00:28:16 0 d-------- C:\Program Files\DuoPixart
2007-11-13 00:28:15 7518952 --a------ C:\WINDOWS\system32\LK.scr <Not Verified; Axialis Software; Axialis Screen Saver Producer>
2007-11-13 00:19:20 0 d-------- C:\Program Files\CursorXP
2007-11-13 00:18:42 0 d-------- C:\Program Files\WinCustomize
2007-11-08 16:03:50 3284 --a------ C:\WINDOWS\system32\ANIWZCS{B59C541A-73AA-4611-B82B-70340C8F8417}
2007-10-12 22:30:40 15044 --ah----- C:\WINDOWS\system32\mlfcache.dat


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7} C:\Program Files\FlashGet\jccatch.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
{9030D464-4C02-4ABF-8ECC-5164760863C6} C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} C:\Program Files\Windows Live Toolbar\msntb.dll
{F156768E-81EF-470C-9057-481BA8380DBA} C:\Program Files\FlashGet\getflash.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"D-Link AirPlus G"="C:\\Program Files\\D-Link\\AirPlus G\\AirGCFG.exe"
"ANIWZCS2Service"="C:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe\""
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
"AlcxMonitor"="ALCXMNTR.EXE"
"LogonStudio"="\"C:\\Program Files\\WinCustomize\\LogonStudio\\logonstudio.exe\" /RANDOM"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Aim6"=""
"CursorXP"="C:\\Program Files\\CursorXP\\CursorXP.exe"
"eobar"="C:\\Documents and Settings\\Joe Vautour\\Desktop\\Tools\\Cascade's Stuff\\EndlessOnline Player Bar.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="wbsys.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of Deckard's System Scanner: finished at 2008-01-05 at 21:44:26 ---------

Edited by Infectedlie^.^, 05 January 2008 - 09:56 PM.
