My HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:37:57 PM, on 2/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\FSGK32.EXE
C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\EMBARQ Online Security\Common\FSMB32.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\EMBARQ Online Security\Common\FCH32.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsqh.exe
C:\Program Files\EMBARQ Online Security\Common\FAMEH32.EXE
C:\Program Files\EMBARQ Online Security\FSPC\fspc.exe
C:\Program Files\EMBARQ Online Security\FSGUI\fsguidll.exe
C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe
C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fssm32.exe
C:\Program Files\EMBARQ Online Security\FSAUA\program\fsus.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsav32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myembarq.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunKistEM] "C:\Program Files\Digital Media Reader\shwiconem.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [REGSHAVE] "C:\Program Files\REGSHAVE\REGSHAVE.EXE" /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\EMBARQ Online Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [QuickenScheduledUpdates] C:\Program Files\Quicken\billmind.exe
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.0xe
O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\Program Files\Common Files\Microsoft Shared\MSInfo\MSINF16H.EXE
O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk = C:\Program Files\Common Files\Microsoft Shared\MSInfo\MSINF16H.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Common Files\Microsoft Shared\MSInfo\MSINF16H.EXE
O8 - Extra context menu item: &Block this popup - C:\Program Files\EMBARQ Online Security\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\Anti-Spyware\ieshield.dll (file missing)
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\Anti-Spyware\ieshield.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: EMBARQ Online Security (BackWeb Plug-in - 7211241) - Unknown owner - C:\PROGRA~1\EMBARQ~1\backweb\7211241\Program\SERVIC~1.EXE (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
--
End of file - 8895 bytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
My anti-virus software log:
Scanning Report
09 February 2008 10:59:03 - 12:43:04
Computer name: JOHNSON5
Scanning type: Perform full computer check
Target: C:\ D:\ + system + rootkits
--------------------------------------------------------------------------------
Result: 11 malware found
Trojan.Win32.KillAV.oh (virus)
C:\WINDOWS\hpfsched.0xe Action: FAILED
C:\Program Files\REGSHAVE\REGSHAVE.0XE Action: FAILED
C:\Program Files\QuickTime\qttask.0xe Action: FAILED
C:\Program Files\Quicken\billmind.0xe Action: FAILED
C:\Program Files\Java\jre1.6.0_03\bin\jusched.0xe Action: FAILED
C:\Program Files\iTunes\iTunesHelper.0xe Action: FAILED
C:\Program Files\Digital Media Reader\shwiconem.0xe Action: FAILED
C:\Program Files\CyberLink\PowerDVD\PDVDServ.0xe Action: FAILED
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.0xe Action: FAILED
Trojan-Downloader.SWF.Gida.a (virus)
C:\Documents and Settings\Lamby\Local Settings\Temporary Internet Files\Content.IE5\NTHMRT5N\gnida[1].0wf Action: FAILED
C:\Documents and Settings\Lamby\Local Settings\Temporary Internet Files\Content.IE5\4DYN4LYZ\gnida[1].0wf Action: FAILED
--------------------------------------------------------------------------------
Riskware found
RemoteAdmin.Win32.WinVNC-based.b (riskware)
C:\Documents and Settings\Owner\Local Settings\Temp\EMBARQ\software\EMBARQSoftware.exe
C:\Documents and Settings\Owner\Local Settings\Temp\EMBARQ\software\VirtualAssistant.exe
--------------------------------------------------------------------------------
Statistics
Scanned:
Files: 311959
Not scanned: 47
Result:
Viruses: 11
Spyware: 0
Suspicious items: 0
Riskware: 2
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
Quarantined: 0
Failed: 11
Boot Sectors:
Scanned: 1
Infected: 0
Suspicious items: 0
Disinfected: 0
Files not scanned:
Cannot open file (click here for more info) C:\HIBERFIL.SYS
Cannot open file (click here for more info) C:\PAGEFILE.SYS
Cannot open file (click here for more info) C:\WINDOWS\TEMP\PERFLIB_PERFDATA_868.DAT
Cannot open a file in archive C:\WINDOWS\SYSTEM32\BIOS1.ROM
Cannot open file (click here for more info) C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
Cannot open file (click here for more info) C:\WINDOWS\SYSTEM32\CONFIG\SAM
Cannot open file (click here for more info) C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
Cannot open file (click here for more info) C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
Cannot open file (click here for more info) C:\WINDOWS\SYSTEM32\CATROOT2\EDB.LOG
Cannot open file (click here for more info) C:\WINDOWS\SYSTEM32\CATROOT2\TMP.EDB
Cannot open a file in archive bios1.rom
Cannot open a file in archive C:\WINDOWS\.JAGEX_CACHE_32\RUNESCAPE\MAIN_FILE_CACHE.DAT2
Cannot open a file in archive C:\PROGRAM FILES\RAGE\INCOMING\ASC\PADS\PAD2.CTL
Cannot open a file in archive C:\PROGRAM FILES\LIMEWIRE\DOWNLOADS\PINK - STUPID GIRLS.MP3
Cannot open a file in archive C:\PROGRAM FILES\FINEPIXVIEWER\RESOURCE\IIPARAM\SETUP\DSC\SETUP12_10.DAT
Cannot open a file in archive C:\PROGRAM FILES\FINEPIXVIEWER\EXTENSIONS\HELPERS\MVFILTERS\PARAM\SETUP\SRGB\SETUP12_10.DAT
Cannot open a file in archive C:\PROGRAM FILES\FINEPIXVIEWER\EXTENSIONS\HELPERS\MVFILTERS\PARAM\SETUP\DSC\SETUP12_10.DAT
Cannot open file (click here for more info) C:\PROGRAM FILES\EMBARQ ONLINE SECURITY\COMMON\POLICY.IPF
Cannot open a file in archive C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\GRPHFLT\MS.PCT
Cannot open a file in archive C:\DOCUMENTS AND SETTINGS\ALL USERS.LOG
Cannot open a file in archive C:\DOCUMENTS AND SETTINGS\DEFAULT USER.LOG
Cannot open file (click here for more info) C:\DOCUMENTS AND SETTINGS\OWNER\NTUSER.DAT
Cannot open a file in archive C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\MY PICTURES\IPOD PHOTO CACHE\F33\T845.ITHMB
Cannot open a file in archive C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\MY PICTURES\IPOD PHOTO CACHE\F32\T844.ITHMB
Cannot open a file in archive C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\MY PICTURES\IPOD PHOTO CACHE\F29\T637.ITHMB
Cannot open a file in archive C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\MY PICTURES\IPOD PHOTO CACHE\F28\T636.ITHMB
Cannot open a file in archive C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\MY PICTURES\IPOD PHOTO CACHE\F27\T635.ITHMB
Cannot open a file in archive C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\MY PICTURES\IPOD PHOTO CACHE\F26\T634.ITHMB
Cannot open a file in archive C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\MY PICTURES\IPOD PHOTO CACHE\F25\T276.ITHMB
Cannot open a file in archive C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\MY PICTURES\IPOD PHOTO CACHE\F25\T633.ITHMB
Cannot open a file in archive C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\MY PICTURES\IPOD PHOTO CACHE\F24\T275.ITHMB
Cannot open a file in archive C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\MY PICTURES\IPOD PHOTO CACHE\F24\T632.ITHMB
Cannot open file (click here for more info) C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
Cannot open file (click here for more info) C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\NTUSER.DAT
Cannot open file (click here for more info) C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
Cannot open file (click here for more info) C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\NTUSER.DAT
Cannot open file (click here for more info) C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
File D:\i386\Apps\App30921\vs\agentins.ui\agentins.ini is encrypted
File D:\i386\Apps\App30921\vs\vsoins.ui\common_utils.js is encrypted
File D:\i386\Apps\App30921\vs\shared\agentcfg.cab\screm.ui\agntcons.vbs is encrypted
File D:\i386\Apps\App30921\msk\agentins.ui\agentins.ini is encrypted
File D:\i386\Apps\App30921\msk\mskins.ui\appcons.vbs is encrypted
File D:\i386\Apps\App30921\msk\shared\agentcfg.cab\screm.ui\agntcons.vbs is encrypted
File D:\i386\Apps\App30921\mpf\agentins.ui\agentins.ini is encrypted
File D:\i386\Apps\App30921\mpf\mpfins.ui\appcons.vbs is encrypted
File D:\i386\Apps\App30921\mpf\shared\agentcfg.cab\screm.ui\agntcons.vbs is encrypted
File D:\i386\Apps\App30921\mpf\mpfplus\en-us\us\mpfcfg.cab\mpfrem.ui\appconst.vbs is encrypted
--------------------------------------------------------------------------------
Options
Definitions version:
Viruses: 2008-02-09_01
Spyware: 2008-02-09_01
Scanning Engines:
F-Secure AVP: 7.00.171, 2008-02-09
F-Secure Libra: 2.04.01, 2008-02-07
F-Secure Orion: 1.02.37, 2008-02-09
F-Secure Draco: 1.00.35, 2008-02-04
F-Secure BlackLight: 1.00.54
Scanning options:
Scan all files
Scan inside archives
Actions:
Viruses: Ask after scan
Spyware: Ask after scan
Show suspicious items after a full computer check
--------------------------------------------------------------------------------
Error information
"Cannot open file" error occurred:
The "Cannot open file" error message means that the scanner was unable to open a file and that this file was not scanned. You can normally ignore this error message as there are many reasons for this message that do not imply a security threat, including:
The file was a system file. System files are protected by the operation system by design. You can ignore this message in this case.
You do not have permission to read the file. To scan the file, log in with a user account with sufficient permissions (for example the computer's administrator account) and rescan.
The file was in use by an application when the scan was performed. To scan this file, close all applications and rescan.
--------------------------------------------------------------------------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~