Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Agent.IGL rootkit infection I think [RESOLVED]

Started by Fuertisimo , Mar 28 2008 03:13 AM

  • This topic is locked This topic is locked

#1
Fuertisimo
Posted 28 March 2008 - 03:13 AM

Fuertisimo

    Member

  • Member
  • PipPip
  • 26 posts
I seem to have become infected with what most sources I have checked out to be a trojan of the warspy family. My desktop background was changed to a blue and yellow box that says I have been infected and should consider getting an spyware remover. My browser would also redirect to various websites unwillingly. I've managed to eliminate these symptoms myself but the trojan itself won't die despite my best attempts to kill it (which included the smitfraud fix recommended for another trojan that sounded like mine in the self help section).

Update: looks like it might be a rootkit infection and not just a warspy trojan.

Here is my Pandascan Activescan log:


Incident Status Location

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Stephen\Cookies\[email protected][2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Stephen\Cookies\stephen@doubleclick[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Stephen\Desktop\SmitfraudFix\Process.exe
Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\Stephen\Desktop\SmitfraudFix\Reboot.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Stephen\Desktop\SmitfraudFix\restart.exe
Hacktool:Rootkit/Agent.IGL Not disinfected C:\WINDOWS\system32\drivers\Cii46.sys
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Here is my uninstall list:

Ad-Aware 2007
Adobe Flash Player ActiveX
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI AVIVO Codecs
ATI Catalyst Control Center
ATI Display Driver
ATI HYDRAVISION
ATI Parental Control & Encoder
ATI Problem Report Wizard
AVG 7.5
AVG Anti-Spyware 7.5
eMule
Free Games Offer, Desktop Shortcut
Half-Life 2
Half-Life 2: Deathmatch
Half-Life 2: Episode One
Half-Life 2: Episode Two
Half-Life 2: Lost Coast
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
HP Customer Participation Program 7.0
HP Imaging Device Functions 7.0
HP Officejet Pro All-In-One Series
HP Photosmart Essential
HP Software Update
HP Solution Center 7.0
iTunes
Microsoft .NET Framework 2.0
Microsoft Visual C++ 2005 Redistributable
MPM
Nero OEM
NVIDIA Drivers
OCR Software by I.R.I.S 7.0
Panda ActiveScan
QuickTime
SoundMAX
Source SDK Base
Steam
Team Fortress 2
Ventrilo Client
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Installer 3.1 (KB893803)
World of Warcraft
Xvid 1.1.3 final uninstall



I will post my HJT log in the next post.

Edited by Fuertisimo, 30 March 2008 - 07:32 PM.

  • 0

Advertisements

#2
Fuertisimo
Posted 28 March 2008 - 03:14 AM

Fuertisimo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Here is my HJT logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:36:59 AM, on 3/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Stephen\Local Settings\Application Data\spool.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Stephen\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Stephen\Local Settings\Application Data\spool.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{56EA1225-4A09-4583-87B9-6B28F8CFBC59}: NameServer = 85.255.115.74,85.255.112.8
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.74 85.255.112.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{56EA1225-4A09-4583-87B9-6B28F8CFBC59}: NameServer = 85.255.115.74,85.255.112.8
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.74 85.255.112.8
O17 - HKLM\System\CS2\Services\Tcpip\..\{56EA1225-4A09-4583-87B9-6B28F8CFBC59}: NameServer = 85.255.115.74,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.74 85.255.112.8
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\ctfmon.exe (file missing)

--
End of file - 5608 bytes



Much love in advance :) .
  • 0

#3
kahdah
Posted 02 April 2008 - 11:41 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello Fuertisimo

Welcome to G2Go. :)
=====================
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#4
Fuertisimo
Posted 02 April 2008 - 02:49 PM

Fuertisimo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
This is the log of main.txt:

Deckard's System Scanner v20071014.68
Run by Stephen on 2008-04-02 15:44:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 1 Restore Point(s) --
1: 2008-04-02 20:44:21 UTC - RP75 - Deckard's System Scanner Restore Point


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 3.72 GiB (less than 15%) free.


-- HijackThis (run as Stephen.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:44:42 PM, on 4/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Stephen\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Stephen.exe

O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Stephen\Local Settings\Application Data\spool.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Stephen\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Stephen\Local Settings\Application Data\spool.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{56EA1225-4A09-4583-87B9-6B28F8CFBC59}: NameServer = 85.255.115.74,85.255.112.8
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.74 85.255.112.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{56EA1225-4A09-4583-87B9-6B28F8CFBC59}: NameServer = 85.255.115.74,85.255.112.8
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.74 85.255.112.8
O17 - HKLM\System\CS2\Services\Tcpip\..\{56EA1225-4A09-4583-87B9-6B28F8CFBC59}: NameServer = 85.255.115.74,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.74 85.255.112.8
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\ctfmon.exe (file missing)

--
End of file - 5611 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

S2 Schedule (Task Scheduler) - c:\windows\system32\drivers\ctfmon.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-03-17 08:06:03 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-03-02 and 2008-04-02 -----------------------------

2008-04-01 00:05:07 0 d-------- C:\Program Files\ASF-AVI-RM-WMV Repair
2008-03-28 03:36:46 0 d-------- C:\Program Files\Trend Micro
2008-03-28 03:01:04 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-03-28 02:53:08 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-03-28 02:53:08 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-03-28 02:53:08 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-03-28 02:53:08 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-03-28 02:53:08 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-03-28 02:53:08 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-03-28 02:53:08 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-03-28 02:53:08 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-03-28 02:53:08 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-03-28 02:53:08 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-03-28 02:53:08 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-03-28 02:53:08 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-03-28 02:53:08 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-03-28 02:53:07 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-03-28 02:48:04 1766 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-28 02:47:52 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-28 02:47:52 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-03-28 02:47:52 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-03-28 02:47:52 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-03-28 02:47:52 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-03-28 02:47:52 82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-03-28 02:47:52 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-28 02:07:56 0 d-------- C:\Documents and Settings\Stephen\Application Data\Grisoft
2008-03-27 22:57:46 0 d-------- C:\Program Files\Lavasoft
2008-03-19 08:55:53 0 dr-h----- C:\$VAULT$.AVG
2008-03-19 08:53:53 0 d-------- C:\Documents and Settings\Stephen\Application Data\AVG7
2008-03-19 08:53:44 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-19 08:53:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-19 08:53:18 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-19 08:16:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-19 08:03:46 0 d-------- C:\Documents and Settings\LocalService\Application Data\HP
2008-03-19 08:03:40 8192 --a------ C:\WINDOWS\system32\regapi32.dll
2008-03-19 08:03:36 8192 --a------ C:\WINDOWS\system32\cbrowse.dll
2008-03-19 08:03:35 3072 --a------ C:\WINDOWS\system32\pxcrt.dll
2008-03-19 08:03:34 0 d-------- C:\Documents and Settings\LocalService\Application Data\ATI
2008-03-19 08:03:28 4608 --a------ C:\WINDOWS\system32\credigui.dll
2008-03-19 08:03:28 0 d--h----- C:\Documents and Settings\LocalService\SendTo
2008-03-19 08:03:27 8704 --a------ C:\WINDOWS\system32\rcdll.dll
2008-03-19 08:03:26 6144 --a------ C:\WINDOWS\system32\netd.dll
2008-03-19 08:03:25 0 d-------- C:\Documents and Settings\LocalService\Application Data\Identities
2008-03-19 08:02:55 7168 --a------ C:\WINDOWS\system32\protect.dll
2008-03-19 08:02:50 4096 --a------ C:\WINDOWS\system32\mscert.dll
2008-03-19 08:02:46 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-03-19 08:02:46 0 dr-h----- C:\Documents and Settings\LocalService\Recent
2008-03-19 08:02:46 0 d--h----- C:\Documents and Settings\LocalService\NetHood
2008-03-19 08:02:46 0 dr------- C:\Documents and Settings\LocalService\My Documents
2008-03-19 08:02:46 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-03-19 08:02:46 0 d-------- C:\Documents and Settings\LocalService\Desktop
2008-03-19 08:02:44 2 --a------ C:\-462321886
2008-03-19 08:02:43 11264 --a------ C:\WINDOWS\system32\winload.dll
2008-03-19 08:02:42 92 --a------ C:\WINDOWS\system32\delself.bat
2008-03-18 23:55:19 0 d-------- C:\Documents and Settings\Stephen\Application Data\Anti-Virus-Pro.com
2008-03-18 23:55:17 0 d-------- C:\Program Files\AntiVirusPro
2008-03-10 08:17:18 0 d-------- C:\Program Files\iPod
2008-03-10 08:17:15 0 d-------- C:\Program Files\iTunes


-- Find3M Report ---------------------------------------------------------------

2008-04-02 15:42:39 0 d-------- C:\Program Files\Steam
2008-04-02 04:18:06 0 d-------- C:\Program Files\Warcraft III
2008-04-02 01:48:06 0 d-------- C:\Program Files\eMule
2008-03-27 22:57:19 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-12 23:27:40 0 d-------- C:\Program Files\QuickTime
2008-02-11 23:57:10 0 d-------- C:\Documents and Settings\Stephen\Application Data\Bioshock
2008-02-08 00:48:36 76375 --a------ C:\WINDOWS\War3Unin.dat
2008-01-05 21:59:30 2829 --a------ C:\WINDOWS\War3Unin.pif
2008-01-05 21:59:30 139264 --a------ C:\WINDOWS\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>
2008-01-05 15:08:41 142093 --a------ C:\WINDOWS\hpwins05.dat
2008-01-03 05:23:53 0 -rahs---- C:\MSDOS.SYS
2008-01-03 05:23:53 0 -rahs---- C:\IO.SYS
2008-01-03 05:23:53 0 --a------ C:\CONFIG.SYS
2008-01-03 05:23:53 0 --a------ C:\AUTOEXEC.BAT
2008-01-03 05:22:12 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-01-03 00:18:51 62 --ahs---- C:\Documents and Settings\Stephen\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [12/18/2006 08:34 AM]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [07/13/2006 07:12 AM]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [11/10/2006 12:35 PM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [02/19/2006 02:41 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 11:50 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [01/31/2008 11:13 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/19/2008 01:10 PM]
"autoload"="C:\Documents and Settings\Stephen\Local Settings\Application Data\spool.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [03/19/2008 08:53 AM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 04:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [08/04/2004 01:06 AM]
"Steam"="C:\Program Files\Steam\Steam.exe" [03/27/2008 09:25 PM]
"Jnskdfmf9eldfd"="C:\DOCUME~1\Stephen\LOCALS~1\Temp\csrssc.exe" []
"autoload"="C:\Documents and Settings\Stephen\Local Settings\Application Data\spool.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Jnskdfmf9eldfd"=C:\WINDOWS\TEMP\csrssc.exe
"autoload"=C:\Documents and Settings\LocalService\Local Settings\Application Data\spool.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2/19/2006 4:21:22 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{280790d1-bbc2-11dc-9d6c-001d60c33424}]
AutoRun\command- G:\LaunchU3.exe -a




-- Hosts -----------------------------------------------------------------------

192.168.1.104 HP0017A4263B36


-- End of Deckard's System Scanner: finished at 2008-04-02 15:45:19 ------------

And this is the log of extra.txt:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 X2 Dual Core Processor 4800+
CPU 1: AMD Athlon™ 64 X2 Dual Core Processor 4800+
Percentage of Memory in Use: 38%
Physical Memory (total/avail): 1022.42 MiB / 629.52 MiB
Pagefile Memory (total/avail): 2460.91 MiB / 2016.86 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1934.72 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 149.04 GiB total, 3.72 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
Z: is Network (Unformatted)

\\.\PHYSICALDRIVE0 - ST3160815AS - 149.05 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 149.04 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

AV: AVG 7.5.519 v7.5.519 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Stephen\\Desktop\\MudMaster.exe"="C:\\Documents and Settings\\Stephen\\Desktop\\MudMaster.exe:*:Enabled:Mud Master 2000"
"C:\\Documents and Settings\\Stephen\\Desktop\\MudMaster2000_v390-EXE\\MudMaster.exe"="C:\\Documents and Settings\\Stephen\\Desktop\\MudMaster2000_v390-EXE\\MudMaster.exe:*:Enabled:Mud Master 2000"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Documents and Settings\\Stephen\\My Documents\\Mud Master\\MudMaster.exe"="C:\\Documents and Settings\\Stephen\\My Documents\\Mud Master\\MudMaster.exe:*:Enabled:Mud Master 2000"
"C:\\Program Files\\Kevin Cook\\Mud Master 2000\\MudMaster.exe"="C:\\Program Files\\Kevin Cook\\Mud Master 2000\\MudMaster.exe:*:Enabled:Mud Master 2000"
"E:\\setup\\HPZNET01.EXE"="E:\\setup\\HPZNET01.EXE:*:Enabled:hpznet01.exe"
"E:\\setup\\HPONICIFS01.EXE"="E:\\setup\\HPONICIFS01.EXE:*:Enabled:hponicifs01.exe"
"C:\\WINDOWS\\system32\\spoolsv.exe"="C:\\WINDOWS\\system32\\spoolsv.exe:*:Enabled:Spooler SubSystem App"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"="C:\\Program Files\\Warcraft III\\Warcraft III.exe:*:Enabled:Warcraft III"
"C:\\Program Files\\Steam\\steamapps\\fuertisimo\\half-life 2 deathmatch\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\fuertisimo\\half-life 2 deathmatch\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\steamapps\\masspsycho\\source sdk base\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\masspsycho\\source sdk base\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\steamapps\\masspsycho\\team fortress 2\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\masspsycho\\team fortress 2\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Stephen\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DONTBREAK
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Stephen
LOGONSERVER=\\DONTBREAK
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 107 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=6b01
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Stephen\LOCALS~1\Temp
TMP=C:\DOCUME~1\Stephen\LOCALS~1\Temp
USERDOMAIN=DONTBREAK
USERNAME=Stephen
USERPROFILE=C:\Documents and Settings\Stephen
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Stephen (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ASF-AVI-RM-WMV Repair 1.82 --> "C:\Program Files\ASF-AVI-RM-WMV Repair\unins000.exe"
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI AVIVO Codecs --> MsiExec.exe /I{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}
ATI Catalyst Control Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x0
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI HYDRAVISION --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}\setup.exe"
ATI Parental Control & Encoder --> MsiExec.exe /I{36CDA33B-909B-4719-97D1-C4B99309BDC7}
ATI Problem Report Wizard --> MsiExec.exe /X{5DA6F06A-B389-407B-BF8C-1548767914D8}
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
eMule --> "C:\Program Files\eMule\Uninstall.exe"
Free Games Offer, Desktop Shortcut --> MsiExec.exe /X{31DABA20-10A1-4746-9D9F-57955B8DFF66}
Half-Life 2 --> "C:\Program Files\Steam\steam.exe" steam://uninstall/220
Half-Life 2: Deathmatch --> "C:\Program Files\Steam\steam.exe" steam://uninstall/320
Half-Life 2: Episode One --> "C:\Program Files\Steam\steam.exe" steam://uninstall/380
Half-Life 2: Episode Two --> "C:\Program Files\Steam\steam.exe" steam://uninstall/420
Half-Life 2: Lost Coast --> "C:\Program Files\Steam\steam.exe" steam://uninstall/340
High Definition Audio Driver Package - KB888111 --> C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Customer Participation Program 7.0 --> C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Imaging Device Functions 7.0 --> C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Officejet Pro All-In-One Series --> C:\Program Files\HP\Digital Imaging\{7729A02E-D1AD-4830-8FC5-11853500D90D}\setup\hpzscr01.exe -datfile hpwscr05.dat
HP Photosmart Essential --> MsiExec.exe /X{6994491D-D491-48F1-AE1F-E179C1FFFC2F}
HP Software Update --> MsiExec.exe /X{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}
HP Solution Center 7.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
iTunes --> MsiExec.exe /I{80FD852F-5AAC-4129-B931-06AAFFA43138}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MPM --> MsiExec.exe /X{D48AD533-BAD5-469B-A9AA-272C6D80E70B}
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NVIDIA Drivers --> C:\WINDOWS\system32\nvuide.exe UninstallGUI
OCR Software by I.R.I.S 7.0 --> C:\Program Files\HP\Digital Imaging\OCR\hpzscr01.exe -datfile hpqbud11.dat
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
QuickTime --> MsiExec.exe /I{BFD96B89-B769-4CD6-B11E-E79FFD46F067}
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" -l0x9 -removeonly
Source SDK Base --> "C:\Program Files\Steam\steam.exe" steam://uninstall/215
Steam --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Team Fortress 2 --> "C:\Program Files\Steam\steam.exe" steam://uninstall/440
Ventrilo Client --> MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Warcraft III: All Products --> C:\WINDOWS\War3Unin.exe C:\WINDOWS\War3Unin.dat
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0) --> C:\PROGRA~1\DIFX\7B44739871F4D539FA473F57A832EA4B6A59EF06\DPInst.exe /d /u C:\WINDOWS\system32\DRVSTORE\amdk8_6FE44FCD212D4A086C7BC0C98B9A619782073FB7\amdk8.inf
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
Xvid 1.1.3 final uninstall --> "C:\Program Files\Xvid\unins000.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type2085 / Error
Event Submitted/Written: 04/02/2008 03:44:52 PM
Event ID/Source: 11 / crypt32
Event Description:
Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab> with error: The data is invalid.

Event Record #/Type2047 / Error
Event Submitted/Written: 04/01/2008 09:21:35 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2046 / Error
Event Submitted/Written: 04/01/2008 09:21:35 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2045 / Error
Event Submitted/Written: 04/01/2008 09:18:39 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2044 / Error
Event Submitted/Written: 04/01/2008 09:18:38 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type5506 / Error
Event Submitted/Written: 04/02/2008 03:42:18 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
Beep
nvatabus

Event Record #/Type5505 / Error
Event Submitted/Written: 04/02/2008 03:42:18 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Task Scheduler service failed to start due to the following error:
%%2

Event Record #/Type5482 / Error
Event Submitted/Written: 04/02/2008 03:36:17 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
Beep
nvatabus

Event Record #/Type5481 / Error
Event Submitted/Written: 04/02/2008 03:36:17 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Task Scheduler service failed to start due to the following error:
%%2

Event Record #/Type5429 / Error
Event Submitted/Written: 04/02/2008 00:03:37 AM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
Beep
nvatabus



-- End of Deckard's System Scanner: finished at 2008-04-02 15:45:19 ------------
  • 0

#5
kahdah
Posted 02 April 2008 - 06:49 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please download FixWareout from here:
http://downloads.sub.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please post the text that will open (report.txt)
==============================================
Then::
Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#6
Fuertisimo
Posted 02 April 2008 - 11:51 PM

Fuertisimo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
here is the fixwareout report after rebooting:

Username "Stephen" - 04/03/2008 0:47:21 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.115.74 85.255.112.8" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{56EA1225-4A09-4583-87B9-6B28F8CFBC59}
"nameserver"="85.255.115.74,85.255.112.8" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{DC0680FA-DC5A-42A8-838D-6A5CC17298ED}
"DhcpNameServer"="85.255.115.74,85.255.112.8" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"StartCCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\CLIStart.exe\""
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"autoload"="C:\\Documents and Settings\\Stephen\\Local Settings\\Application Data\\spool.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Steam"="\"C:\\Program Files\\Steam\\Steam.exe\" -silent"
"Jnskdfmf9eldfd"="C:\\DOCUME~1\\Stephen\\LOCALS~1\\Temp\\csrssc.exe"
"autoload"="C:\\Documents and Settings\\Stephen\\Local Settings\\Application Data\\spool.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~
  • 0

#7
Fuertisimo
Posted 03 April 2008 - 12:11 AM

Fuertisimo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
here is my new hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:10:04 AM, on 4/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4381 bytes


And here is the combofix log:

ComboFix 08-04-02.1 - Stephen 2008-04-03 1:01:42.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.638 [GMT -5:00]
Running from: C:\Documents and Settings\Stephen\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\grande48.sys
C:\WINDOWS\system32\ras\hhlmken.scp
C:\WINDOWS\system32\winload.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hhlmken


((((((((((((((((((((((((( Files Created from 2008-03-03 to 2008-04-03 )))))))))))))))))))))))))))))))
.

2008-04-03 00:47 . 2008-04-03 00:49 <DIR> d-------- C:\fixwareout
2008-04-02 15:44 . 2008-04-02 15:44 <DIR> d-------- C:\Deckard
2008-04-01 00:05 . 2008-04-01 00:05 <DIR> d-------- C:\Program Files\ASF-AVI-RM-WMV Repair
2008-03-28 03:36 . 2008-03-28 03:36 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-28 03:01 . 2008-03-28 03:27 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-28 03:01 . 2008-03-28 03:01 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-28 03:01 . 2008-03-28 03:01 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-28 03:01 . 2008-03-28 03:01 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-28 02:48 . 2008-03-28 02:54 1,766 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-28 02:47 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-28 02:47 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-28 02:47 . 2008-03-22 15:49 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-28 02:47 . 2008-03-26 08:50 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-28 02:47 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-03-28 02:47 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-28 02:47 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-28 02:07 . 2008-03-28 02:07 <DIR> d-------- C:\Documents and Settings\Stephen\Application Data\Grisoft
2008-03-28 02:07 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-27 22:57 . 2008-03-27 22:57 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-19 08:53 . 2008-03-31 06:41 <DIR> d-------- C:\Documents and Settings\Stephen\Application Data\AVG7
2008-03-19 08:53 . 2008-03-19 08:53 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-19 08:53 . 2008-03-19 08:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-19 08:53 . 2008-03-21 07:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-19 08:36 . 2008-03-19 08:36 269,334 --a------ C:\WINDOWS\system32\bitkb.bmp
2008-03-19 08:16 . 2008-03-27 22:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-19 08:08 . 2008-03-19 08:08 269,334 --a------ C:\WINDOWS\system32\bmpcjatkf.bmp
2008-03-19 08:03 . 2008-03-19 08:03 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\HP
2008-03-19 08:03 . 2008-03-19 08:03 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\ATI
2008-03-19 08:03 . 2008-03-19 08:03 269,334 --a------ C:\WINDOWS\system32\ojatcr.bmp
2008-03-19 08:03 . 2008-03-19 08:03 8,704 --a------ C:\WINDOWS\system32\rcdll.dll
2008-03-19 08:03 . 2008-03-19 08:03 8,192 --a------ C:\WINDOWS\system32\regapi32.dll
2008-03-19 08:03 . 2008-03-19 08:03 8,192 --a------ C:\WINDOWS\system32\cbrowse.dll
2008-03-19 08:03 . 2008-03-19 08:03 6,144 --a------ C:\WINDOWS\system32\netd.dll
2008-03-19 08:03 . 2008-03-19 08:03 4,608 --a------ C:\WINDOWS\system32\credigui.dll
2008-03-19 08:03 . 2008-03-19 08:03 3,072 --a------ C:\WINDOWS\system32\pxcrt.dll
2008-03-19 08:03 . 2008-03-19 08:19 10 --a------ C:\WINDOWS\system32\winsoft.nls
2008-03-19 08:02 . 2008-03-19 08:02 7,168 --a------ C:\WINDOWS\system32\protect.dll
2008-03-19 08:02 . 2008-03-19 08:02 4,096 --a------ C:\WINDOWS\system32\mscert.dll
2008-03-19 08:02 . 2008-03-19 08:02 92 --a------ C:\WINDOWS\system32\delself.bat
2008-03-19 08:02 . 2008-03-19 08:02 2 --a------ C:\-462321886
2008-03-18 23:56 . 2008-03-18 23:56 29 --a------ C:\WINDOWS\system32\ytprhgrp.tmp
2008-03-18 23:55 . 2008-03-18 23:56 <DIR> d-------- C:\Program Files\AntiVirusPro
2008-03-18 23:55 . 2008-03-18 23:55 <DIR> d-------- C:\Documents and Settings\Stephen\Application Data\Anti-Virus-Pro.com
2008-03-18 23:55 . 2008-03-18 23:55 269,334 --a------ C:\WINDOWS\system32\fidob.bmp
2008-03-10 08:17 . 2008-03-28 03:21 <DIR> d-------- C:\Program Files\iTunes
2008-03-10 08:17 . 2008-03-10 08:17 <DIR> d-------- C:\Program Files\iPod
2008-03-10 08:17 . 2008-04-03 00:49 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-10 08:17 . 2008-03-10 08:17 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-03 05:50 --------- d-----w C:\Program Files\Steam
2008-04-02 22:53 --------- d-----w C:\Program Files\Warcraft III
2008-04-02 06:48 --------- d-----w C:\Program Files\eMule
2008-03-28 03:57 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-13 04:27 --------- d-----w C:\Program Files\QuickTime
2008-02-12 04:57 --------- d-----w C:\Documents and Settings\Stephen\Application Data\Bioshock
2008-01-06 02:59 139,264 ----a-w C:\WINDOWS\War3Unin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-03-27 21:25 1271032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 08:34 868352]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-07-13 07:12 729088]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41 49152]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-03-19 08:53 579072]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-19 08:53 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22 288472]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Documents and Settings\\Stephen\\My Documents\\Mud Master\\MudMaster.exe"=
"C:\\Program Files\\Kevin Cook\\Mud Master 2000\\MudMaster.exe"=
"C:\\WINDOWS\\system32\\spoolsv.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Steam\\steamapps\\fuertisimo\\half-life 2 deathmatch\\hl2.exe"=
"C:\\Program Files\\Steam\\steamapps\\masspsycho\\source sdk base\\hl2.exe"=
"C:\\Program Files\\Steam\\steamapps\\masspsycho\\team fortress 2\\hl2.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{280790d1-bbc2-11dc-9d6c-001d60c33424}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2008-03-17 13:06:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-03 01:04:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\drivers\Cii46.sys 167936 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cii46]

.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-04-03 1:05:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-03 06:05:37
Pre-Run: 4,034,564,096 bytes free
Post-Run: 3,982,737,408 bytes free
  • 0

#8
kahdah
Posted 03 April 2008 - 03:20 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

http://www.geekstogo.com/forum/Agent-IGL-rootkit-infection-think-t192749.html#entry1203950

Collect::
C:\WINDOWS\system32\regapi32.dll
C:\WINDOWS\system32\cbrowse.dll
C:\WINDOWS\system32\netd.dll
C:\WINDOWS\system32\credigui.dll
C:\WINDOWS\system32\pxcrt.dll
C:\WINDOWS\system32\winsoft.nls
C:\WINDOWS\system32\protect.dll
C:\WINDOWS\system32\mscert.dll
C:\WINDOWS\system32\delself.bat
C:\WINDOWS\system32\ytprhgrp.tmp
C:\WINDOWS\system32\drivers\Cii46.sys
Folder:
C:\-462321886
C:\Program Files\AntiVirusPro
C:\Documents and Settings\Stephen\Application Data\Anti-Virus-Pro.com
Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cii46]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. Additonally, ComboFix will generate the following files on your desktop
  • A zipped file on your desktop called Submit [Date Time].zip
  • And another file named - CF-Submit.htm
6. ComboFix may need to reboot to finish its work. Let it.

7. When CF has finished running, it will generate the ComboFix.log which will appear on your screen.

8. If CF-Submit.htm is detected, ComboFix will generate this message box:

Posted Image

Clicking OK will cause the machine's browser to load CF-Submit.htm

Posted Image

9. Click the "Browse" button and locate the Submit [Date Time].zip file on your desktop.
  • Click on the file to Select it.
  • Submit the file by clicking "OK"
10. Once the file has been submitted, please DELETE both files on your desktop.

11. Post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log (run after ComboFix has finished its work.)

  • 0

#9
Fuertisimo
Posted 03 April 2008 - 02:35 PM

Fuertisimo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
When I drag the CFScript.txt file onto the Combofix.exe icon, it begins to run Combofix, then it gives me the error "you cannot rename Combofix.exe as Combofix.exe" and closes the program.

Please advise.
  • 0

#10
kahdah
Posted 03 April 2008 - 06:26 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hmm that is strange.
But let's do the following instead.
=====================
1. Please download The Avenger2 by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\regapi32.dll
C:\WINDOWS\system32\cbrowse.dll
C:\WINDOWS\system32\netd.dll
C:\WINDOWS\system32\credigui.dll
C:\WINDOWS\system32\pxcrt.dll
C:\WINDOWS\system32\winsoft.nls
C:\WINDOWS\system32\protect.dll
C:\WINDOWS\system32\mscert.dll
C:\WINDOWS\system32\delself.bat
C:\WINDOWS\system32\ytprhgrp.tmp
C:\WINDOWS\system32\drivers\Cii46.sys

Folders to delete:
C:\-462321886
C:\Program Files\AntiVirusPro
C:\Documents and Settings\Stephen\Application Data\Anti-Virus-Pro.com

Drivers to delete:
Cii46

Registry Keys to delete:
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cii46

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh Hijackthis log .
  • 0

Advertisements

#11
Fuertisimo
Posted 03 April 2008 - 09:00 PM

Fuertisimo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
This is the new HJT log after running avenger:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:59:31 PM, on 4/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4919 bytes


This is the Avenger log:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "Cii46" found!
Start Type: 4 (Disabled)

Rootkit scan completed.

File "C:\WINDOWS\system32\regapi32.dll" deleted successfully.
File "C:\WINDOWS\system32\cbrowse.dll" deleted successfully.
File "C:\WINDOWS\system32\netd.dll" deleted successfully.
File "C:\WINDOWS\system32\credigui.dll" deleted successfully.
File "C:\WINDOWS\system32\pxcrt.dll" deleted successfully.
File "C:\WINDOWS\system32\winsoft.nls" deleted successfully.
File "C:\WINDOWS\system32\protect.dll" deleted successfully.
File "C:\WINDOWS\system32\mscert.dll" deleted successfully.
File "C:\WINDOWS\system32\delself.bat" deleted successfully.
File "C:\WINDOWS\system32\ytprhgrp.tmp" deleted successfully.
File "C:\WINDOWS\system32\drivers\Cii46.sys" deleted successfully.

Error: "C:\-462321886" is not a folder! It may instead be a file.
Deletion of folder "C:\-462321886" failed!
Status: 0xc0000103 (STATUS_NOT_A_DIRECTORY)
--> use "Files to delete:" instead of "Folders to delete:" to delete an ordinary file

Folder "C:\Program Files\AntiVirusPro" deleted successfully.
Folder "C:\Documents and Settings\Stephen\Application Data\Anti-Virus-Pro.com" deleted successfully.
Driver "Cii46" deleted successfully.

Error: registry key "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cii46" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Cii46" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.
  • 0

#12
kahdah
Posted 03 April 2008 - 09:03 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.
  • 0

#13
Fuertisimo
Posted 04 April 2008 - 05:54 AM

Fuertisimo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Here is the log following the Malwarebytes scan:

Malwarebytes' Anti-Malware 1.10
Database version: 589

Scan type: Full Scan (A:\|C:\|D:\|E:\|Z:\|)
Objects scanned: 65090
Time elapsed: 12 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{50ccd00a-66b6-4d95-aaef-8ee959498f92} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\stfngdvw.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Stephen\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Stephen\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\winload.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bitkb.bmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bmpcjatkf.bmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fidob.bmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ojatcr.bmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rcdll.dll (Trojan.Agent) -> Quarantined and deleted successfully.
  • 0

#14
kahdah
Posted 04 April 2008 - 10:37 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
=================================================================
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#15
Fuertisimo
Posted 04 April 2008 - 10:16 PM

Fuertisimo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Here is the Text report from Kaspersky after running the ATF cleaner:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, April 04, 2008 11:10:31 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/04/2008
Kaspersky Anti-Virus database records: 682912
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
Z:\

Scan Statistics:
Total number of scanned objects: 38143
Number of viruses found: 1
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 00:25:14

Infected Object Name / Virus Name / Last Action
C:\Avenger\Cii46.sys Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Stephen\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Stephen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Stephen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Stephen\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Stephen\Local Settings\History\History.IE5\MSHist012008040420080405\index.dat Object is locked skipped
C:\Documents and Settings\Stephen\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Stephen\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Stephen\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Stephen\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\catchme2008-04-03_ 10417.32.zip/Documents and Settings/Stephen/Desktop/catchme.zip/hhlmken.scp Infected: Trojan-Clicker.Win32.Costrat.fe skipped
C:\QooBox\Quarantine\catchme2008-04-03_ 10417.32.zip/Documents and Settings/Stephen/Desktop/catchme.zip Infected: Trojan-Clicker.Win32.Costrat.fe skipped
C:\QooBox\Quarantine\catchme2008-04-03_ 10417.32.zip ZIP: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{0B8877DB-1D10-40D9-960F-E9010A65A3DF}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP