Win32Bagle and its variants[RESOLVED]



#16
RatHat

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web CureIt when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
Also tell me how the computer is running now.

Regards,
RatHat

#17
cherriedpie

I don't understand what you mean by how my computer is running.
In what aspect should I tell you?

I'll reboot into Safe mode now, will post when I'm done.

#18
RatHat


> I don't understand what you mean by how my computer is running.
> In what aspect should I tell you?
>
> I'll reboot into Safe mode now, will post when I'm done.


By that I mean how is it behaving? Are you still experiencing any problems, and if so, what is it that is happening? I am hoping that we have killed the Bagle worm, so want to find out what symptoms you have remaining, if any.

Regards,
RatHat

#19
cherriedpie


Well, I was experiencing the symptom of being unable to install an antivirus program properly, and now I'm able to install Kaspersky perfectly. I'm now running a scan check. I was wondering what I should do now with all the programs (e.g., Dr.Web, ComboFix, DSS, HijackThis, etc.) you asked me to install earlier. Should I delete/keep them?

Edited by cherriedpie, 05 April 2008 - 06:30 PM.

  • 0
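
Added example, not part of the original thread or of any tool named in it: a short Python script that triages a Dr.Web CureIt report list of the kind requested above (semicolon-separated: file; folder; threat; action) by where each detection sits. The sample rows are constructed, the function names and location labels are this example's own, and it assumes that `QooBox\Quarantine` and `DoctorWeb\Quarantine` hold quarantined copies and that `_restore{...}` folders are System Restore points.

```python
import csv
import io
from collections import Counter, namedtuple

Detection = namedtuple("Detection", "file folder threat action location")

# Constructed sample in the four-column layout of the report in this thread.
# The numeric file names and the restore-point GUID are placeholders.
SAMPLE_REPORT = r"""
100001.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down;Win32.HLLM.Beagle;Deleted.;
100002.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\down;Trojan.PWS.Nerf;Deleted.;
A0000001.exe;C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1;Win32.HLLM.Beagle;Deleted.;
A0000002.EXE;C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP2;Program.PsExec.170;Moved.;
PSEXESVC.EXE;C:\WINDOWS;Program.PsExec.170;Moved.;
this line is not a report row
"""

# Assumption: these folders hold inert copies rather than files in active use.
LOCATION_MARKERS = (
    ("quarantine", ("\\qoobox\\quarantine", "\\doctorweb\\quarantine")),
    ("restore_point", ("\\system volume information\\_restore{",)),
)

# Only the two actions seen in the thread's report ("Deleted", "Moved") are
# known here; anything other than "deleted" is treated as needing review.
REMOVED_ACTIONS = {"deleted"}


def classify_location(folder):
    """Label a folder as quarantine, restore_point or live (everything else)."""
    lowered = folder.lower()  # Windows paths are case-insensitive
    for label, needles in LOCATION_MARKERS:
        if any(needle in lowered for needle in needles):
            return label
    return "live"


def parse_report(text):
    """Return (detections, skipped_lines) from a semicolon-separated report."""
    detections, skipped = [], []
    reader = csv.reader(io.StringIO(text), delimiter=";", quoting=csv.QUOTE_NONE)
    for row in reader:
        fields = [field.strip() for field in row]
        if not any(fields):
            continue  # blank line
        if len(fields) < 4 or not all(fields[:4]):
            skipped.append(";".join(row))  # keep malformed rows for manual review
            continue
        file, folder, threat, action = fields[:4]
        detections.append(
            Detection(file, folder, threat, action.rstrip("."),
                      classify_location(folder))
        )
    return detections, skipped


def triage(detections):
    """Count threats per location and list the entries that need a second look."""
    by_location = {}
    for det in detections:
        by_location.setdefault(det.location, Counter())[det.threat] += 1
    follow_up = [
        det for det in detections
        if det.location == "live" or det.action.lower() not in REMOVED_ACTIONS
    ]
    return by_location, follow_up


if __name__ == "__main__":
    found, bad_rows = parse_report(SAMPLE_REPORT)
    counts, review = triage(found)
    for location, threats in sorted(counts.items()):
        for threat, count in threats.most_common():
            print(f"{location:14} {threat:24} {count}")
    print("Needs review:")
    for det in review:
        print(f"  {det.folder}\\{det.file} ({det.threat}, {det.action})")
    print(f"Unparsed rows: {len(bad_rows)}")
```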

#20
RatHat

Before removing anything, could you disable any antivirus programs that you have, then download, install, update and run a full scan with this free AV which works well against Bagle:

Avira AntiVir PersonalEdition.

When done, post me a new DSS log and let me know if you are having any further problems with the computer.

Regards,
RatHat

#21
cherriedpie

Occasionally, my computer will suddenly go to a blue screen. It happened just a moment ago, when I wanted to switch FF tabs to download the Avira AV program. It's a bit odd, and I don't know what triggered it. The other time it went to a blue screen was a few days ago, but I can't remember what caused it.

With Avira, I had 2 detections. I clicked 'delete' for both, but I don't know whether they really deleted those files.

AntiVir PersonalEdition Classic
Report file date: Sunday, April 06, 2008 17:14

Scanning for 1181591 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: CALADAN


Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: G:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Sunday, April 06, 2008 17:14

The scan of running processes will be started
37 processes with 37 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'E:\'
[NOTE] No virus was found!
Boot sector 'F:\'
[NOTE] No virus was found!
Boot sector 'G:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '40' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\hldrrr.exe.vir
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{482071DA-BC19-4DB3-B448-285C26F54359}\RP2\A0001298.exe
[DETECTION] Is the Trojan horse TR/Killav.28714
[INFO] The file was deleted!
Begin scan in 'E:\'
Begin scan in 'F:\'
Begin scan in 'G:\'


End of the scan: Sunday, April 06, 2008 19:02
Used time: 1:48:20 min

The scan has been done completely.

9746 Scanning directories
248071 Files were scanned
2 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
2 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
248069 Files not concerned
1918 Archives were scanned
1 Warnings
0 Notes



And here's DSS log.

Deckard's System Scanner v20071014.68
Run by kuroko on 2008-04-06 19:27:59
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 82% (more than 75%).


-- HijackThis (run as kuroko.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:28:24 PM, on 4/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C41 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C41 Series" /O6 "USB001" /M "Stylus C41"
O4 - HKLM\..\Run: [Google IME Autoupdater] "E:\Google Pinyin\GooglePinyinDaemon.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [EPSON Stylus C41 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\system32\E_S4F.tmp"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-18\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.c.../NowStarter.cab
O16 - DPF: {0AE0F5F9-8233-49A4-A3C8-004CE190787B} (BMSpeedCheck Control) - http://www.pdbox.co....MSpeedCheck.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {14E35D5F-DEBA-4DB3-B2ED-17542BA12D1F} (CV781Object Object) - http://tentco.homeip.net/AV718.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {1FAF427B-1EE5-43D3-A023-3009142AFCD4} (CS Order Entry Control (RHS)) - http://download.exce...b/csoex_rhs.cab
O16 - DPF: {1FAF427B-1EE5-43D3-A023-3009142AFCD9} (CS Order Entry Control (MBB)) - https://www.maybank2...b/csoex_mbb.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1176247111030
O16 - DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} (NowStarter Control) - http://www.gogobox.c...GNowStarter.cab
O16 - DPF: {B9B2EE1A-E314-4338-A305-BE845EACB112} (CyberStock 250) - http://download.exce...hs/cab/cswx.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer....l/installer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{BED72584-7F04-4214-B19B-FA43192191EE}: NameServer = 10.0.0.2,10.0.0.5
O20 - AppInit_DLLs: ,wbsys.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\Program Files\McAfee\VirusScan\McShield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 9575 bytes

-- Files created between 2008-03-06 and 2008-04-06 -----------------------------

2008-04-06 17:07:26 0 d-------- C:\Program Files\Avira
2008-04-06 17:07:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-04-06 08:40:15 0 d-------- C:\Program Files\uTorrent
2008-04-06 08:40:05 0 d-------- C:\Documents and Settings\kuroko\Application Data\uTorrent
2008-04-06 08:02:05 91700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-04-06 08:02:05 85860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-04-06 08:01:00 9248 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-04-06 08:01:00 3711264 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-06 08:00:59 0 d-------- C:\Program Files\Kaspersky Lab
2008-04-06 08:00:00 0 d-------- C:\kav
2008-04-05 22:09:04 0 d-------- C:\Documents and Settings\kuroko\DoctorWeb
2008-04-05 00:04:33 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-04 20:38:15 68096 --a------ C:\WINDOWS\zip.exe
2008-04-04 20:38:15 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-04 20:38:15 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-04 20:38:15 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-04 20:38:15 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-04 20:38:15 98816 --a------ C:\WINDOWS\sed.exe
2008-04-04 20:38:15 80412 --a------ C:\WINDOWS\grep.exe
2008-04-04 20:38:15 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-04 20:24:52 0 d-------- C:\Program Files\youar
2008-04-02 22:45:53 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-02 22:45:46 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-02 22:45:46 0 d-------- C:\Documents and Settings\kuroko\Application Data\SUPERAntiSpyware.com
2008-04-02 17:31:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-04-01 07:07:02 1531904 -ra------ C:\WINDOWS\system32\clubbox.exe <Not Verified; Nowcom, Co. LTD.; CLUBBOX File Transfer Manager V2>
2008-04-01 07:06:30 155648 -ra------ C:\WINDOWS\system32\downengine.dll <Not Verified; (?)???; ClubBox>
2008-03-31 22:14:58 0 d-------- C:\Program Files\S450RC
2008-03-31 21:47:09 0 d-------- C:\Program Files\Autoruns
2008-03-31 21:28:06 0 d-------- C:\Program Files\DiskInternals
2008-03-31 20:19:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-31 20:19:02 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-31 18:01:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-03-24 14:10:23 0 d-------- C:\WINDOWS\system32\LogFiles
2008-03-24 14:08:01 0 d-------- C:\Netgear
2008-03-19 09:57:51 0 d-------- C:\Documents and Settings\soon chieh\Contacts
2008-03-10 22:34:48 0 d-------- C:\Documents and Settings\kuroko\Application Data\U3


-- Find3M Report ---------------------------------------------------------------

2008-04-06 16:51:26 0 d-------- C:\Program Files\Common Files
2008-04-04 23:03:34 221617 --a------ C:\Documents and Settings\kuroko\Application Data\NMM-MetaData.db
2008-04-03 17:22:12 0 d-------- C:\Documents and Settings\kuroko\Application Data\PC Suite
2008-03-31 20:19:47 0 d-------- C:\Program Files\Lavasoft
2008-03-06 16:22:26 0 d-------- C:\Program Files\Zoom Player
2008-03-02 02:28:28 0 d-------- C:\Documents and Settings\kuroko\Application Data\Nokia Multimedia Player
2008-03-01 23:28:00 0 d-------- C:\Documents and Settings\kuroko\Application Data\Nokia
2008-03-01 23:18:30 0 d-------- C:\Program Files\Common Files\PCSuite
2008-03-01 23:18:28 0 d-------- C:\Program Files\Common Files\Nokia
2008-03-01 23:16:39 0 d-------- C:\Program Files\DIFX
2008-03-01 23:16:21 0 d-------- C:\Program Files\PC Connectivity Solution
2008-03-01 23:15:40 0 d-------- C:\Program Files\Nokia
2008-02-25 09:24:40 159744 -ra------ C:\WINDOWS\system32\fscagent.exe <Not Verified; Nowcom Co., Ltd.; FSCAgent>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/31/2004 05:00 PM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [08/31/2004 05:00 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/31/2004 05:00 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/31/2004 05:00 PM]
"nForce Tray Options"="sstray.exe" [11/13/2002 12:34 AM C:\WINDOWS\system32\sstray.exe]
"ClubBox"="" []
"SoundMan"="SOUNDMAN.EXE" [06/18/2004 04:31 PM C:\WINDOWS\SOUNDMAN.EXE]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [10/07/2006 09:51 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/01/2006 04:57 PM]
"EPSON Stylus C41 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [02/18/2002 08:03 PM]
"Google IME Autoupdater"="E:\Google Pinyin\GooglePinyinDaemon.exe" [01/07/2008 03:15 AM]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [06/13/2006 05:20 AM]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [06/18/2007 04:10 PM]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [02/08/2008 06:36 PM]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [04/06/2008 05:13 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [02/10/2005 05:00 PM]
"EPSON Stylus C41 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [02/18/2002 08:03 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/31/2004 05:00 PM]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Norton SystemWorks"="C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 11:05:26 PM]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [9/25/2005 10:45:41 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/12/2001 5:01:04 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 01/31/2005 04:13 PM 49152 C:\PROGRA~1\COMMON~1\stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 11/30/2007 12:36 AM 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= ,wbsys.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e83aa278-2a6b-11da-81b7-806d6172696f}]
AutoRun\command- D:\Autorun.exe root.ini

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9032c31-eb06-11dc-86e5-00179a3a12da}]
AutoRun\command- H:\LaunchU3.exe -a

*Newly Created Service* - ANTIVIRSCHEDULER
*Newly Created Service* - ANTIVIRSERVICE
*Newly Created Service* - AVGIO
*Newly Created Service* - AVGNTFLT
*Newly Created Service* - AVIPBB
*Newly Created Service* - NOWMEMDF



-- End of Deckard's System Scanner: finished at 2008-04-06 19:29:32 ------------



#22
RatHat


    Ex Malware Expert

  • Expert
  • 7,829 posts
The files that Antivir deleted were in quarantine folders, so that is OK.

You still have uTorrent running, did you try to uninstall it when I asked? As long as this is installed, I cannot be sure we are cleaning everything from your computer. P2P programs can act as a gateway for malware to access the internet and download new files, so I need you to remove it. If you choose to reinstall it later, you will be opening yourself up to reinfection.

You now need to uninstall AntiVir PersonalEdition so that you only have Kaspersky Internet Security 7.0 running.

When done, run an F-Secure online scan for Viruses, Spyware and RootKits:
  • Go to http://support.f-sec.../home/ols.shtml
  • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
  • Allow the Active X control to be installed on your computer, then click the Accept button
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
  • When the cleaning option is presented, Uncheck Submit samples to F-Secure
  • Click Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
Notes:
  • This scan will only work with Internet Explorer
  • You must have administrator rights to run this scan
  • This scan can take a while, so please be patient

Post me the log along with a fresh DSS log in your next reply.

Regards,
RatHat

#23
cherriedpie


    Member

  • Topic Starter
  • Member
  • 17 posts
Scanning Report
Monday, April 07, 2008 17:32:47 - 21:18:14

Computer name: CALADAN
Scanning type: Scan system for malware, rootkits
Target: C:\ E:\ F:\ G:\
Result: 1 malware found
Tracking Cookie (spyware)

* System

Statistics
Scanned:

* Files: 80232
* System: 4474
* Not scanned: 6

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 1
* Submitted: 0

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

Options
Scanning engines:

* F-Secure USS: 2.30.0
* F-Secure Blacklight: 1.0.64
* F-Secure Hydra: 2.8.8110, 2008-04-07
* F-Secure Pegasus: 1.20.0, 2008-02-28
* F-Secure AVP: 7.0.171, 2008-04-07

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics


Edited by cherriedpie, 07 April 2008 - 07:17 AM.


#24
RatHat


    Ex Malware Expert

  • Expert
  • 7,829 posts
Could you post me the new DSS log please. Also did you remove uTorrent?

Regards,
RatHat

#25
cherriedpie


    Member

  • Topic Starter
  • Member
  • 17 posts
Deckard's System Scanner v20071014.68
Run by kuroko on 2008-04-08 23:00:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as kuroko.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00:11 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
E:\Google Pinyin\GooglePinyinDaemon.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Documents and Settings\kuroko\Desktop\dss.exe
C:\DOCUME~1\kuroko\Desktop\kuroko.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C41 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C41 Series" /O6 "USB001" /M "Stylus C41"
O4 - HKLM\..\Run: [Google IME Autoupdater] "E:\Google Pinyin\GooglePinyinDaemon.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [EPSON Stylus C41 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\system32\E_S4F.tmp"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-18\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.c.../NowStarter.cab
O16 - DPF: {0AE0F5F9-8233-49A4-A3C8-004CE190787B} (BMSpeedCheck Control) - http://www.pdbox.co....MSpeedCheck.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {14E35D5F-DEBA-4DB3-B2ED-17542BA12D1F} (CV781Object Object) - http://tentco.homeip.net/AV718.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {1FAF427B-1EE5-43D3-A023-3009142AFCD4} (CS Order Entry Control (RHS)) - http://download.exce...b/csoex_rhs.cab
O16 - DPF: {1FAF427B-1EE5-43D3-A023-3009142AFCD9} (CS Order Entry Control (MBB)) - https://www.maybank2...b/csoex_mbb.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1176247111030
O16 - DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} (NowStarter Control) - http://www.gogobox.c...GNowStarter.cab
O16 - DPF: {B9B2EE1A-E314-4338-A305-BE845EACB112} (CyberStock 250) - http://download.exce...hs/cab/cswx.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer....l/installer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{BED72584-7F04-4214-B19B-FA43192191EE}: NameServer = 10.0.0.2,10.0.0.5
O20 - AppInit_DLLs: ,wbsys.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\Program Files\McAfee\VirusScan\McShield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 9313 bytes

-- Files created between 2008-03-08 and 2008-04-08 -----------------------------

2008-04-08 22:57:19 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-04-08 22:57:14 0 d-------- C:\Program Files\Security Task Manager
2008-04-07 17:23:15 0 d-------- C:\fsaua.data
2008-04-06 17:07:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-04-06 08:02:05 91700 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-04-06 08:02:05 85860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-04-06 08:01:00 19232 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-04-06 08:01:00 8064032 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-06 08:00:59 0 d-------- C:\Program Files\Kaspersky Lab
2008-04-06 08:00:00 0 d-------- C:\kav
2008-04-05 22:09:04 0 d-------- C:\Documents and Settings\kuroko\DoctorWeb
2008-04-05 00:04:33 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-04 20:38:15 68096 --a------ C:\WINDOWS\zip.exe
2008-04-04 20:38:15 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-04 20:38:15 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-04 20:38:15 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-04 20:38:15 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-04 20:38:15 98816 --a------ C:\WINDOWS\sed.exe
2008-04-04 20:38:15 80412 --a------ C:\WINDOWS\grep.exe
2008-04-04 20:38:15 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-04 20:24:52 0 d-------- C:\Program Files\youar
2008-04-02 22:45:53 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-02 22:45:46 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-02 22:45:46 0 d-------- C:\Documents and Settings\kuroko\Application Data\SUPERAntiSpyware.com
2008-04-02 17:31:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-04-01 07:07:02 1531904 -ra------ C:\WINDOWS\system32\clubbox.exe <Not Verified; Nowcom, Co. LTD.; CLUBBOX File Transfer Manager V2>
2008-04-01 07:06:30 155648 -ra------ C:\WINDOWS\system32\downengine.dll <Not Verified; (?)???; ClubBox>
2008-03-31 22:14:58 0 d-------- C:\Program Files\S450RC
2008-03-31 21:47:09 0 d-------- C:\Program Files\Autoruns
2008-03-31 21:28:06 0 d-------- C:\Program Files\DiskInternals
2008-03-31 20:19:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-31 20:19:02 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-31 18:01:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-03-24 14:10:23 0 d-------- C:\WINDOWS\system32\LogFiles
2008-03-24 14:08:01 0 d-------- C:\Netgear
2008-03-19 09:57:51 0 d-------- C:\Documents and Settings\soon chieh\Contacts
2008-03-10 22:34:48 0 d-------- C:\Documents and Settings\kuroko\Application Data\U3


-- Find3M Report ---------------------------------------------------------------

2008-04-08 22:45:21 0 d-------- C:\Program Files\Common Files
2008-04-04 23:03:34 221617 --a------ C:\Documents and Settings\kuroko\Application Data\NMM-MetaData.db
2008-04-03 17:22:12 0 d-------- C:\Documents and Settings\kuroko\Application Data\PC Suite
2008-03-31 20:19:47 0 d-------- C:\Program Files\Lavasoft
2008-03-06 16:22:26 0 d-------- C:\Program Files\Zoom Player
2008-03-02 02:28:28 0 d-------- C:\Documents and Settings\kuroko\Application Data\Nokia Multimedia Player
2008-03-01 23:28:00 0 d-------- C:\Documents and Settings\kuroko\Application Data\Nokia
2008-03-01 23:18:30 0 d-------- C:\Program Files\Common Files\PCSuite
2008-03-01 23:18:28 0 d-------- C:\Program Files\Common Files\Nokia
2008-03-01 23:16:39 0 d-------- C:\Program Files\DIFX
2008-03-01 23:16:21 0 d-------- C:\Program Files\PC Connectivity Solution
2008-03-01 23:15:40 0 d-------- C:\Program Files\Nokia
2008-02-25 09:24:40 159744 -ra------ C:\WINDOWS\system32\fscagent.exe <Not Verified; Nowcom Co., Ltd.; FSCAgent>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/31/2004 05:00 PM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [08/31/2004 05:00 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/31/2004 05:00 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/31/2004 05:00 PM]
"nForce Tray Options"="sstray.exe" [11/13/2002 12:34 AM C:\WINDOWS\system32\sstray.exe]
"ClubBox"="" []
"SoundMan"="SOUNDMAN.EXE" [06/18/2004 04:31 PM C:\WINDOWS\SOUNDMAN.EXE]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [10/07/2006 09:51 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/01/2006 04:57 PM]
"EPSON Stylus C41 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [02/18/2002 08:03 PM]
"Google IME Autoupdater"="E:\Google Pinyin\GooglePinyinDaemon.exe" [01/07/2008 03:15 AM]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [06/13/2006 05:20 AM]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [06/18/2007 04:10 PM]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [02/08/2008 06:36 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [02/10/2005 05:00 PM]
"EPSON Stylus C41 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [02/18/2002 08:03 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/31/2004 05:00 PM]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Norton SystemWorks"="C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 11:05:26 PM]
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [9/25/2005 10:45:41 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/12/2001 5:01:04 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 01/31/2005 04:13 PM 49152 C:\PROGRA~1\COMMON~1\stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 11/30/2007 12:36 AM 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= ,wbsys.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e83aa278-2a6b-11da-81b7-806d6172696f}]
AutoRun\command- D:\Autorun.exe root.ini

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9032c31-eb06-11dc-86e5-00179a3a12da}]
AutoRun\command- H:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-04-08 23:01:04 ------------

#26
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Hi there,

You are looking clean now. How is the computer performing after removing uTorrent and AntiVir?

Regards,
RatHat

#27
cherriedpie

cherriedpie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
I deleted Kaspersky after I realized it could be the program causing the blue screen because it's been eating up so much memory with its auto-scanning. So I re-downloaded Avira and I'm using it now, with Windows Firewall. Hope that's enough security. Also, my computer is looking fine for now. ^^

#28
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Could you post me a HijackThis log so I can make a last check on your system?

Thanks,
RatHat

#29
cherriedpie

cherriedpie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:29:12 PM, on 4/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
E:\Google Pinyin\GooglePinyinDaemon.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C41 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C41 Series" /O6 "USB001" /M "Stylus C41"
O4 - HKLM\..\Run: [Google IME Autoupdater] "E:\Google Pinyin\GooglePinyinDaemon.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [EPSON Stylus C41 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\system32\E_S4F.tmp"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-18\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.c.../NowStarter.cab
O16 - DPF: {0AE0F5F9-8233-49A4-A3C8-004CE190787B} (BMSpeedCheck Control) - http://www.pdbox.co....MSpeedCheck.cab
O16 - DPF: {14E35D5F-DEBA-4DB3-B2ED-17542BA12D1F} (CV781Object Object) - http://tentco.homeip.net/AV718.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {1FAF427B-1EE5-43D3-A023-3009142AFCD4} (CS Order Entry Control (RHS)) - http://download.exce...b/csoex_rhs.cab
O16 - DPF: {1FAF427B-1EE5-43D3-A023-3009142AFCD9} (CS Order Entry Control (MBB)) - https://www.maybank2...b/csoex_mbb.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1176247111030
O16 - DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} (NowStarter Control) - http://www.gogobox.c...GNowStarter.cab
O16 - DPF: {B9B2EE1A-E314-4338-A305-BE845EACB112} (CyberStock 250) - http://download.exce...hs/cab/cswx.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer....l/installer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{BED72584-7F04-4214-B19B-FA43192191EE}: NameServer = 10.0.0.2,10.0.0.5
O20 - AppInit_DLLs: ,wbsys.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\Program Files\McAfee\VirusScan\McShield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 8825 bytes
  • 0
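For readers following the final log check, here is an added example (not part of the thread and not HijackThis code) that parses the log format posted above, groups entries by section code, and lists the ones HijackThis tagged "(file missing)", meaning the entry still exists but the file it points to is no longer on disk, as with the leftover McAfee services. The function names are hypothetical and the sample lines are copied from the log in this post.

```python
import re
from collections import Counter

# Usual meaning of the section codes that appear in the log above.
SECTIONS = {
    "R3": "URLSearchHook",
    "O2": "Browser Helper Object",
    "O4": "Autostart (Run keys / Startup folder)",
    "O20": "AppInit_DLLs / Winlogon Notify",
    "O23": "Windows service",
}
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING = "(file missing)"

# Sample input: a few lines taken from the HijackThis log posted above.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal
Running processes:
C:\WINDOWS\system32\svchost.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O20 - AppInit_DLLs: ,wbsys.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\Program Files\McAfee\VirusScan\McShield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
"""


def parse_log(text):
    """Return one dict per 'Xnn - ...' entry; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        missing = body.endswith(MISSING)
        if missing:
            body = body[: -len(MISSING)].rstrip()
        clsid = CLSID_RE.search(body)
        entries.append({
            "code": m.group("code"),
            "section": SECTIONS.get(m.group("code"), "other"),
            "body": body,
            "clsid": clsid.group(0) if clsid else None,
            "file_missing": missing,
        })
    return entries


def count_by_code(entries):
    """Number of entries per section code, e.g. {'O23': 3}."""
    return dict(Counter(e["code"] for e in entries))


def orphaned(entries):
    """Entries whose target file HijackThis could not find on disk."""
    return [e for e in entries if e["file_missing"]]


def appinit_dlls(entries):
    """DLL names listed in the O20 AppInit_DLLs value (empty items dropped)."""
    dlls = []
    for e in entries:
        if e["code"] == "O20" and e["body"].startswith("AppInit_DLLs:"):
            value = e["body"].split(":", 1)[1]
            dlls += [d.strip() for d in value.split(",") if d.strip()]
    return dlls


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(count_by_code(parsed))
    for e in orphaned(parsed):
        print("orphaned:", e["code"], e["section"], "-", e["body"])
    print("AppInit_DLLs:", appinit_dlls(parsed))
```
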

#30
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Hey there,

OK! Well done, your log is clean again! :)

The first thing we need to do is to remove all the tools that you have used. This is so that should you ever be re-infected, you will download updated versions. It will also remove the quarantined Malware from your computer.

Click Here to download OTCleanIt
Double-click OTCleanIt.exe to run it.
Click the Clean up button
Click Yes to the reboot.

OK, let's carry out a few preventative steps to make sure you reduce the risk of further infections.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now let's Reset and Re-enable your System Restore to remove any infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected, but that's good news).

Turn OFF System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Restart your computer.

Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.

System Restore will now be active again.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Next, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.

Reset Hidden/System Files & Folders
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
  • CHECK the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Another essential is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats; Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Automatic Updates for Windows
  • Click Start.
  • Select Settings and then Control Panel.
  • Select Automatic Updates.
  • Click Automatic (recommended)
  • Choose a day and a time when you know the computer will be on and connected to the internet.
  • Click Apply then OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


In addition to Windows updates, you also need to ensure that your version of Java is the latest. Click here to download the latest version (Java Runtime Environment (JRE) 6 Update 5). Once downloaded, install it and then Reboot your computer.

It is most important that you also uninstall older versions of Java.
  • Click Start, Control Panel, Add/Remove Programs.
  • Delete all Java updates except Java™ 6 Update 5
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


OK, now let's download some preventative programs that will help to keep the nasties away! We will start with Anti Spyware programs. I would advise getting a couple of them at least, and running each at least once a month.

Anti Spyware
  • SpywareBlaster to help prevent spyware from installing in the first place. A tutorial can be found here.
  • SpywareGuard to catch and block spyware before it can execute. A tutorial can be found here.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email. A tutorial can be found here.
  • Spybot Search & Destroy a powerful tool which can "search and destroy" nasties that make it onto your system. Now with an Immunize section that will help prevent future infections. A tutorial can be found here.
  • AdAware another very powerful tool which searches and kills nasties that infect your system. A tutorial can be found here. AdAware and Spybot Search & Destroy complement each other very well.

Note: If you find your system slows down after installing any of these, just uninstall it, or disable it from running at startup.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Next let's look at Firewalls. These help to prevent unauthorised access both to and from the internet or your local network. A firewall is considered a first line of defense in protecting private information. Below are two free firewalls to choose from, if you do not already have one. Note: You only need one firewall on your system.

Personal Firewalls

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Nearly done! If you like to use chat, MSN and Yahoo have vulnerabilities that can leave you open to infections. There are however a couple of very good, Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN):

Instant Messengers

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Lastly, it is a good idea to clear out all your temp files every now and again. This will help keep your computer from bogging down and slowing. It also can assist in getting rid of files that may contain malicious code that could re-infect your computer.

Temp File Cleaners
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Note: Do NOT run this program if you have XP Professional 64 bit edition.
  • ATF Cleaner A very powerful cleaning program for XP and Windows 2000 only. Note: You may have this already as part of the fixes you have run.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I will keep this log open for the next couple of days, so if you have any further problems post another reply here.

OK, all the best, and stay safe!

Best regards,
RatHat