Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Computer totally infected by viruses [RESOLVED]


  • This topic is locked This topic is locked

#1
Fidel Castro

Fidel Castro

    Member

  • Member
  • PipPipPip
  • 162 posts
Hello! [again]

First I have to say that my computer is working great, thanks to the great JSntgRvr.

But I'm right now in the other town where my sister lives and her computer [this one] it totally infected by viruses.

I have problems with everything. I can't open Yahoo, I often can't download many thing from the internet, the computer restart without any reason, without any "time rule" or anything...

I see that Kaspersky is installed in this computer and I often see messages abour viruses like Trojans etc.

My probles have been alsways solved in less than 7 days but this time I need a favor to solve this as soon as possble because I'm leaving on Thuesday and my sister can't solve this problem alone. So I would really appreciate if you can help me as soon as possible.

Here is the HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:05:41 PM, on 6/14/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\System32\VTtrayp.exe
C:\Program Files\Common Files\PrivacyConductor\stm.exe
C:\Program Files\Common Files\PCPrivacyTool\stm.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: C:\WINDOWS\System32\hg543fdg.dll - {B2AC49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\System32\hg543fdg.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\TrustedAntivirus\bm.exe" dm=http://trustedantivirus.com ad=http://trustedantivirus.com sd=http://ykeeper.trustedantivirus.com
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\PrivacyConductor\stm.exe" dm=http://privacyconductor.com ad=http://privacyconductor.com sd=http://ilp.privacyconductor.com
O4 - HKLM\..\Run: [Salestart(1)] "C:\Program Files\Common Files\PCPrivacyTool\stm.exe" dm=http://pcprivacytool.com ad=http://pcprivacytool.com sd=http://ilp.pcprivacytool.com
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: MSWin--77365122.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: ConferenceRoom Java Client - http://irc.cg.yu:8000/java/cr.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangoc.../bridge-c32.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O24 - Desktop Component 0: (no name) - http://ehg-nokiafin....mp;vpc=090101rn

--End of file - 6966 bytes


Onace again, I need to treat this issue as soon as possible...

Thanks a lot in advance,

Fidel
  • 0

Advertisements


#2
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,958 posts
Hi again, Fidel :)

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.

    Go to Start -> Run, copy and paste the following command (entirely) and click OK:

    CMD /C REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system /v DisableRegedit /t REG_DWORD /d 0 /f

    Then:
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: C:\WINDOWS\System32\hg543fdg.dll - {B2AC49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\System32\hg543fdg.dll (file missing)
O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\TrustedAntivirus\bm.exe" dm=http://trustedantivirus.com ad=http://trustedantivirus.com sd=http://ykeeper.trustedantivirus.com
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\PrivacyConductor\stm.exe" dm=http://privacyconductor.com ad=http://privacyconductor.com sd=http://ilp.privacyconductor.com
O4 - HKLM\..\Run: [Salestart(1)] "C:\Program Files\Common Files\PCPrivacyTool\stm.exe" dm=http://pcprivacytool.com ad=http://pcprivacytool.com sd=http://ilp.pcprivacytool.com
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: MSWin--77365122.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: ConferenceRoom Java Client - http://irc.cg.yu:8000/java/cr.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangoc.../bridge-c32.cab
O24 - Desktop Component 0: (no name) - http://ehg-nokiafin....mp;vpc=090101rn


Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

Close Hijackthis.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the entire contents of the codebox below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [kill explorer]C:\Program Files\Common Files\PrivacyConductorC:\Program Files\Common Files\TrustedAntivirusC:\Program Files\Common Files\PCPrivacyTool%UserProfile%\start menu\programs\startup\MSWin--77365122.exec:\eied_s7.cabEmptyTemp[start explorer]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh Hijackthis log.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
  • 0

#3
Fidel Castro

Fidel Castro

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 162 posts
Hi,

First thanks a lot for the fast reply...

Ok, here is OTMoveIt2 log...

< [kill explorer]C:\Program Files\Common Files\PrivacyConductorC:\Program Files\Common Files\TrustedAntivirusC:\Program Files\Common Files\PCPrivacyTool%UserProfile%\start menu\programs\startup\MSWin--77365122.exec:\eied_s7.cabEmptyTemp[start explorer] >
File/Folder [kill explorer]C:\Program Files\Common Files\PrivacyConductorC:\Program Files\Common Files\TrustedAntivirusC:\Program Files\Common Files\PCPrivacyTool%UserProfile%\start menu\programs\startup\MSWin--77365122.exec:\eied_s7.cabEmptyTemp[start explorer] not found.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06152008_002843


Here is the MBAM log...

Malwarebytes' Anti-Malware 1.17
Database version: 856

12:59:21 AM 6/15/2008
mbam-log-6-15-2008 (00-59-21).txt

Scan type: Quick Scan
Objects scanned: 47381
Time elapsed: 15 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 22
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 11
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{610e0e95-8f2f-4b71-966e-f91701d4dc2c} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mediagatewayx.installer (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mediagatewayx.installer.1 (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{67a89831-6bc7-4cc0-a2c3-560f9a581e64} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{91e523db-2a1c-4231-bb06-9be27c28739a} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{dd469a88-316c-441d-b712-783d9b9a6707} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{981bda1d-c8ad-46ff-be2c-fddd859ac6f5} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{d28cd14c-50be-4cfa-951e-b37f25da3472} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{ea7522f6-87cf-411e-8a55-19ee4344b676} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{ea7522f6-87cf-411e-8a55-19ee4344b676} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d761645b-6b20-4698-aee8-729981152a82} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sbiebho.iefw (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sbiebho.iefw.2 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6f87f145-dc2d-4766-af03-3a3b96ffad98} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popupblocker.iegpb (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popupblocker.iegpb.1 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5c3f6257-3e00-45c2-88d5-cb0f3a17bf0e} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Purchased Products (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\pblock.DLL (Rogue.PCSecureSystem) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ugac (Rogue.PCSecureSystem) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\Shell\Secure Delete (Rogue.SecurePCCleaner) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Zango (Adware.Zango) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Products\rdomain (Rogue.PCVirusless) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Products\prodname (Rogue.PCVirusless) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Products\compname (Rogue.PCVirusless) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\TrustedAntivirus (Rogue.TrustedProtection) -> Quarantined and deleted successfully.
C:\TrustedAntivirus\AVQuar (Rogue.TrustedProtection) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\PCPrivacyTool (Rogue.PCPrivacyTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\PCPrivacyTool (Rogue.PCPrivacyTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\PrivacyConductor (Rogue.PrivacyConductor) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\PrivacyConductor (Rogue.PrivacyConductor) -> Quarantined and deleted successfully.
C:\Documents and Settings\x\Local Settings\Temp\NI.UGA6P_0001_N122M2210 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\x\Application Data\TrustedAntivirus (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\x\Application Data\TrustedAntivirus\Logs (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\x\Application Data\PCPrivacyTool (Rogue.PCPrivacyTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\x\Application Data\PCPrivacyTool\Logs (Rogue.PCPrivacyTool) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\sqlite3.dll (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M2210NetInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UGA6P_0001_N122M2210NetInstaller.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\x\Local Settings\Temp\installer_en.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\x\Application Data\setup_en[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\PCPrivacyTool\stm.exe (Rogue.PCPrivacyTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\PCPrivacyTool\Abbr (Rogue.PCPrivacyTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\PCPrivacyTool\actn_email (Rogue.PCPrivacyTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\PCPrivacyTool\actn_name (Rogue.PCPrivacyTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\PCPrivacyTool\actn_order_id (Rogue.PCPrivacyTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\PCPrivacyTool\prod_code (Rogue.PCPrivacyTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\PrivacyConductor\Abbr (Rogue.PrivacyConductor) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\PrivacyConductor\prod_code (Rogue.PrivacyConductor) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\PrivacyConductor\stm.exe (Rogue.PrivacyConductor) -> Quarantined and deleted successfully.
C:\Documents and Settings\x\Local Settings\Temp\NI.UGA6P_0001_N122M2210\settings.ini (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\x\Local Settings\Temp\NI.UGA6P_0001_N122M2210\setup.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\x\Local Settings\Temp\NI.UGA6P_0001_N122M2210\setup.len (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\x\Application Data\TrustedAntivirus\Logs\threats.log (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\x\Application Data\TrustedAntivirus\Logs\update.log (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\x\Application Data\PCPrivacyTool\Logs\update.log (Rogue.PCPrivacyTool) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\autorun.inf (Trojan.Agent) -> Quarantined and deleted successfully.


And this is the final HiJackThis log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:15:04 AM, on 6/15/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\System32\VTtrayp.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5106 bytes


P.S. I have to say that I had a few errors during some operations but I think everything finished OK...
  • 0

#4
Fidel Castro

Fidel Castro

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 162 posts
P.S.

I just wanted to say that I noticed that now my computer is working a little bit faster [at least the system is restoring faster] but I still get messages from Kaspersky AntiVisrus that my computer is infected etc.

My computer is still restarting without any reason...

P.S. What about the antivirus? Should I remove Kaspersky? Or get something else?

Tnx
  • 0

#5
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,958 posts
Kaspersky AntiVirus is a good program.

Open Notepad. Select Format from the menu. Make sure Word Wrap is not checked.

Please run the OTMoveit Fix again. Seems that the script was read as a single line.

Then download ComboFix from url="http://subs.geekstog.../ComboFix.exe"]Here[/url] or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  • 0

#6
Fidel Castro

Fidel Castro

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 162 posts
Ok, here is the ComboFix log...

ComboFix 08-06-12.2 - x 2008-06-15 11:04:43.1 - NTFSx86
Running from: C:\Documents and Settings\x\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\x\ResErrors.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DHLP
-------\Legacy_PROTECT
-------\Legacy_SYSLIBRARY


((((((((((((((((((((((((( Files Created from 2008-05-15 to 2008-06-15 )))))))))))))))))))))))))))))))
.

2008-06-15 01:00 . 2008-06-15 01:00 0 --a------ C:\2008-06-15 at 01
2008-06-15 00:31 . 2008-06-15 00:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-15 00:31 . 2008-06-15 00:31 <DIR> d-------- C:\Documents and Settings\x\Application Data\Malwarebytes
2008-06-15 00:31 . 2008-06-15 00:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-15 00:31 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-15 00:31 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-15 00:28 . 2008-06-15 00:28 <DIR> d-------- C:\_OTMoveIt
2008-06-15 00:23 . 2008-06-15 00:23 <DIR> d-------- C:\Program Files\Screenshot Pilot
2008-06-14 14:05 . 2008-06-14 14:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-30 18:31 . 2008-05-30 18:31 <DIR> d-------- C:\Program Files\EA SPORTS
2008-05-30 18:04 . 2008-06-13 21:28 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-30 18:04 . 2004-08-22 16:31 155,136 --a------ C:\WINDOWS\system32\drivers\d347bus.sys
2008-05-30 18:04 . 2004-08-22 16:31 5,248 --a------ C:\WINDOWS\system32\drivers\d347prt.sys
2008-05-30 18:03 . 2008-05-30 18:03 <DIR> d-------- C:\Program Files\D-Tools
2008-05-30 17:36 . 2008-05-30 17:49 <DIR> d-------- C:\Documents and Settings\x\Application Data\LimeWire
2008-05-30 17:35 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-30 17:24 . 2008-05-30 17:34 <DIR> d-------- C:\Program Files\Java
2008-05-30 17:19 . 2008-05-30 17:19 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-30 17:14 . 2008-05-30 17:16 <DIR> d-------- C:\Program Files\LimeWire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-15 09:16 7,952,928 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-15 09:11 228,384 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-15 09:11 20,684 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-15 09:11 107,540 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-15 08:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-14 12:30 --------- d-----w C:\Program Files\OpenOffice.org1.1.4
2008-05-29 18:44 88,774 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2008-05-28 15:24 96,966 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-05-28 15:24 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-05-21 14:24 8,192 ----a-w C:\WINDOWS\java\Local Data\x\STG10C.tmp
2008-05-13 20:17 --------- d-----w C:\Documents and Settings\x\Application Data\HPAppData
2008-05-06 14:48 494,617 ----a-w C:\WINDOWS\java\Packages\Y20GY71J.ZIP
2008-01-15 23:35 260,128 ----a-w C:\Documents and Settings\x\Application Data\installer_en[1].exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 05:41 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-08 21:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-03-12 11:33 147456 C:\WINDOWS\system32\VTTrayp.exe]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 10:52 1368064]
"Device Detector"="DevDetect.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05 81920]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-12-18 01:43 227856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 05:41 13312]

C:\Documents and Settings\x\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VIA RAID TOOL.lnk
backup=C:\WINDOWS\pss\VIA RAID TOOL.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^x^Start Menu^Programs^Startup^OpenOffice.org 1.1.4.lnk]
path=C:\Documents and Settings\x\Start Menu\Programs\Startup\OpenOffice.org 1.1.4.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 1.1.4.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f94mggfhfghodftdf]
C:\DOCUME~1\x\LOCALS~1\Temp\winlogan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Firewall auto setup]
C:\DOCUME~1\x\LOCALS~1\Temp\winlogon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gsfjefefue9fidjfod]
C:\DOCUME~1\x\LOCALS~1\Temp\lsass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-03-11 21:34 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---h----- 2002-08-20 15:08 1511453 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-06-15 12:36 229376 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2006-06-27 16:21 1449984 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ptask]
C:\Program Files\TrustedAntivirus\ptask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-06 22:32 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TelSIP]
--a------ 2005-06-10 09:17 958464 C:\Program Files\TelSIP\TelSIP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

R0 bdoeevwz;bdoeevwz;C:\WINDOWS\System32\drivers\btkyjrlz.dat []
R3 iadusb;MT882;C:\WINDOWS\System32\DRIVERS\glauiad.sys [2006-03-20 09:32]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\System32\DRIVERS\klim5.sys [2007-12-13 14:28]
S0 wasfsd;wasfsd;C:\WINDOWS\System32\drivers\wasfsd.sys []
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\System32\DRIVERS\ss_bus.sys [2005-08-30 18:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\System32\DRIVERS\ss_mdfl.sys [2005-08-30 18:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\System32\DRIVERS\ss_mdm.sys [2005-08-30 18:59]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-15 11:14:11
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bdoeevwz]
"ImagePath"="system32\drivers\btkyjrlz.dat"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2008-06-15 11:25:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-15 09:24:59

Pre-Run: 2,314,219,520 bytes free
Post-Run: 3,571,904,512 bytes free

155


And the fresh HiJackThis log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:30:57 AM, on 6/15/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\System32\VTtrayp.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5118 bytes

  • 0

#7
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,958 posts
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
File::C:\Documents and Settings\x\Application Data\installer_en[1].exeC:\WINDOWS\java\Local Data\x\STG10C.tmpC:\WINDOWS\System32\drivers\btkyjrlz.datC:\WINDOWS\System32\drivers\wasfsd.sysDriver::wasfsdbdoeevwzRegistry::[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Device Detector"=-[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f94mggfhfghodftdf][-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Firewall auto setup][-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gsfjefefue9fidjfod]

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log..
  • 0

#8
Fidel Castro

Fidel Castro

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 162 posts
Ok, here is the new ComboFix log...

ComboFix 08-06-12.2 - x 2008-06-15 17:49:25.2 - NTFSx86
Running from: C:\Documents and Settings\x\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\x\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
File::C:\Documents and Settings\x\Application Data\installer_en[1].exeC:\WINDOWS\java\Local Data\x\STG10C.tmpC:\WINDOWS\System32\drivers\btkyjrlz.datC:\WINDOWS\System32\drivers\wasfsd.sysDriver::wasfsdbdoeevwzRegistry::[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Device Detector"=-[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f94mggfhfghodftdf][-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Firewall auto setup][-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gsfjefefue9fidjfod]
.

((((((((((((((((((((((((( Files Created from 2008-05-15 to 2008-06-15 )))))))))))))))))))))))))))))))
.

2008-06-15 01:00 . 2008-06-15 01:00 0 --a------ C:\2008-06-15 at 01
2008-06-15 00:31 . 2008-06-15 00:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-15 00:31 . 2008-06-15 00:31 <DIR> d-------- C:\Documents and Settings\x\Application Data\Malwarebytes
2008-06-15 00:31 . 2008-06-15 00:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-15 00:31 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-15 00:31 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-15 00:28 . 2008-06-15 00:28 <DIR> d-------- C:\_OTMoveIt
2008-06-15 00:23 . 2008-06-15 00:23 <DIR> d-------- C:\Program Files\Screenshot Pilot
2008-06-14 14:05 . 2008-06-14 14:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-30 18:31 . 2008-05-30 18:31 <DIR> d-------- C:\Program Files\EA SPORTS
2008-05-30 18:04 . 2008-06-13 21:28 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-30 18:04 . 2004-08-22 16:31 155,136 --a------ C:\WINDOWS\system32\drivers\d347bus.sys
2008-05-30 18:04 . 2004-08-22 16:31 5,248 --a------ C:\WINDOWS\system32\drivers\d347prt.sys
2008-05-30 18:03 . 2008-05-30 18:03 <DIR> d-------- C:\Program Files\D-Tools
2008-05-30 17:36 . 2008-05-30 17:49 <DIR> d-------- C:\Documents and Settings\x\Application Data\LimeWire
2008-05-30 17:35 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-30 17:24 . 2008-05-30 17:34 <DIR> d-------- C:\Program Files\Java
2008-05-30 17:19 . 2008-05-30 17:19 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-30 17:14 . 2008-05-30 17:16 <DIR> d-------- C:\Program Files\LimeWire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-15 15:53 8,053,280 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-15 15:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-15 11:39 228,384 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-15 11:39 20,828 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-15 11:39 108,476 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-14 12:30 --------- d-----w C:\Program Files\OpenOffice.org1.1.4
2008-05-29 18:44 88,774 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2008-05-28 15:24 96,966 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-05-28 15:24 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-05-21 14:24 8,192 ----a-w C:\WINDOWS\java\Local Data\x\STG10C.tmp
2008-05-13 20:17 --------- d-----w C:\Documents and Settings\x\Application Data\HPAppData
2008-05-06 14:48 494,617 ----a-w C:\WINDOWS\java\Packages\Y20GY71J.ZIP
2008-01-15 23:35 260,128 ----a-w C:\Documents and Settings\x\Application Data\installer_en[1].exe
.

((((((((((((((((((((((((((((( [email protected]_11.23.12.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-15 09:12:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-15 15:32:13 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-06-14 20:46:51 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-06-15 15:32:39 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-06-14 20:46:51 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-06-15 15:32:39 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-06-15 15:50:05 616,448 ---ha-w C:\WINDOWS\TEMP\StashIMAPI.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 05:41 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-08 21:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-03-12 11:33 147456 C:\WINDOWS\system32\VTTrayp.exe]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 10:52 1368064]
"Device Detector"="DevDetect.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 05:41 13312]

C:\Documents and Settings\x\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VIA RAID TOOL.lnk
backup=C:\WINDOWS\pss\VIA RAID TOOL.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^x^Start Menu^Programs^Startup^OpenOffice.org 1.1.4.lnk]
path=C:\Documents and Settings\x\Start Menu\Programs\Startup\OpenOffice.org 1.1.4.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 1.1.4.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f94mggfhfghodftdf]
C:\DOCUME~1\x\LOCALS~1\Temp\winlogan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Firewall auto setup]
C:\DOCUME~1\x\LOCALS~1\Temp\winlogon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gsfjefefue9fidjfod]
C:\DOCUME~1\x\LOCALS~1\Temp\lsass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-03-11 21:34 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---h----- 2002-08-20 15:08 1511453 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-06-15 12:36 229376 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2006-06-27 16:21 1449984 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ptask]
C:\Program Files\TrustedAntivirus\ptask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-06 22:32 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TelSIP]
--a------ 2005-06-10 09:17 958464 C:\Program Files\TelSIP\TelSIP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

R0 bdoeevwz;bdoeevwz;C:\WINDOWS\System32\drivers\btkyjrlz.dat []
R3 iadusb;MT882;C:\WINDOWS\System32\DRIVERS\glauiad.sys [2006-03-20 09:32]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\System32\DRIVERS\klim5.sys [2007-12-13 14:28]
S0 wasfsd;wasfsd;C:\WINDOWS\System32\drivers\wasfsd.sys []
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\System32\DRIVERS\ss_bus.sys [2005-08-30 18:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\System32\DRIVERS\ss_mdfl.sys [2005-08-30 18:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\System32\DRIVERS\ss_mdm.sys [2005-08-30 18:59]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-15 17:54:13
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\bdoeevwz]
"ImagePath"="system32\drivers\btkyjrlz.dat"
.
Completion time: 2008-06-15 17:57:40
ComboFix-quarantined-files.txt 2008-06-15 15:57:33
ComboFix2.txt 2008-06-15 09:25:56

Pre-Run: 3,788,988,416 bytes free
Post-Run: 3,798,020,096 bytes free

151


And the new HijiackThis log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:00:16 PM, on 6/15/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\System32\VTtrayp.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5045 bytes

  • 0

#9
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,958 posts
This wont work as it seems that the fix is a single line:

FILE ::
File::C:\Documents and Settings\x\Application Data\installer_en[1].exeC:\WINDOWS\java\Local Data\x\STG10C.tmpC:\WINDOWS\System32\drivers\btkyjrlz.datC:\WINDOWS\System32\drivers\wasfsd.sysDriver::wasfsdbdoeevwzRegistry::[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Device Detector"=-[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f94mggfhfghodftdf][-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Firewall auto setup][-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gsfjefefue9fidjfod]


It should look like this:

File::
C:\Documents and Settings\x\Application Data\installer_en[1].exe
C:\WINDOWS\java\Local Data\x\STG10C.tmp
C:\WINDOWS\System32\drivers\btkyjrlz.dat
C:\WINDOWS\System32\drivers\wasfsd.sys

Driver::
wasfsd
bdoeevwz

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Device Detector"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f94mggfhfghodftdf]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Firewall auto setup]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gsfjefefue9fidjfod]


It happened before with OTMoveIt. Is either the Word Wrap in Notepad, or you may be using a program, other than Notepad. Please repeat the fix. Make sure it looks as above.
  • 0

#10
Fidel Castro

Fidel Castro

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 162 posts
What about now?

ComboFix 08-06-12.2 - x 2008-06-15 19:56:56.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.47 [GMT 2:00]
Running from: C:\Documents and Settings\x\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\x\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\x\Application Data\installer_en[1].exe
C:\WINDOWS\java\Local Data\x\STG10C.tmp
C:\WINDOWS\System32\drivers\btkyjrlz.dat
C:\WINDOWS\System32\drivers\wasfsd.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\x\Application Data\installer_en[1].exe
C:\WINDOWS\java\Local Data\x\STG10C.tmp
C:\WINDOWS\System32\drivers\btkyjrlz.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BDOEEVWZ
-------\Service_bdoeevwz
-------\Service_wasfsd


((((((((((((((((((((((((( Files Created from 2008-05-15 to 2008-06-15 )))))))))))))))))))))))))))))))
.

2008-06-15 01:00 . 2008-06-15 01:00 0 --a------ C:\2008-06-15 at 01
2008-06-15 00:31 . 2008-06-15 00:31 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-15 00:31 . 2008-06-15 00:31 <DIR> d-------- C:\Documents and Settings\x\Application Data\Malwarebytes
2008-06-15 00:31 . 2008-06-15 00:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-15 00:31 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-15 00:31 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-15 00:28 . 2008-06-15 00:28 <DIR> d-------- C:\_OTMoveIt
2008-06-15 00:23 . 2008-06-15 00:23 <DIR> d-------- C:\Program Files\Screenshot Pilot
2008-06-14 14:05 . 2008-06-14 14:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-30 18:31 . 2008-05-30 18:31 <DIR> d-------- C:\Program Files\EA SPORTS
2008-05-30 18:04 . 2008-06-13 21:28 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-30 18:04 . 2004-08-22 16:31 155,136 --a------ C:\WINDOWS\system32\drivers\d347bus.sys
2008-05-30 18:04 . 2004-08-22 16:31 5,248 --a------ C:\WINDOWS\system32\drivers\d347prt.sys
2008-05-30 18:03 . 2008-05-30 18:03 <DIR> d-------- C:\Program Files\D-Tools
2008-05-30 17:36 . 2008-05-30 17:49 <DIR> d-------- C:\Documents and Settings\x\Application Data\LimeWire
2008-05-30 17:35 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-30 17:24 . 2008-05-30 17:34 <DIR> d-------- C:\Program Files\Java
2008-05-30 17:19 . 2008-05-30 17:19 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-30 17:14 . 2008-05-30 17:16 <DIR> d-------- C:\Program Files\LimeWire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-15 18:05 8,139,296 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-15 18:02 228,384 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-15 18:02 21,380 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-15 18:02 110,036 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-15 16:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-14 12:30 --------- d-----w C:\Program Files\OpenOffice.org1.1.4
2008-05-29 18:44 88,774 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2008-05-28 15:24 96,966 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-05-28 15:24 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-05-13 20:17 --------- d-----w C:\Documents and Settings\x\Application Data\HPAppData
2008-05-06 14:48 494,617 ----a-w C:\WINDOWS\java\Packages\Y20GY71J.ZIP
.

((((((((((((((((((((((((((((( [email protected]_11.23.12.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-15 09:12:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-15 18:03:13 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-06-14 20:46:51 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-06-15 15:32:39 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-06-14 20:46:51 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-06-15 15:32:39 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 05:41 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-08 21:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-03-12 11:33 147456 C:\WINDOWS\system32\VTTrayp.exe]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-04-01 10:52 1368064]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05 81920]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-12-18 01:43 227856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 05:41 13312]

C:\Documents and Settings\x\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-03-11 21:26:24 210520]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VIA RAID TOOL.lnk
backup=C:\WINDOWS\pss\VIA RAID TOOL.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^x^Start Menu^Programs^Startup^OpenOffice.org 1.1.4.lnk]
path=C:\Documents and Settings\x\Start Menu\Programs\Startup\OpenOffice.org 1.1.4.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 1.1.4.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-03-11 21:34 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---h----- 2002-08-20 15:08 1511453 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2006-06-15 12:36 229376 C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2006-06-27 16:21 1449984 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ptask]
C:\Program Files\TrustedAntivirus\ptask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-06 22:32 286720 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TelSIP]
--a------ 2005-06-10 09:17 958464 C:\Program Files\TelSIP\TelSIP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-15 20:03:54
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2008-06-15 20:14:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-15 18:13:32
ComboFix2.txt 2008-06-15 15:57:41
ComboFix3.txt 2008-06-15 09:25:56

Pre-Run: 3,754,749,952 bytes free
Post-Run: 3,754,766,336 bytes free

156


And the Hijack This log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:17:13 PM, on 6/15/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\System32\VTtrayp.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~2.0\adialhk.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4997 bytes

  • 0

Advertisements


#11
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,958 posts
That log looks clear. How is the computer doing?
  • 0

#12
Fidel Castro

Fidel Castro

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 162 posts
Well... The Kaspersky i still saying that there are viruses and etc.

I just didn't have any unexpected restart but I'm afriad it can happen in any moment...
  • 0

#13
JSntgRvr

JSntgRvr

    Global Moderator

  • Global Moderator
  • 10,958 posts
Is it possible to obtain the Kaspersky report? If not, try this:

Please do an online scan with Kaspersky WebScanner (Use internet Explorer)

Click on Accept

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#14
Fidel Castro

Fidel Castro

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 162 posts
I can't...

When I open that link the browser automatically close, the same thing happen to this browser... The others stand open... I closed the Kaspersky but the same thing happened again...

I'll try to scan the PC and post the log here...
  • 0

#15
Fidel Castro

Fidel Castro

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 162 posts
Well... I just scanned the whole PC [more than few hours] and seems to be only 1 virus left or somthing like that...

This is the report of the scan:

Posted Image

But when I wanted to find some detailed log I found a log with 74 viruses found [that is probably the log of the scan made before] but also 1 virus is "untreated"..

Here is the screenshot of that report... [in 2 parts]

Posted Image Posted Image
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP