Locations of Trojans
6/21/2008 11:30:17 AM Owner 1676 Sign of "Win32:Crypt-CIL [Trj]" has been found in "C:\Documents and Settings\Owner.YOUR-89AF14A9B4\Desktop\wr-1-2073.exe" file.
6/21/2008 11:30:51 AM Owner 1676 Sign of "Win32:Crypt-CIL [Trj]" has been found in "http://admin.waverevenue.com/download.php?affID=0002073\unp205992023" file.
6/21/2008 4:06:25 PM Owner 1676 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Program Files\InetGet2\Installeur.exe" file.
6/21/2008 4:06:32 PM Owner 1676 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Program Files\InetGet2\Installeur.exe" file.
6/22/2008 9:20:40 PM Owner 1668 Sign of "Win32:Homles [Trj]" has been found in "C:\WINDOWS\mrofinu2073.exe\[UPX]" file.
6/22/2008 9:54:48 PM Owner 1600 Sign of "Win32:Homles [Trj]" has been found in "C:\WINDOWS\mrofinu2073.exe\[UPX]" file.
6/22/2008 9:57:42 PM Owner 1640 Sign of "Win32:Homles [Trj]" has been found in "C:\WINDOWS\mrofinu2073.exe\[UPX]" file.
6/23/2008 7:47:55 AM Owner 1664 Sign of "Win32:Homles [Trj]" has been found in "C:\WINDOWS\mrofinu2073.exe\[UPX]" file.
6/23/2008 7:51:27 AM Owner 1632 Sign of "Win32:Homles [Trj]" has been found in "C:\WINDOWS\mrofinu2073.exe\[UPX]" file.
6/23/2008 7:52:05 AM Owner 1632 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\IA\ASAPPSRV.DLL" file.
6/23/2008 8:25:22 AM Owner 1632 Sign of "VBS:Malware-gen" has been found in "C:\WINDOWS\IA\KE.vbs" file.
6/23/2008 8:35:39 AM Owner 1632 Sign of "Win32:Small-KXF [Trj]" has been found in "http://download.dailykeys.com/files/spyhunter%203.exe\keygen.exe" file.
6/23/2008 10:57:50 AM Owner 352 Sign of "Win32:Homles [Trj]" has been found in "c:\windows\mrofinu2073.exe\[UPX]" file.
6/23/2008 2:00:51 PM Owner 3264 Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\Documents and Settings\Owner.YOUR-89AF14A9B4\Local Settings\Temp\cmdinst.exe" file.
6/23/2008 2:06:47 PM Owner 3264 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\Program Files\Network Monitor\netmon.exe" file.
6/23/2008 2:11:52 PM Owner 3264 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP37\A0005429.exe" file.
6/23/2008 2:12:20 PM Owner 3264 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP44\A0010541.dll" file.
6/23/2008 2:12:20 PM Owner 3264 Sign of "VBS:Malware-gen" has been found in "C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP44\A0010548.vbs" file.
6/23/2008 2:12:21 PM Owner 3264 Sign of "Win32:Homles [Trj]" has been found in "C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP44\A0010553.exe\[UPX]" file.
6/23/2008 2:12:21 PM Owner 3264 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP44\A0010556.exe" file.
6/23/2008 2:14:37 PM Owner 3264 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\WINDOWS\b104.exe" file.
6/23/2008 2:15:43 PM Owner 3264 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\WINDOWS\IA\command.exe" file.
HijackThis Log
Thanks...Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:20:57 PM, on 6/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rsvp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Documents and Settings\Owner.YOUR-89AF14A9B4\My Documents\WC3\WC3 Programs\Inventory A+.exe
C:\Program Files\LimeWire\LimeWire.exe
c:\program files\warcraft iii\war3.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.c...h...P&M=GT5238E
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...h...P&M=GT5238E
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.c...h...P&M=GT5238E
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [CCUTRAYICON] C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
O4 - HKLM\..\Run: [NMSSupport] "C:\Program Files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe" /startup
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Program Files\Octoshape Streaming Services\Owner\OctoshapeClient.exe" -inv:bootrun
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O23 - Service: Intel® Alert Service (AlertService) - Intel Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Intel® Software Services Manager (ISSM) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: Intel® Viiv Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel® Application Tracker (MCLServiceATL) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel® Remoting Service (Remote UI Service) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 8072 bytes
Edited by ljohnson4541, 23 June 2008 - 01:42 PM.