Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Suspected Loader X Module infection [RESOLVED]

Started by dreadpiratedaz , Aug 31 2005 02:30 PM

  • This topic is locked This topic is locked

#31
tampabelle
Posted 01 October 2005 - 07:37 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0

Advertisements

#32
dreadpiratedaz
Posted 21 October 2005 - 02:01 AM

dreadpiratedaz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Hi Tampabelle,
thaks for opening this string again. Here are the logs: Ad-aware then AVG
cheers
Dreadpiratedaz


Ad-Aware SE Build 1.06r1
Logfile Created on:20 October 2005 22:44:43
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R68 28.09.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):3 total references
Win32.Trojan.StartPage(TAC index:8):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R68 28.09.2005
Internal build : 80
File location : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\defs.ref
File size : 526954 Bytes
Total size : 1581029 Bytes
Signature data size : 1547745 Bytes
Reference data size : 32772 Bytes
Signatures total : 43961
CSI Fingerprints total : 1047
CSI data size : 37307 Bytes
Target categories : 15
Target families : 753

20-10-2005 22:43:46 Performing WebUpdate...

Installing Update...

20-10-2005 22:44:23 Failed
No updates installed.

20-10-2005 22:44:24 <RESTORE BCKP>
Definitions File Loaded:
Reference Number : SE1R68 28.09.2005
Internal build : 80
File location : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\defs.ref
File size : 526954 Bytes
Total size : 1581029 Bytes
Signature data size : 1547745 Bytes
Reference data size : 32772 Bytes
Signatures total : 43961
CSI Fingerprints total : 1047
CSI data size : 37307 Bytes
Target categories : 15
Target families : 753

20-10-2005 22:44:31 <OK>


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium III
Memory available:0 %
Total physical memory:122304 kb
Available physical memory:3684 kb
Total page file size:1974844 kb
Available on page file:1705716 kb
Total virtual memory:2093056 kb
Available virtual memory:2035712 kb
OS:Microsoft Windows Millennium Edition

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Obtain command line of scanned processes
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


20-10-2005 22:44:43 - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [KERNEL32.DLL]
ModuleName : C:\WINDOWS\SYSTEM\KERNEL32.DLL
Command Line : n/a
ProcessID : 4293865637
Threads : 10
Priority : High
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel core component
InternalName : KERNEL32
LegalCopyright : Copyright © Microsoft Corp. 1991-2000
OriginalFilename : KERNEL32.DLL

#:2 [MSGSRV32.EXE]
ModuleName : C:\WINDOWS\SYSTEM\MSGSRV32.EXE
Command Line : n/a
ProcessID : 4294964749
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bit VxD Message Server
InternalName : MSGSRV32
LegalCopyright : Copyright © Microsoft Corp. 1992-1998
OriginalFilename : MSGSRV32.EXE

#:3 [mmtask.tsk]
ModuleName : C:\WINDOWS\SYSTEM\mmtask.tsk
Command Line : n/a
ProcessID : 4294858481
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft Windows
CompanyName : Microsoft Corporation
FileDescription : Multimedia background task support module
InternalName : mmtask.tsk
LegalCopyright : Copyright © Microsoft Corp. 1991-2000
OriginalFilename : mmtask.tsk

#:4 [MPREXE.EXE]
ModuleName : C:\WINDOWS\SYSTEM\MPREXE.EXE
Command Line : C:\WINDOWS\SYSTEM\MPREXE.EXE
ProcessID : 4294860449
Threads : 3
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
LegalCopyright : Copyright © Microsoft Corp. 1993-2000
OriginalFilename : MPREXE.EXE

#:5 [SSDPSRV.EXE]
ModuleName : C:\WINDOWS\SYSTEM\SSDPSRV.EXE
Command Line : C:\WINDOWS\SYSTEM\ssdpsrv.exe
ProcessID : 4294847025
Threads : 5
Priority : Normal
FileVersion : 4.90.3003.0
ProductVersion : 4.90.3003.0
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : SSDP Service on Windows Millennium
InternalName : ssdpsrv.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : ssdpsrv.exe

#:6 [THOTKEY.EXE]
ModuleName : C:\WINDOWS\SYSTEM\THOTKEY.EXE
Command Line : C:\WINDOWS\SYSTEM\THotkey.exe
ProcessID : 4294892305
Threads : 2
Priority : Normal
FileVersion : 1, 0, 0, 0
ProductVersion : 1, 0, 0, 0
ProductName : TOSHIBA THotkey
CompanyName : TOSHIBA Corp.
FileDescription : THotkey
InternalName : THotkey
LegalCopyright : Copyright © 1999
OriginalFilename : THotkey.exe

#:7 [STIMON.EXE]
ModuleName : C:\WINDOWS\SYSTEM\STIMON.EXE
Command Line : C:\WINDOWS\SYSTEM\STIMON.EXE
ProcessID : 4294894661
Threads : 6
Priority : Normal
FileVersion : 4.90.3000.1
ProductVersion : 4.90.3000.1
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Still Image Devices Monitor
InternalName : STIMON
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : STIMON.EXE

#:8 [MSTASK.EXE]
ModuleName : C:\WINDOWS\SYSTEM\MSTASK.EXE
Command Line : mstask.exe
ProcessID : 4294884041
Threads : 3
Priority : Normal
FileVersion : 4.71.2721.1
ProductVersion : 4.71.2721.1
ProductName : Microsoft® Windows® Task Scheduler
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
LegalCopyright : Copyright © Microsoft Corp. 2000
OriginalFilename : mstask.exe

#:9 [KB891711.EXE]
ModuleName : C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
Command Line : n/a
ProcessID : 4294881273
Threads : 1
Priority : Normal
FileVersion : 4.10.2223
ProductVersion : 4.10.2222
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows KB891711 component
InternalName : KB891711
LegalCopyright : Copyright © Microsoft Corp. 1991-2005
OriginalFilename : KB891711.EXE

#:10 [SMC.EXE]
ModuleName : C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
Command Line : "C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE"
ProcessID : 4292941213
Threads : 22
Priority : Normal
FileVersion : 5.6.00.2808
ProductVersion : 5.6.00.2808
ProductName : Sygate® Security Agent and Personal Firewall
CompanyName : Sygate Technologies, Inc.
FileDescription : Sygate Agent Firewall
InternalName : Smc
LegalCopyright : Copyright © 1999 - 2004 Sygate Technologies, Inc. All rights reserved.
OriginalFilename : Smc.EXE

#:11 [HPBPRO.EXE]
ModuleName : C:\WINDOWS\SYSTEM\HPBPRO.EXE
Command Line : C:\WINDOWS\SYSTEM\hpbpro.exe
ProcessID : 4292994001
Threads : 1
Priority : Normal
FileVersion : 1, 0, 42, 0
ProductVersion : 1, 0, 42, 0
ProductName : PortResolver Module
CompanyName : Hewlett-Packard Company
FileDescription : PortResolver Module
InternalName : PortResolver
LegalCopyright : Copyright 2000
OriginalFilename : PortResolver.exe

#:12 [HPBOID.EXE]
ModuleName : C:\WINDOWS\SYSTEM\HPBOID.EXE
Command Line : C:\WINDOWS\SYSTEM\hpboid.exe
ProcessID : 4294887881
Threads : 2
Priority : Normal
FileVersion : 1, 0, 42, 0
ProductVersion : 1, 0, 42, 0
ProductName : HP Status Server
CompanyName : Hewlett-Packard Company
FileDescription : HP Status Server Module
InternalName : HP Status Server
LegalCopyright : Copyright © 2000 by Hewlett-Packard Company
OriginalFilename : HPboid.EXE

#:13 [RPCSS.EXE]
ModuleName : C:\WINDOWS\SYSTEM\RPCSS.EXE
Command Line : RPCSS
ProcessID : 4292902457
Threads : 6
Priority : Normal
FileVersion : 4.71.3328
ProductVersion : 4.71.3328
ProductName : Microsoft® Windows NT™ Operating System
CompanyName : Microsoft Corporation
FileDescription : Distributed COM Services
InternalName : rpcss.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1998
OriginalFilename : rpcss.exe

#:14 [EXPLORER.EXE]
ModuleName : C:\WINDOWS\EXPLORER.EXE
Command Line : C:\WINDOWS\Explorer.exe
ProcessID : 4292892849
Threads : 25
Priority : Normal
FileVersion : 5.50.4134.100
ProductVersion : 5.50.4134.100
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : EXPLORER.EXE

#:15 [WINMGMT.EXE]
ModuleName : C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
Command Line : C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE -Embedding
ProcessID : 4293097477
Threads : 4
Priority : Normal
FileVersion : 1.50.1164.0000
ProductVersion : 1.50.1164.0000
ProductName : Windows Management Instrumentation
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
LegalCopyright : Copyright © Microsoft Corp. 1995-1999

#:16 [STMGR.EXE]
ModuleName : C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
Command Line : C:\WINDOWS\System\Restore\StMgr.exe
ProcessID : 4293123121
Threads : 5
Priority : Normal
FileVersion : 4.90.0.2533
ProductVersion : 4.90.0.2533
ProductName : Microsoft ® PCHealth
CompanyName : Microsoft Corporation
FileDescription : Microsoft ® PC State Manager
InternalName : StateMgr.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : StateMgr.exe

#:17 [TASKMON.EXE]
ModuleName : C:\WINDOWS\TASKMON.EXE
Command Line : "C:\WINDOWS\taskmon.exe"
ProcessID : 4293052849
Threads : 2
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Task Monitor
InternalName : TaskMon
LegalCopyright : Copyright © Microsoft Corp. 1998
OriginalFilename : TASKMON.EXE

#:18 [SYSTRAY.EXE]
ModuleName : C:\WINDOWS\SYSTEM\SYSTRAY.EXE
Command Line : "C:\WINDOWS\SYSTEM\SysTray.Exe"
ProcessID : 4293038377
Threads : 3
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : System Tray Applet
InternalName : SYSTRAY
LegalCopyright : Copyright © Microsoft Corp. 1993-2000
OriginalFilename : SYSTRAY.EXE

#:19 [IRMON.EXE]
ModuleName : C:\WINDOWS\SYSTEM\IRMON.EXE
Command Line : "C:\WINDOWS\SYSTEM\irmon.exe"
ProcessID : 4293219885
Threads : 7
Priority : Normal
FileVersion : 4.90.3000.1
ProductVersion : 4.90.3000.1
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Infrared Monitor
InternalName : irmon.dll
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : irmon.dll

#:20 [ALISNDMG.EXE]
ModuleName : C:\WINDOWS\SYSTEM\ALISNDMG.EXE
Command Line : "C:\WINDOWS\SYSTEM\ALiSndMg.exe"
ProcessID : 4293198437
Threads : 2
Priority : Normal
FileVersion : 1.01
ProductVersion : 1.01
ProductName : ALiSndMgr
CompanyName : ALi Laboratories Inc.
FileDescription : ALiSndMgr
InternalName : ALiSndMgr
LegalCopyright : Copyright © 2000
OriginalFilename : ALiSndMgr.exe

#:21 [EM_EXEC.EXE]
ModuleName : C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
Command Line : "C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE"
ProcessID : 4293216457
Threads : 2
Priority : Normal
FileVersion : 9.11.62
ProductVersion : 9.11
ProductName : MouseWare
CompanyName : Logitech Inc.
FileDescription : Control Center
InternalName : EM_EXEC
LegalCopyright : Copyright © Logitech Inc. 1987-2000.
LegalTrademarks : Logitech® and MouseWare® are registered trademarks of Logitech Inc.
OriginalFilename : EM_EXEC.CPP
Comments : Created by the MouseWare Team

#:22 [TPWRTRAY.EXE]
ModuleName : C:\WINDOWS\SYSTEM\TPWRTRAY.EXE
Command Line : "C:\WINDOWS\SYSTEM\TPWRTRAY.EXE"
ProcessID : 4293213949
Threads : 2
Priority : Normal
FileVersion : 4. 0. 0. 0
ProductVersion : 4. 0. 0. 0
ProductName : Toshiba Power Saver
CompanyName : TOSHIBA Corporation
FileDescription : Toshiba Power Saver
InternalName : Tpwrtray
LegalCopyright : Copyright 1999-2001 Toshiba Corporation.
OriginalFilename : Tpwrtray.exe
Comments : Toshiba Power Saver

#:23 [TFNCKY.EXE]
ModuleName : C:\WINDOWS\SYSTEM\TFNCKY.EXE
Command Line : "C:\WINDOWS\SYSTEM\TFncKy.exe"
ProcessID : 4293246173
Threads : 2
Priority : Normal
FileVersion : 1.21
ProductVersion : 1.21
ProductName : TFncKy
CompanyName : Toshiba Corporation
FileDescription : TFncKy
InternalName : TFncKy
LegalCopyright : Copyright 1997-2000 Toshiba Corporation. All rights reserved.
OriginalFilename : TFncKy.EXE

#:24 [WMIEXE.EXE]
ModuleName : C:\WINDOWS\SYSTEM\WMIEXE.EXE
Command Line : WmiExe WMI_ffe293e5
ProcessID : 4293134965
Threads : 4
Priority : Normal
FileVersion : 4.90.2452.1
ProductVersion : 4.90.2452.1
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : WMI service exe housing
InternalName : wmiexe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : wmiexe.exe

#:25 [DCFSSVC.EXE]
ModuleName : C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
Command Line : "C:\WINDOWS\System32\Drivers\dcfssvc.exe"
ProcessID : 4293214185
Threads : 3
Priority : Normal
FileVersion : 1.1.4400.0
ProductVersion : 3.2.0400.0
ProductName : Kodak DC File System Driver (Win32)
CompanyName : Eastman Kodak Company
FileDescription : Kodak DC Ring 3 Conduit (Win32)
InternalName : DcFsSvc.exe
LegalCopyright : Copyright © Eastman Kodak Co. 2000-2002
OriginalFilename : DcFsSvc.exe

#:26 [AVGCC.EXE]
ModuleName : C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
Command Line : "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE" /STARTUP
ProcessID : 4293080745
Threads : 6
Priority : Normal
FileVersion : 7,1,0,338
ProductVersion : 7.1.0.338
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : AvgCC.EXE

#:27 [AVGEMC.EXE]
ModuleName : C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
Command Line : "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE"
ProcessID : 4293346369
Threads : 7
Priority : Normal
FileVersion : 7,1,0,338
ProductVersion : 7.1.0.338
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG E-Mail Scanner
InternalName : avgemc
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgemc.exe

#:28 [AVGAMSVR.EXE]
ModuleName : C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
Command Line : "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE"
ProcessID : 4293334393
Threads : 8
Priority : Normal
FileVersion : 7,1,0,321
ProductVersion : 7.1.0.321
ProductName : AVG Anti-Virus System
CompanyName : GRISOFT, s.r.o.
FileDescription : AVG Alert Manager
InternalName : avgamsvr
LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.
OriginalFilename : avgamsvr.EXE

#:29 [STATUSCLIENT.EXE]
ModuleName : C:\PROGRAM FILES\HEWLETT-PACKARD\TOOLBOX2.0\APACHE TOMCAT 4.0\WEBAPPS\TOOLBOX\STATUSCLIENT\STATUSCLIENT.EXE
Command Line : "C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" /auto
ProcessID : 4293132381
Threads : 4
Priority : Normal
FileVersion : 00.00.13
ProductVersion : 00.00.13
ProductName : Hewlett-Packard T-TR Status Client
CompanyName : Hewlett-Packard
FileDescription : Hewlett-Packard T-TR Status Client
InternalName : StatusClient.exe
LegalCopyright : Copyright © 2002 Hewlett-Packard Company
LegalTrademarks : All Rights Reserved.
OriginalFilename : StatusClient.exe

#:30 [RunDLL.exe]
ModuleName : C:\WINDOWS\RunDLL.exe
Command Line : n/a
ProcessID : 4293376001
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : Copyright © Microsoft Corp. 1991-1998
OriginalFilename : RUNDLL.EXE

#:31 [AIRPLUS.EXE]
ModuleName : C:\PROGRAM FILES\D-LINK AIRPLUS\AIRPLUS.EXE
Command Line : "C:\Program Files\D-Link AirPlus\AirPlus.exe"
ProcessID : 4293367169
Threads : 2
Priority : Normal
FileVersion : 4, 0, 0, 0
ProductVersion : 4, 0, 0, 0
ProductName : D-Link AirPlus
CompanyName : D-Link
FileDescription : WLAN Adapter Utility
InternalName : WLANMON
LegalCopyright : Copyright © All Rights Reserved.
OriginalFilename : AIRPLUS.EXE

#:32 [SGMAIN.EXE]
ModuleName : C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
Command Line : "C:\Program Files\SpywareGuard\sgmain.exe"
ProcessID : 4293328733
Threads : 2
Priority : Normal
FileVersion : 2.02.0001
ProductVersion : 2.02.0001
ProductName : SpywareGuard
FileDescription : SpywareGuard
InternalName : sgmain
LegalCopyright : Copyright © 2002-2003 Javacool Software LLC
OriginalFilename : sgmain.exe
Comments : SpywareGuard

#:33 [SPOOL32.EXE]
ModuleName : C:\WINDOWS\SYSTEM\SPOOL32.EXE
Command Line : C:\WINDOWS\SYSTEM\spool32.exe
ProcessID : 4293509481
Threads : 5
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler Sub System Process
InternalName : spool32
LegalCopyright : Copyright © Microsoft Corp. 1994 - 1998
OriginalFilename : spool32.exe

#:34 [JAVAW.EXE]
ModuleName : C:\PROGRAM FILES\HEWLETT-PACKARD\TOOLBOX2.0\JAVASOFT\JRE\1.3.1\BIN\JAVAW.EXE
Command Line : "C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe" -jar -Duser.dir="C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0" "C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\bin\bootstrap.jar" start
ProcessID : 4293521729
Threads : 24
Priority : Normal


#:35 [PSTORES.EXE]
ModuleName : C:\WINDOWS\SYSTEM\PSTORES.EXE
Command Line : C:\WINDOWS\SYSTEM\PSTORES.EXE
ProcessID : 4293420157
Threads : 3
Priority : Normal
FileVersion : 5.00.2133.2
ProductVersion : 5.00.2133.2
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Protected storage server
InternalName : Protected storage server
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : Protected storage server

#:36 [SGBHP.EXE]
ModuleName : C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
Command Line : "C:\PROGRAM FILES\SPYWAREGUARD\sgbhp.exe"
ProcessID : 4293475497
Threads : 3
Priority : Normal
FileVersion : 2.02.0001
ProductVersion : 2.02.0001
ProductName : SG Browser Hijacking Protection
FileDescription : SG Browser Hijacking Protection
InternalName : sgbhp
LegalCopyright : Copyright © 2002-2003 Javacool Software LLC.
OriginalFilename : sgbhp.exe
Comments : SG Browser Hijacking Protection

#:37 [FIREFOX.EXE]
ModuleName : C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
Command Line : n/a
ProcessID : 4293291037
Threads : 5
Priority : Normal


#:38 [WUAUCLT.EXE]
ModuleName : C:\WINDOWS\WUAUCLT.EXE
Command Line : -AUMagic
ProcessID : 4293453357
Threads : 4
Priority : Idle
FileVersion : 5.4.5681.0
ProductVersion : 5.4.5681.0
ProductName : Microsoft Windows Update - AutoUpdate feature
CompanyName : Microsoft Corporation
FileDescription : Microsoft AutoUpdate
InternalName : WUAUCLT.EXE
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WUAUCLT.EXE

#:39 [AD-AWARE.EXE]
ModuleName : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\AD-AWARE.EXE
Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 4293544237
Threads : 3
Priority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0

MRU List Object Recognized!
Location: : C:\WINDOWS\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\internet explorer\main
Description : last save directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run



Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Win32.Trojan.StartPage Object Recognized!
Type : File
Data : A0001744.CPY
TAC Rating : 8
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\



Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 4




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4

22:56:07 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:11:23.500
Objects scanned:76135
Objects identified:23
Objects ignored:22
New critical objects:0


AVG LOG FOR LAST FEW MONTHS

Trojan horse Startpage.19.J C:\_RESTORE\TEMP\A1785352.CPY 13/07/2005 08:25:16 A1785352.CPY 18 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\A1786219.CPY 13/07/2005 08:25:17 A1786219.CPY 18 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\SE.0 13/07/2005 08:25:17 SE.0 18 KB
Trojan horse Agent.CN C:\_RESTORE\TEMP\A1788087.CPY 13/07/2005 08:25:17 A1788087.CPY 4 KB
Trojan horse Agent.CM C:\_RESTORE\TEMP\A1788092.CPY 13/07/2005 08:25:17 A1788092.CPY 7 KB
Trojan horse Startpage.19.AN C:\WINDOWS\SYSTEM\EMMEO.DLL 13/07/2005 18:21:39 EMMEO.DLL 39 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\A1785352.CPY 13/07/2005 18:52:37 A1785352.CPY 18 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\A1786219.CPY 13/07/2005 18:52:38 A1786219.CPY 18 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\SE.0 13/07/2005 18:52:38 SE.0 18 KB
Trojan horse Agent.CN C:\_RESTORE\TEMP\A1788087.CPY 13/07/2005 18:52:38 A1788087.CPY 4 KB
Trojan horse Agent.CM C:\_RESTORE\TEMP\A1788092.CPY 13/07/2005 18:52:38 A1788092.CPY 7 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1788692.CPY 13/07/2005 18:52:38 A1788692.CPY 39 KB
Trojan horse Startpage.19.AN C:\WINDOWS\SYSTEM\FKJ.DLL 16/07/2005 09:30:13 FKJ.DLL 39 KB
Trojan horse Startpage.19.AN C:\WINDOWS\SYSTEM\ODFHG.DLL 18/07/2005 20:53:53 ODFHG.DLL 39 KB
Trojan horse Startpage.19.AN C:\WINDOWS\SYSTEM\GDDCEG.DLL 25/07/2005 10:46:55 GDDCEG.DLL 39 KB
Trojan horse Startpage.JC C:\_RESTORE\TEMP\A1782897.CPY 26/07/2005 08:28:37 A1782897.CPY 39 KB
Trojan horse Downloader.Generic.BCV C:\_RESTORE\TEMP\A1782912.CPY 26/07/2005 08:28:37 A1782912.CPY 6 KB
Trojan horse Startpage.JC C:\_RESTORE\TEMP\BGLDJBAA.0 26/07/2005 08:28:37 BGLDJBAA.0 39 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\A1785352.CPY 26/07/2005 08:28:37 A1785352.CPY 18 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\A1786219.CPY 26/07/2005 08:28:38 A1786219.CPY 18 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\SE.0 26/07/2005 08:28:38 SE.0 18 KB
Trojan horse Agent.CN C:\_RESTORE\TEMP\A1788087.CPY 26/07/2005 08:28:38 A1788087.CPY 4 KB
Trojan horse Agent.CM C:\_RESTORE\TEMP\A1788092.CPY 26/07/2005 08:28:38 A1788092.CPY 7 KB
Trojan horse Startpage.JC C:\_RESTORE\TEMP\A1788131.CPY 26/07/2005 08:28:38 A1788131.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1788692.CPY 26/07/2005 08:28:39 A1788692.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1789784.CPY 26/07/2005 08:28:39 A1789784.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1789907.CPY 26/07/2005 08:28:39 A1789907.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1792489.CPY 26/07/2005 08:28:39 A1792489.CPY 39 KB
Trojan horse Startpage.19.AN C:\WINDOWS\SYSTEM\kdpc.dll 26/07/2005 08:28:40 kdpc.dll 39 KB
Trojan horse Startpage.19.AN C:\WINDOWS\SYSTEM\ILFDFA.DLL 26/07/2005 13:20:04 ILFDFA.DLL 39 KB
Trojan horse Startpage.JC C:\_RESTORE\TEMP\A1782897.CPY 27/07/2005 13:11:33 A1782897.CPY 39 KB
Trojan horse Downloader.Generic.BCV C:\_RESTORE\TEMP\A1782912.CPY 27/07/2005 13:11:33 A1782912.CPY 6 KB
Trojan horse Startpage.JC C:\_RESTORE\TEMP\BGLDJBAA.0 27/07/2005 13:11:33 BGLDJBAA.0 39 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\A1785352.CPY 27/07/2005 13:11:33 A1785352.CPY 18 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\A1786219.CPY 27/07/2005 13:11:33 A1786219.CPY 18 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\SE.0 27/07/2005 13:11:33 SE.0 18 KB
Trojan horse Agent.CN C:\_RESTORE\TEMP\A1788087.CPY 27/07/2005 13:11:34 A1788087.CPY 4 KB
Trojan horse Agent.CM C:\_RESTORE\TEMP\A1788092.CPY 27/07/2005 13:11:34 A1788092.CPY 7 KB
Trojan horse Startpage.JC C:\_RESTORE\TEMP\A1788131.CPY 27/07/2005 13:11:34 A1788131.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1788692.CPY 27/07/2005 13:11:34 A1788692.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1789784.CPY 27/07/2005 13:11:34 A1789784.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1789907.CPY 27/07/2005 13:11:34 A1789907.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1792489.CPY 27/07/2005 13:11:34 A1792489.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1792735.CPY 27/07/2005 13:11:35 A1792735.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1792923.CPY 27/07/2005 13:11:35 A1792923.CPY 39 KB
Trojan horse Startpage.19.AN C:\WINDOWS\SYSTEM\CEEG.DLL 27/07/2005 15:40:09 CEEG.DLL 39 KB
Trojan horse Startpage.JC C:\_RESTORE\TEMP\A1782897.CPY 28/07/2005 08:28:58 A1782897.CPY 39 KB
Trojan horse Downloader.Generic.BCV C:\_RESTORE\TEMP\A1782912.CPY 28/07/2005 08:28:59 A1782912.CPY 6 KB
Trojan horse Startpage.JC C:\_RESTORE\TEMP\BGLDJBAA.0 28/07/2005 08:28:59 BGLDJBAA.0 39 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\A1785352.CPY 28/07/2005 08:28:59 A1785352.CPY 18 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\A1786219.CPY 28/07/2005 08:28:59 A1786219.CPY 18 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\SE.0 28/07/2005 08:29:00 SE.0 18 KB
Trojan horse Agent.CN C:\_RESTORE\TEMP\A1788087.CPY 28/07/2005 08:29:00 A1788087.CPY 4 KB
Trojan horse Agent.CM C:\_RESTORE\TEMP\A1788092.CPY 28/07/2005 08:29:00 A1788092.CPY 7 KB
Trojan horse Startpage.JC C:\_RESTORE\TEMP\A1788131.CPY 28/07/2005 08:29:00 A1788131.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1788692.CPY 28/07/2005 08:29:00 A1788692.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1789784.CPY 28/07/2005 08:29:01 A1789784.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1789907.CPY 28/07/2005 08:29:01 A1789907.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1792489.CPY 28/07/2005 08:29:01 A1792489.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1792735.CPY 28/07/2005 08:29:01 A1792735.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1792923.CPY 28/07/2005 08:29:01 A1792923.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1793905.CPY 28/07/2005 08:29:02 A1793905.CPY 39 KB
Trojan horse Startpage.JC C:\_RESTORE\TEMP\A1782897.CPY 29/07/2005 08:33:41 A1782897.CPY 39 KB
Trojan horse Downloader.Generic.BCV C:\_RESTORE\TEMP\A1782912.CPY 29/07/2005 08:33:42 A1782912.CPY 6 KB
Trojan horse Startpage.JC C:\_RESTORE\TEMP\BGLDJBAA.0 29/07/2005 08:33:42 BGLDJBAA.0 39 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\A1785352.CPY 29/07/2005 08:33:43 A1785352.CPY 18 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\A1786219.CPY 29/07/2005 08:33:45 A1786219.CPY 18 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\SE.0 29/07/2005 08:33:46 SE.0 18 KB
Trojan horse Agent.CN C:\_RESTORE\TEMP\A1788087.CPY 29/07/2005 08:33:46 A1788087.CPY 4 KB
Trojan horse Agent.CM C:\_RESTORE\TEMP\A1788092.CPY 29/07/2005 08:33:46 A1788092.CPY 7 KB
Trojan horse Startpage.JC C:\_RESTORE\TEMP\A1788131.CPY 29/07/2005 08:33:46 A1788131.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1788692.CPY 29/07/2005 08:33:47 A1788692.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1789784.CPY 29/07/2005 08:33:48 A1789784.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1789907.CPY 29/07/2005 08:33:48 A1789907.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1792489.CPY 29/07/2005 08:33:49 A1792489.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1792735.CPY 29/07/2005 08:33:50 A1792735.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1792923.CPY 29/07/2005 08:33:50 A1792923.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1793905.CPY 29/07/2005 08:33:51 A1793905.CPY 39 KB
Trojan horse Startpage.19.AN C:\WINDOWS\SYSTEM\OHKAG.DLL 30/07/2005 10:45:32 OHKAG.DLL 39 KB
Trojan horse Startpage.JC C:\_RESTORE\TEMP\A1782897.CPY 01/08/2005 08:29:35 A1782897.CPY 39 KB
Trojan horse Downloader.Generic.BCV C:\_RESTORE\TEMP\A1782912.CPY 01/08/2005 08:29:36 A1782912.CPY 6 KB
Trojan horse Startpage.JC C:\_RESTORE\TEMP\BGLDJBAA.0 01/08/2005 08:29:36 BGLDJBAA.0 39 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\A1785352.CPY 01/08/2005 08:29:37 A1785352.CPY 18 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\A1786219.CPY 01/08/2005 08:29:37 A1786219.CPY 18 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\SE.0 01/08/2005 08:29:37 SE.0 18 KB
Trojan horse Agent.CN C:\_RESTORE\TEMP\A1788087.CPY 01/08/2005 08:29:37 A1788087.CPY 4 KB
Trojan horse Agent.CM C:\_RESTORE\TEMP\A1788092.CPY 01/08/2005 08:29:37 A1788092.CPY 7 KB
Trojan horse Startpage.JC C:\_RESTORE\TEMP\A1788131.CPY 01/08/2005 08:29:38 A1788131.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1788692.CPY 01/08/2005 08:29:38 A1788692.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1789784.CPY 01/08/2005 08:29:38 A1789784.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1789907.CPY 01/08/2005 08:29:38 A1789907.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1792489.CPY 01/08/2005 08:29:39 A1792489.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1792735.CPY 01/08/2005 08:29:39 A1792735.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1792923.CPY 01/08/2005 08:29:39 A1792923.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1793905.CPY 01/08/2005 08:29:39 A1793905.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1794138.CPY 01/08/2005 08:29:39 A1794138.CPY 39 KB
Trojan horse Startpage.19.AN C:\WINDOWS\SYSTEM\BKGD.DLL 01/08/2005 14:06:35 BKGD.DLL 39 KB
Trojan horse Startpage.JC C:\_RESTORE\TEMP\A1782897.CPY 02/08/2005 08:32:28 A1782897.CPY 39 KB
Trojan horse Downloader.Generic.BCV C:\_RESTORE\TEMP\A1782912.CPY 02/08/2005 08:32:29 A1782912.CPY 6 KB
Trojan horse Startpage.JC C:\_RESTORE\TEMP\BGLDJBAA.0 02/08/2005 08:32:29 BGLDJBAA.0 39 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\A1785352.CPY 02/08/2005 08:32:29 A1785352.CPY 18 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\A1786219.CPY 02/08/2005 08:32:29 A1786219.CPY 18 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\SE.0 02/08/2005 08:32:29 SE.0 18 KB
Trojan horse Agent.CN C:\_RESTORE\TEMP\A1788087.CPY 02/08/2005 08:32:29 A1788087.CPY 4 KB
Trojan horse Agent.CM C:\_RESTORE\TEMP\A1788092.CPY 02/08/2005 08:32:30 A1788092.CPY 7 KB
Trojan horse Startpage.JC C:\_RESTORE\TEMP\A1788131.CPY 02/08/2005 08:32:30 A1788131.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1788692.CPY 02/08/2005 08:32:30 A1788692.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1789784.CPY 02/08/2005 08:32:31 A1789784.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1789907.CPY 02/08/2005 08:32:31 A1789907.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1792489.CPY 02/08/2005 08:32:31 A1792489.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1792735.CPY 02/08/2005 08:32:36 A1792735.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1792923.CPY 02/08/2005 08:32:36 A1792923.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1793905.CPY 02/08/2005 08:32:36 A1793905.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1794138.CPY 02/08/2005 08:32:36 A1794138.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1794226.CPY 02/08/2005 08:32:36 A1794226.CPY 39 KB
Trojan horse Startpage.19.AN C:\WINDOWS\SYSTEM\BFL.DLL 03/08/2005 08:36:46 BFL.DLL 39 KB
Trojan horse Startpage.19.AN C:\WINDOWS\SYSTEM\JGBOCA.DLL 04/08/2005 08:43:51 JGBOCA.DLL 39 KB
Trojan horse Startpage.JC C:\_RESTORE\TEMP\A1782897.CPY 05/08/2005 09:31:52 A1782897.CPY 39 KB
Trojan horse Downloader.Generic.BCV C:\_RESTORE\TEMP\A1782912.CPY 05/08/2005 09:31:52 A1782912.CPY 6 KB
Trojan horse Startpage.JC C:\_RESTORE\TEMP\BGLDJBAA.0 05/08/2005 09:31:52 BGLDJBAA.0 39 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\A1785352.CPY 05/08/2005 09:31:52 A1785352.CPY 18 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\A1786219.CPY 05/08/2005 09:31:53 A1786219.CPY 18 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\SE.0 05/08/2005 09:31:53 SE.0 18 KB
Trojan horse Agent.CN C:\_RESTORE\TEMP\A1788087.CPY 05/08/2005 09:31:53 A1788087.CPY 4 KB
Trojan horse Agent.CM C:\_RESTORE\TEMP\A1788092.CPY 05/08/2005 09:31:53 A1788092.CPY 7 KB
Trojan horse Startpage.JC C:\_RESTORE\TEMP\A1788131.CPY 05/08/2005 09:31:53 A1788131.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1788692.CPY 05/08/2005 09:31:53 A1788692.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1789784.CPY 05/08/2005 09:31:54 A1789784.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1789907.CPY 05/08/2005 09:31:54 A1789907.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1792489.CPY 05/08/2005 09:31:54 A1792489.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1792735.CPY 05/08/2005 09:31:54 A1792735.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1792923.CPY 05/08/2005 09:31:54 A1792923.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1793905.CPY 05/08/2005 09:31:54 A1793905.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1794138.CPY 05/08/2005 09:31:55 A1794138.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1794226.CPY 05/08/2005 09:31:55 A1794226.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1794279.CPY 05/08/2005 09:31:55 A1794279.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1795350.CPY 05/08/2005 09:31:55 A1795350.CPY 39 KB
Trojan horse Startpage.19.AN C:\WINDOWS\SYSTEM\BOIAP.DLL 05/08/2005 13:52:25 BOIAP.DLL 39 KB
Trojan horse Startpage.19.AN C:\WINDOWS\SYSTEM\HGKL.DLL 06/08/2005 22:04:40 HGKL.DLL 39 KB
Trojan horse Startpage.19.AN C:\WINDOWS\SYSTEM\AMOMA.DLL 09/08/2005 10:47:24 AMOMA.DLL 39 KB
Trojan horse Startpage.19.AN C:\WINDOWS\SYSTEM\KEJE.DLL 11/08/2005 08:12:43 KEJE.DLL 39 KB
Trojan horse Startpage.JC C:\_RESTORE\TEMP\A1782897.CPY 12/08/2005 08:36:25 A1782897.CPY 39 KB
Trojan horse Downloader.Generic.BCV C:\_RESTORE\TEMP\A1782912.CPY 12/08/2005 08:36:26 A1782912.CPY 6 KB
Trojan horse Startpage.JC C:\_RESTORE\TEMP\BGLDJBAA.0 12/08/2005 08:36:26 BGLDJBAA.0 39 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\A1785352.CPY 12/08/2005 08:36:27 A1785352.CPY 18 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\A1786219.CPY 12/08/2005 08:36:27 A1786219.CPY 18 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\SE.0 12/08/2005 08:36:27 SE.0 18 KB
Trojan horse Agent.CN C:\_RESTORE\TEMP\A1788087.CPY 12/08/2005 08:36:28 A1788087.CPY 4 KB
Trojan horse Agent.CM C:\_RESTORE\TEMP\A1788092.CPY 12/08/2005 08:36:28 A1788092.CPY 7 KB
Trojan horse Startpage.JC C:\_RESTORE\TEMP\A1788131.CPY 12/08/2005 08:36:28 A1788131.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1788692.CPY 12/08/2005 08:36:28 A1788692.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1789784.CPY 12/08/2005 08:36:29 A1789784.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1789907.CPY 12/08/2005 08:36:29 A1789907.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1792489.CPY 12/08/2005 08:36:30 A1792489.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1792735.CPY 12/08/2005 08:36:30 A1792735.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1792923.CPY 12/08/2005 08:36:30 A1792923.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1793905.CPY 12/08/2005 08:36:30 A1793905.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1794138.CPY 12/08/2005 08:36:31 A1794138.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1794226.CPY 12/08/2005 08:36:31 A1794226.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1794279.CPY 12/08/2005 08:36:31 A1794279.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1795350.CPY 12/08/2005 08:36:31 A1795350.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1795419.CPY 12/08/2005 08:36:32 A1795419.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1795467.CPY 12/08/2005 08:36:33 A1795467.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1797428.CPY 12/08/2005 08:36:33 A1797428.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1797517.CPY 12/08/2005 08:36:33 A1797517.CPY 39 KB
Trojan horse Startpage.19.AN C:\WINDOWS\SYSTEM\eofil.dll 12/08/2005 08:36:34 eofil.dll 39 KB
Trojan horse Startpage.19.AN C:\WINDOWS\SYSTEM\OEMIP.DLL 12/08/2005 10:38:44 OEMIP.DLL 39 KB
Trojan horse Startpage.19.AN C:\WINDOWS\SYSTEM\DEE.DLL 13/08/2005 10:38:28 DEE.DLL 39 KB
Trojan horse Startpage.19.AN C:\WINDOWS\SYSTEM\LLBPJG.DLL 13/08/2005 15:48:15 LLBPJG.DLL 39 KB
Trojan horse Startpage.JC C:\_RESTORE\TEMP\A1782897.CPY 15/08/2005 09:22:26 A1782897.CPY 39 KB
Trojan horse Downloader.Generic.BCV C:\_RESTORE\TEMP\A1782912.CPY 15/08/2005 09:22:26 A1782912.CPY 6 KB
Trojan horse Startpage.JC C:\_RESTORE\TEMP\BGLDJBAA.0 15/08/2005 09:22:26 BGLDJBAA.0 39 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\A1785352.CPY 15/08/2005 09:22:27 A1785352.CPY 18 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\A1786219.CPY 15/08/2005 09:22:27 A1786219.CPY 18 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\SE.0 15/08/2005 09:22:27 SE.0 18 KB
Trojan horse Agent.CN C:\_RESTORE\TEMP\A1788087.CPY 15/08/2005 09:22:27 A1788087.CPY 4 KB
Trojan horse Agent.CM C:\_RESTORE\TEMP\A1788092.CPY 15/08/2005 09:22:27 A1788092.CPY 7 KB
Trojan horse Startpage.JC C:\_RESTORE\TEMP\A1788131.CPY 15/08/2005 09:22:27 A1788131.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1788692.CPY 15/08/2005 09:22:28 A1788692.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1789784.CPY 15/08/2005 09:22:28 A1789784.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1789907.CPY 15/08/2005 09:22:28 A1789907.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1792489.CPY 15/08/2005 09:22:28 A1792489.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1792735.CPY 15/08/2005 09:22:28 A1792735.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1792923.CPY 15/08/2005 09:22:29 A1792923.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1793905.CPY 15/08/2005 09:22:29 A1793905.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1794138.CPY 15/08/2005 09:22:29 A1794138.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1794226.CPY 15/08/2005 09:22:29 A1794226.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1794279.CPY 15/08/2005 09:22:29 A1794279.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1795350.CPY 15/08/2005 09:22:30 A1795350.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1795419.CPY 15/08/2005 09:22:30 A1795419.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1795467.CPY 15/08/2005 09:22:30 A1795467.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1797428.CPY 15/08/2005 09:22:30 A1797428.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1797517.CPY 15/08/2005 09:22:30 A1797517.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1797545.CPY 15/08/2005 09:22:31 A1797545.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1797591.CPY 15/08/2005 09:22:31 A1797591.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1798603.CPY 15/08/2005 09:22:31 A1798603.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1798627.CPY 15/08/2005 09:22:31 A1798627.CPY 39 KB
Trojan horse Startpage.19.AN C:\WINDOWS\SYSTEM\mcmghia.dll 15/08/2005 09:22:31 mcmghia.dll 39 KB
Trojan horse Startpage.19.AN C:\WINDOWS\SYSTEM\PIN.DLL 17/08/2005 09:08:40 PIN.DLL 39 KB
Trojan horse Startpage.JC C:\_RESTORE\TEMP\A1782897.CPY 19/08/2005 08:45:07 A1782897.CPY 39 KB
Trojan horse Downloader.Generic.BCV C:\_RESTORE\TEMP\A1782912.CPY 19/08/2005 08:45:07 A1782912.CPY 6 KB
Trojan horse Startpage.JC C:\_RESTORE\TEMP\BGLDJBAA.0 19/08/2005 08:45:07 BGLDJBAA.0 39 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\A1785352.CPY 19/08/2005 08:45:07 A1785352.CPY 18 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\A1786219.CPY 19/08/2005 08:45:08 A1786219.CPY 18 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\SE.0 19/08/2005 08:45:08 SE.0 18 KB
Trojan horse Agent.CN C:\_RESTORE\TEMP\A1788087.CPY 19/08/2005 08:45:08 A1788087.CPY 4 KB
Trojan horse Agent.CM C:\_RESTORE\TEMP\A1788092.CPY 19/08/2005 08:45:08 A1788092.CPY 7 KB
Trojan horse Startpage.JC C:\_RESTORE\TEMP\A1788131.CPY 19/08/2005 08:45:08 A1788131.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1788692.CPY 19/08/2005 08:45:08 A1788692.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1789784.CPY 19/08/2005 08:45:09 A1789784.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1789907.CPY 19/08/2005 08:45:09 A1789907.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1792489.CPY 19/08/2005 08:45:09 A1792489.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1792735.CPY 19/08/2005 08:45:10 A1792735.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1792923.CPY 19/08/2005 08:45:10 A1792923.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1793905.CPY 19/08/2005 08:45:10 A1793905.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1794138.CPY 19/08/2005 08:45:11 A1794138.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1794226.CPY 19/08/2005 08:45:11 A1794226.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1794279.CPY 19/08/2005 08:45:11 A1794279.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1795350.CPY 19/08/2005 08:45:11 A1795350.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1795419.CPY 19/08/2005 08:45:11 A1795419.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1795467.CPY 19/08/2005 08:45:11 A1795467.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1797428.CPY 19/08/2005 08:45:12 A1797428.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1797517.CPY 19/08/2005 08:45:12 A1797517.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1797545.CPY 19/08/2005 08:45:12 A1797545.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1797591.CPY 19/08/2005 08:45:12 A1797591.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1798603.CPY 19/08/2005 08:45:12 A1798603.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1798627.CPY 19/08/2005 08:45:12 A1798627.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1798805.CPY 19/08/2005 08:45:13 A1798805.CPY 39 KB
Trojan horse Startpage.19.AN C:\_RESTORE\TEMP\A1798839.CPY 19/08/2005 08:45:13 A1798839.CPY 39 KB
Trojan horse Startpage.19.AN C:\WINDOWS\SYSTEM\PICIPI.DLL 19/08/2005 14:52:34 PICIPI.DLL 39 KB
Trojan horse Startpage.19.AN C:\WINDOWS\SYSTEM\IKAC.DLL 23/08/2005 10:11:27 IKAC.DLL 39 KB
Trojan horse Startpage.19.AN C:\WINDOWS\SYSTEM\ABHMMH.DLL 24/08/2005 10:20:13 ABHMMH.DLL 39 KB
Trojan horse Startpage.19.AN C:\WINDOWS\SYSTEM\INMMK.DLL 27/08/2005 11:12:22 INMMK.DLL 39 KB
Trojan horse Startpage.19.AN C:\WINDOWS\SYSTEM\PLJMPA.DLL 31/08/2005 20:11:05 PLJMPA.DLL 39 KB
Trojan horse Startpage.19.AN C:\WINDOWS\SYSTEM\ALPEBBA.DLL 31/08/2005 20:11:17 ALPEBBA.DLL 39 KB
Trojan horse Startpage.JC C:\_RESTORE\TEMP\A1782897.CPY 01/09/2005 08:40:50 A1782897.CPY 39 KB
Trojan horse Downloader.Generic.BCV C:\_RESTORE\TEMP\A1782912.CPY 01/09/2005 08:40:50 A1782912.CPY 6 KB
Trojan horse Startpage.JC C:\_RESTORE\TEMP\BGLDJBAA.0 01/09/2005 08:40:50 BGLDJBAA.0 39 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\A1785352.CPY 01/09/2005 08:40:50 A1785352.CPY 18 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\A1786219.CPY 01/09/2005 08:40:50 A1786219.CPY 18 KB
Trojan horse Startpage.19.J C:\_RESTORE\TEMP\SE.0 01/09/2005 08:40:50 SE.0 18 KB
Trojan horse Agent.CN C:\_RESTORE\TEMP\A1788087.CPY 01/09/2005
  • 0

#33
tampabelle
Posted 03 November 2005 - 07:20 PM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi,

Since the topic was more than 14 days old since the previous post, I got un-subscribed from it automatically and didnt get the notification about your post. Thanx for sending me a PM. I have picked it up again.


First of all, we need not be concerned about the Systerm Restore entries. System Restore is a facility whereby Windows stores various settings, the action triggered by specified events like installation of a program etc. In case something goes wrong with the installation of a program, system restore can be used to revert the settings to before the problems began. Usually, when the PC gets infected, the infections also get saved in system restore.

These files in system restore cant get activated until and unless you do a system restore.


Can you post a fresh HJT log and a AVG log?? We should be able to clear up the issue.
  • 0

#34
dreadpiratedaz
Posted 04 November 2005 - 03:34 AM

dreadpiratedaz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Hi Tampabelle,
here is the AVG log followed by the HJT log. Thanks.

AVG
"Partition table (MBR)";"ok";"Quick checked"
"Boot sector of disk C:";"Reading error";"Error"
"System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Load";"";"Scanned"
"System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Run";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\Run";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnce";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServices";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\Run";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnce";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServices";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\Winlogon\Userinit";"";"Scanned"
"System registry SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell";"";"Scanned"
"System registry exefile\shell\open\command";"";"Scanned"
"System registry scrfile\shell\open\command";"";"Scanned"
"System registry scrfile\shell\config\command";"";"Scanned"
"System registry batfile\shell\open\command";"";"Scanned"
"System registry cmdfile\shell\open\command";"";"Scanned"
"System registry comfile\shell\open\command";"";"Scanned"
"System registry piffile\shell\open\command";"";"Scanned"
"System registry giffile\shell\open\command";"";"Scanned"
"System registry htmlfile\shell\open\command";"";"Scanned"
"System registry htafile\shell\open\command";"";"Scanned"
"System registry jpegfile\shell\open\command";"";"Scanned"
"System registry txtfile\shell\open\command";"";"Scanned"
"System registry regfile\shell\open\command";"";"Scanned"
"System registry cplfile\shell\cplopen\command";"";"Scanned"
"System registry Word.Document.8\shell\open\command";"";"Scanned"
"System registry WordPad.Document.1\shell\open\command";"";"Scanned"
"C:\PROGRA~1\ACCESS~1\WORDPAD.EXE";"ok";"Quick checked"
"C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE";"ok";"Quick checked"
"C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE";"ok";"Quick checked"
"C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE";"ok";"Quick checked"
"C:\PROGRA~1\INTERN~1\IEXPLORE.EXE";"ok";"Quick checked"
"C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE";"ok";"Quick checked"
"C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe";"ok";"Quick checked"
"C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe";"ok";"Quick checked"
"C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe";"ok";"Quick checked"
"C:\Program Files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe";"ok";"Quick checked"
"C:\Program Files\Microsoft Money\System\Money Express.exe";"ok";"Quick checked"
"C:\Program Files\Microsoft Works\WkDetect.exe";"ok";"Quick checked"
"C:\Program Files\Microsoft Works\wkfud.exe";"ok";"Quick checked"
"C:\Program Files\Microsoft Works\wkssb.exe";"ok";"Quick checked"
"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe";"ok";"Quick checked"
"C:\WINDOWS\NOTEPAD.EXE";"ok";"Quick checked"
"C:\WINDOWS\PCHealth\Support\PCHSCHD.EXE";"ok";"Quick checked"
"C:\WINDOWS\REGEDIT.EXE";"ok";"Quick checked"
"C:\WINDOWS\RUNDLL.EXE";"ok";"Quick checked"
"C:\WINDOWS\RUNDLL32.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\ALiSndMg.exe";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\HPBOID.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\HPBPRO.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\IRMON.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\MSHTA.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\MSTASK.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\SHELL32.DLL";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\SHIMGVW.DLL";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\SSDPSRV.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\STIMON.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\SYSTRAY.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\TFncKy.exe";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\THotkey.exe";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\TPWRTRAY.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\ZONELABS\vsmon.exe";"ok";"Quick checked"
"C:\WINDOWS\System32\Drivers\DCFSSVC.EXE";"ok";"Quick checked"
"C:\WINDOWS\System\Restore\STATEMGR.EXE";"ok";"Quick checked"
"C:\WINDOWS\TASKMON.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\kernel32.dll";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\wsock32.dll";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\user32.dll";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\shell32.dll";"ok";"Quick checked"
"System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Load";"";"Scanned"
"System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Run";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\Run";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnce";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServices";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\Run";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnce";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServices";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\Winlogon\Userinit";"";"Scanned"
"System registry SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell";"";"Scanned"
"System registry exefile\shell\open\command";"";"Scanned"
"System registry scrfile\shell\open\command";"";"Scanned"
"System registry scrfile\shell\config\command";"";"Scanned"
"System registry batfile\shell\open\command";"";"Scanned"
"System registry cmdfile\shell\open\command";"";"Scanned"
"System registry comfile\shell\open\command";"";"Scanned"
"System registry piffile\shell\open\command";"";"Scanned"
"System registry giffile\shell\open\command";"";"Scanned"
"System registry htmlfile\shell\open\command";"";"Scanned"
"System registry htafile\shell\open\command";"";"Scanned"
"System registry jpegfile\shell\open\command";"";"Scanned"
"System registry txtfile\shell\open\command";"";"Scanned"
"System registry regfile\shell\open\command";"";"Scanned"
"System registry cplfile\shell\cplopen\command";"";"Scanned"
"System registry Word.Document.8\shell\open\command";"";"Scanned"
"System registry WordPad.Document.1\shell\open\command";"";"Scanned"
"C:\PROGRA~1\ACCESS~1\WORDPAD.EXE";"ok";"Quick checked"
"C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE";"ok";"Quick checked"
"C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE";"ok";"Quick checked"
"C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE";"ok";"Quick checked"
"C:\PROGRA~1\INTERN~1\IEXPLORE.EXE";"ok";"Quick checked"
"C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE";"ok";"Quick checked"
"C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe";"ok";"Quick checked"
"C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe";"ok";"Quick checked"
"C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe";"ok";"Quick checked"
"C:\Program Files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe";"ok";"Quick checked"
"C:\Program Files\Microsoft Money\System\Money Express.exe";"ok";"Quick checked"
"C:\Program Files\Microsoft Works\WkDetect.exe";"ok";"Quick checked"
"C:\Program Files\Microsoft Works\wkfud.exe";"ok";"Quick checked"
"C:\Program Files\Microsoft Works\wkssb.exe";"ok";"Quick checked"
"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe";"ok";"Quick checked"
"C:\WINDOWS\NOTEPAD.EXE";"ok";"Quick checked"
"C:\WINDOWS\PCHealth\Support\PCHSCHD.EXE";"ok";"Quick checked"
"C:\WINDOWS\REGEDIT.EXE";"ok";"Quick checked"
"C:\WINDOWS\RUNDLL.EXE";"ok";"Quick checked"
"C:\WINDOWS\RUNDLL32.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\ALiSndMg.exe";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\HPBOID.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\HPBPRO.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\IRMON.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\MSHTA.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\MSTASK.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\SHELL32.DLL";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\SHIMGVW.DLL";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\SSDPSRV.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\STIMON.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\SYSTRAY.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\TFncKy.exe";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\THotkey.exe";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\TPWRTRAY.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\ZONELABS\vsmon.exe";"ok";"Quick checked"
"C:\WINDOWS\System32\Drivers\DCFSSVC.EXE";"ok";"Quick checked"
"C:\WINDOWS\System\Restore\STATEMGR.EXE";"ok";"Quick checked"
"C:\WINDOWS\TASKMON.EXE";"ok";"Quick checked"
"C:\WINDOWS\qtfobt.for";"";"Deleted"


"2005/10/27 14:06:57";"Update";"default";"Update done. Restart required. (alertmgr:357-321;avgcc:357-338;avgui:357-321;avgw:354-338;avi:652-651;core:354-344;core9x:354-344;corent:354-344;dos:354-344;email:361-321;ems:360-338;fsh9x:354-307;fshnt:361-307;fshntw:354-285;fshxp:361-307;helpsm:341-286;iavi:156-152;kernel:358-338;lng:360-338;setup:361-338;update:359-338;)"
"2005/11/04 08:34:02";"Update";"default";"Update done. Restart required. (avi:655-652;email:362-361;ems:362-360;fshntw:362-354;iavi:167-156;setup:362-361;update:362-359;)"
"2005/11/04 08:44:08";"General";"default";"Complete Test was started."
"2005/11/04 08:44:56";"Virus";"default";"In C:\WINDOWS\qtfobt.for was ""Downloader.Agent.9.BE"" virus found."
"2005/11/04 09:13:57";"General";"default";"Complete Test ended. Found 1 infected files."
"2005/11/04 09:13:59";"Virus";"default";"C:\WINDOWS\qtfobt.for was cleaned."

HJT
Logfile of HijackThis v1.99.1
Scan saved at 08:32:52, on 04/11/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\THOTKEY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\HPBPRO.EXE
C:\WINDOWS\SYSTEM\HPBOID.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\ALISNDMG.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\TPWRTRAY.EXE
C:\WINDOWS\SYSTEM\TFNCKY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP LASERJET 1010 SERIES\SETCONFIG.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\TOOLBOX2.0\APACHE TOMCAT 4.0\WEBAPPS\TOOLBOX\STATUSCLIENT\STATUSCLIENT.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\D-LINK AIRPLUS\AIRPLUS.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\TOOLBOX2.0\JAVASOFT\JRE\1.3.1\BIN\J
  • 0

#35
tampabelle
Posted 04 November 2005 - 09:31 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi,


Delete the file, if found - C:\WINDOWS\qtfobt.for.

So the AVG scan of the current files is basically clean !!!!! Did you do a full computer scan or only a system files scan ?? The scan lists files only from the key system folders !!!

Can you post the complete HJT log ?? The log you have posted is only a partial log.

Edited by tampabelle, 04 November 2005 - 09:33 AM.

  • 0

#36
dreadpiratedaz
Posted 12 November 2005 - 02:59 PM

dreadpiratedaz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Hi Tampabelle,

sorry its taken me so long to get back to you - I went away for the weekend.

I looked for the file you said to delete but I couldn't find it at all. I carried out another AVG scan of the whole system and it looks completely clean except for an error on the boot sector. Ad-aware says its completely clean as well but I'm not buying it - I've had this 'all clear' before and the infection comes straight back. Anyway, here are the logs. As far as I'm aware, this is the complete log file saved after the scan.

Logfile of HijackThis v1.99.1
Scan saved at 19:09:47, on 12/11/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\THOTKEY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\HPBPRO.EXE
C:\WINDOWS\SYSTEM\HPBOID.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\ALISNDMG.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\TPWRTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TFNCKY.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\TOOLBOX2.0\APACHE TOMCAT 4.0\WEBAPPS\TOOLBOX\STATUSCLIENT\STATUSCLIENT.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\HEWLETT-PACKARD\TOOLBOX2.0\JAVASOFT\JRE\1.3.1\BIN\JAVAW.EXE
C:\PROGRAM FILES\D-LINK AIRPLUS\AIRPLUS.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\MY DOCUMENTS\MY ANTIVIRUS ANTISPY\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.c...ndex_first.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ALiSndMgr] ALiSndMg.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Dcfssvc] C:\WINDOWS\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [HPLJ Config] C:\Program Files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe -c Network -p -pn "hp LaserJet 1010 Series Driver" -n 0 -l 1033 -sl 120000
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [THotkey] C:\WINDOWS\SYSTEM\THotkey.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [HP Port Resolver] C:\WINDOWS\SYSTEM\hpbpro.exe
O4 - HKLM\..\RunServices: [HP Status Server] C:\WINDOWS\SYSTEM\hpboid.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: D-Link AirPlus.lnk = C:\Program Files\D-Link AirPlus\AirPlus.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...ebscan_ansi.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone...canner37350.cab


AVG (free edition) test results:

"Partition table (MBR)";"ok";"Quick checked"
"Boot sector of disk C:";"Reading error";"Error"
"System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Load";"";"Scanned"
"System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Run";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\Run";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnce";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServices";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\Run";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnce";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServices";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce";"";"Scanned"
"System registry Software\Microsoft\Windows\CurrentVersion\Winlogon\Userinit";"";"Scanned"
"System registry SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell";"";"Scanned"
"System registry exefile\shell\open\command";"";"Scanned"
"System registry scrfile\shell\open\command";"";"Scanned"
"System registry scrfile\shell\config\command";"";"Scanned"
"System registry batfile\shell\open\command";"";"Scanned"
"System registry cmdfile\shell\open\command";"";"Scanned"
"System registry comfile\shell\open\command";"";"Scanned"
"System registry piffile\shell\open\command";"";"Scanned"
"System registry giffile\shell\open\command";"";"Scanned"
"System registry htmlfile\shell\open\command";"";"Scanned"
"System registry htafile\shell\open\command";"";"Scanned"
"System registry jpegfile\shell\open\command";"";"Scanned"
"System registry txtfile\shell\open\command";"";"Scanned"
"System registry regfile\shell\open\command";"";"Scanned"
"System registry cplfile\shell\cplopen\command";"";"Scanned"
"System registry Word.Document.8\shell\open\command";"";"Scanned"
"System registry WordPad.Document.1\shell\open\command";"";"Scanned"
"C:\PROGRA~1\ACCESS~1\WORDPAD.EXE";"ok";"Quick checked"
"C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE";"ok";"Quick checked"
"C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE";"ok";"Quick checked"
"C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE";"ok";"Quick checked"
"C:\PROGRA~1\INTERN~1\IEXPLORE.EXE";"ok";"Quick checked"
"C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE";"ok";"Quick checked"
"C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe";"ok";"Quick checked"
"C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe";"ok";"Quick checked"
"C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe";"ok";"Quick checked"
"C:\Program Files\Hewlett-Packard\hp LaserJet 1010 Series\SetConfig.exe";"ok";"Quick checked"
"C:\Program Files\Microsoft Money\System\Money Express.exe";"ok";"Quick checked"
"C:\Program Files\Microsoft Works\WkDetect.exe";"ok";"Quick checked"
"C:\Program Files\Microsoft Works\wkfud.exe";"ok";"Quick checked"
"C:\Program Files\Microsoft Works\wkssb.exe";"ok";"Quick checked"
"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe";"ok";"Quick checked"
"C:\WINDOWS\NOTEPAD.EXE";"ok";"Quick checked"
"C:\WINDOWS\PCHealth\Support\PCHSCHD.EXE";"ok";"Quick checked"
"C:\WINDOWS\REGEDIT.EXE";"ok";"Quick checked"
"C:\WINDOWS\RUNDLL.EXE";"ok";"Quick checked"
"C:\WINDOWS\RUNDLL32.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\ALiSndMg.exe";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\HPBOID.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\HPBPRO.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\IRMON.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\MSHTA.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\MSTASK.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\SHELL32.DLL";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\SHIMGVW.DLL";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\SSDPSRV.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\STIMON.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\SYSTRAY.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\TFncKy.exe";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\THotkey.exe";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\TPWRTRAY.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\ZONELABS\vsmon.exe";"ok";"Quick checked"
"C:\WINDOWS\System32\Drivers\DCFSSVC.EXE";"ok";"Quick checked"
"C:\WINDOWS\System\Restore\STATEMGR.EXE";"ok";"Quick checked"
"C:\WINDOWS\TASKMON.EXE";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\kernel32.dll";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\wsock32.dll";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\user32.dll";"ok";"Quick checked"
"C:\WINDOWS\SYSTEM\shell32.dll";"ok";"Quick checked"
"A:\";"Cannot open; not checked!";"Not scanned"
"D:\";"Cannot open; not checked!";"Not scanned"


Personally, I can't make it out. I've hardly used this laptop for a while and just over a week ago it was clearly infected after the scans. Should I try to use this laptop more often so I can see if anything happens?
Thanks for your help once again Tampabelle

Dreadpiratedaz
  • 0

#37
OwNt
Posted 15 November 2005 - 06:42 PM

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, dreadpiratedaz.

I'll be taking over your log while tampabelle is away. :)

Both AVG and your Hijackthis log show your system is clean again.

Is it possible you may have been re-infected again after you were clean?

Are you having any problems right now that you think are virus/malware related?

Again, sorry for the delayed response. :tazz:
  • 0

#38
dreadpiratedaz
Posted 16 November 2005 - 12:15 PM

dreadpiratedaz

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Hello,
this is a weird one. It is totally unlikely that I have been reinfected. I hardly use the laptop as its 4 years old (I'm replying from my usual laptop). I steer well away from all the dodgy websites. The only I time I use it these days is to do something Tampabelle tells me to do(I want to loan it to a friend who needs it but don't want it to be more trouble than it's worth). At the moment I don't have any virus 'outbreaks' or other problems but after my system was declared clean this file in my restore folder did come back - so Adaware told me!(Win32.Trojan.StartPage Object) I know that the original file that I could not delete had LoaderX information in it and i heard that this particular file was notorious for coming back. It's beyond me. So in short everything looks fine but I'm not holding my breath. I think I'll just have to use it more to reassure myself.
thanks
dreadpiratedaz
  • 0

#39
OwNt
Posted 16 November 2005 - 03:41 PM

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Hello, dreadpiratedaz. :)

but after my system was declared clean this file in my restore folder did come back - so Adaware told me!

It's likely the file was still inactive, system restore sometimes houses spyware.

Ad-aware most likely found the inactive file being housed by system restore. We'll clear the restore points so it will be clean again. :tazz:

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb;en-us;310405

Edited by OwNt, 16 November 2005 - 07:32 PM.

  • 0

#40
OwNt
Posted 27 November 2005 - 01:40 AM

OwNt

    Malware Expert

  • Retired Staff
  • 7,457 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0

Advertisements

Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP