Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Trojan.Win32.Agent.eoc and W32/Rootkit.AVX [RESOLVED]

Started by JadeAsp , Feb 01 2008 12:36 PM

  • This topic is locked This topic is locked

#1
JadeAsp
Posted 01 February 2008 - 12:36 PM

JadeAsp

    New Member

  • Member
  • Pip
  • 5 posts
Hello,

I'm having problems with disinfecting this trojan. I would appreciate your help as I have tried everything I could think of with little success.
This is a description of what happened, in case it might be useful.
BitDefender 10 reported a trojan but stated that "your computer is not infected" Immediately, Spyware Doctor 4 popped up a window about a threat whose name included "WINLOGON". The computer crashed and restarted. Immediately upon loading Windows, the mouse cursor started moving and clicking buttons without any input, leading to the Log Off menu being displayed. I stopped the computer from the button.
When I next started it, it behaved normally. I installed F-secure 2008 and started a full system scan. At some point during the scan a window would pop up with a 60 second countdown to restart, stating "shutdown initiated by NT AUTHORITY/SYSTEM" and "DCOM Server Process Launcher terminated unexpectedly". Afterwards this error would appear spontaneously while the Real-Time protection was active. The only way I can use the computer now is if Real-Time protection is deactivated. After this I tried scanning with the F-Secure on-line scanner. It led to the same error and shutdown but at the stage of disinfection, after the conclusion of the scan. It generated a report containing the following malware:

Trojan-Downloader.JS.Agent.kd (virus)
C:\DOCUMENTS AND SETTINGS\CATALIN\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\GRGRQHYH\69.47.5[1].HTM
Trojan-Downloader.Win32.Agent.hvo (virus)
C:\DOCUMENTS AND SETTINGS\ALEX\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\S1IJ8HAN\1[1].EXE
Trojan-Downloader.Win32.Small.evy (virus)
C:\DOCUMENTS AND SETTINGS\CATALIN\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\GRGRQHYH\FILE[1].EXE
Trojan-Dropper.Win32.Small.azk (virus)
C:\DOCUMENTS AND SETTINGS\ALEX\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\894TVMQ1\M[1].EXE
Trojan.Win32.Pakes.brk (virus)
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\OTUFKDAR\MM27NOV[1].EXE

Trojan.Win32.Agent.eoc (virus)
C:\WINDOWS\system32\svchost.exe:ext.exe
C:\DOCUMENTS AND SETTINGS\ALEX\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\L67XDY4E\D[1].EXE
W32/Rootkit.AVX (virus)
C:\WINDOWS\SYSTEM32\DRIVERS\JJEP51.SYS

I manually deleted all but the last two. JJEP51.sys was not at the stated destination but was visible in the list of drivers loaded in Safe Mode.
I installed Spyware Doctor 5.5 which found the Rootkit and reported it as disinfected. Nevertheless it produces errors when loading after reboot, saying it can not find a certain library file.
Afterwards I scanned again with F-Secure, both the installed and on-line versions. The rootkit and manually deleted trojan were not detected anymore but it still detected Agent.eoc and crashed just as before.
After this I found this forum and went through the steps reccomended in the "You Must Read This Before Posting A Hijackthis Log, Malware Cleaning Guide". The scan with Panda Activescan did not find the trojan in the svchost file.

Here are the Hijack This logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:01:42, on 2/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\system32\PGPserv.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\WINDOWS\system32\locator.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure\FSAUA\program\fsus.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\Program Kits\Net\Micro Torrent 1.4 beta\utorrent-1.4.1-beta-build-406.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe
C:\Program Files\Privoxy\privoxy.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\codeblocks.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VGAUtil] C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [uTorrent] "D:\Program Kits\Net\Micro Torrent 1.4 beta\utorrent-1.4.1-beta-build-406.exe"
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
O4 - Startup: Hush Messenger.lnk = ?
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: PGPtray.exe.lnk = ?
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C35F2585-292B-4E38-AD7D-0AAE8392F709}: NameServer = 82.76.253.115 82.76.253.125
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

--
End of file - 11661 bytes

@BIOS
3ivx D4 4.5.1 (remove only)
ACDSee 7.0 PowerPack
Adobe Acrobat 7.0.9 Professional
Adobe Flash Player ActiveX
Advanced RAR Password Recovery (remove only)
AudibleManager
AudioCatalyst
Bon Echo (2.0a1)
BrainWave Generator
BS.Player PRO
Buddy Spy 2.2.10
Cablenut 4.08
CallerIP
Canon PhotoRecord
Canon PIXMA iP1500
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PrintToolBox
Creative MediaSource
Creative Removable Disk Manager
Creative System Information
Creative Zen Vision M
Disk Checker
DivX Content Uploader
DivX Web Player
DMIView
DriverCD
EasyTune5
Easy-WebPrint
eMule
Enable S3 for USB Device
Encyclopaedia Britannica 2006 Ultimate Reference Suite DVD
FastStone MaxView 1.6
ffdshow [rev 890] [2007-02-06]
F-Secure Internet Security 2008
Gaim (remove only)
Gigabyte Face Wizard
GIGABYTE VGA Utility Manager
Gigabyte Windows Utility Manager
GNU Aspell 0.50-3
Google Earth Pro
GTK+ Runtime 2.6.10 rev a (remove only)
HijackThis 2.0.2
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB909394)
Hush Messenger (remove only)
Invisible Secrets 4
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java Web Start
Java™ 6 Update 2
Java™ 6 Update 3
Java™ SE Runtime Environment 6 Update 1
KeyScrambler
KhalSetup
Last.fm 1.4.2.58376
Logitech SetPoint
LucasArts' Grim Fandango
Macromedia Shockwave Player
Magic ISO Maker v5.3 (build 0216)
Microsoft .NET Framework 2.0
Microsoft ActiveSync
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
MouScreen 2.01
Mozilla Firefox (2.0.0.7)
Mozilla Thunderbird (1.5)
Mp3tag v2.35
Natural Color
Nero 7 Demo
Neuron GIS
NVIDIA Drivers
Oblivion
Opera
Opera 9.0
Opera Search.ini Editor 1.23B
Panda ActiveScan
PGP Desktop
PowerDVD
Privoxy 3.0.3
QuickTime
RadLight Ogg Media DirectShow filter (remove only)
RealPlayer
Registry Mechanic 5.2
Registry Tweaker 1.8.1.106b
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Skype 3.0
Skype Plugin Manager
Sony Ericsson PC Suite 1.20.173
Spyware Doctor 5.5
StrongDC++ 1.00 RC10
StyleXP (remove only)
Tag&Rename 3.2
Teleport Pro
URGE
Winamp (remove only)
Windows Commander (Remove or Repair)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 10 Hotfix - KB895316
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
WinTasks Trial
XingMP3 Player
XPlite
XviD 1.1 final uninstall
Yahoo! Install Manager
Yahoo! Messenger

I would appreciate it if you could help me and also tell me if there is any imminent danger of data loss or personal information leakage.
Thank you!
  • 0

Advertisements

#2
Essexboy
Posted 01 February 2008 - 12:59 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there JadeAsp well you definately have a spambot to start with, and until I can look at the rest I would not rule out the possibility of a keylogger

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\codeblocks.exe,
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java™ SE Runtime Environment 6 Update 1
Java™ 6 Update 2

Please note any other programs that you dont recognize in that list in your next response

NEXT

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\codeblocks.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

FINALLY FOR NOW

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Logs required : OTMoveit and Combofix
  • 0

#3
JadeAsp
Posted 01 February 2008 - 02:13 PM

JadeAsp

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Thank you very much for the fast reply! You are very helpful and I consider myself lucky to have found this forum.

I also found "Java™ 6 Update 3", of 133mb, similar in size and name with the ones you told me to remove. I removed it too.
There was also "Java Web start" but I left it alone.

and there were various programs I do not remember installing but may have been installed together with other programs:

Adobe Flash Player ActiveX
DMI View
Enable S3 for USB device
GNU-Aspell 0.50-3
GTK+ Runtime 2.6.10 rev a (remove only)
Microsoft .NET framework 2.0
Microsoft Visual C++ redistributable
URGE

and a few other small stuff I removed

Here is the OTMoveit report:

File/Folder C:\WINDOWS\system32\codeblocks.exe not found.

OTMoveIt2 v1.0.17 log created on 02012008_214445

and the Combofix report:

ComboFix 08-02.01.6 - Alex 2008-02-01 21:48:27.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.620 [GMT 2:00]
Running from: C:\Documents and Settings\Alex\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - svchost.exe: deleted 25600 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Alex\Application Data\macromedia\Flash Player\#SharedObjects\XWB8AKCR\www.broadcaster.com
C:\Documents and Settings\Alex\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Alex\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://javadl.sun.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_FCI


((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.

2008-02-01 18:08 . 2008-02-01 18:08 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-01 18:08 . 2008-02-01 18:08 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-01 12:56 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-01 12:56 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-01 12:56 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-01 12:56 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-01-31 22:45 . 2008-01-31 22:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\F-Secure
2008-01-31 22:45 . 2007-05-25 15:09 58,128 --a------ C:\WINDOWS\system32\drivers\fsdfw.sys
2008-01-31 22:45 . 2007-05-25 15:09 37,008 --a------ C:\WINDOWS\system32\drivers\fsndis5.sys
2008-01-31 21:30 . 2008-01-31 21:30 29 --a------ C:\WINDOWS\system32\iidaffuq.tmp
2008-01-31 21:29 . 2008-01-31 21:29 61,952 --a------ C:\54C.tmp
2008-01-31 21:29 . 2008-01-31 21:29 0 --a------ C:\54E.tmp
2008-01-05 14:40 . 2008-01-05 14:40 <DIR> d-------- C:\Program Files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 19:53 23,524 ----a-w C:\WINDOWS\system32\drivers\GVTDrv.sys
2008-02-01 19:35 --------- d-----w C:\Program Files\XPLite Pro
2008-02-01 19:32 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-02-01 19:29 --------- d-----w C:\Program Files\Gigabyte
2008-02-01 19:26 --------- d-----w C:\Program Files\Java
2008-02-01 19:20 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-01 18:47 --------- d-----w C:\Documents and Settings\Alex\Application Data\uTorrent
2008-02-01 18:01 --------- d-----w C:\Program Files\Trend Micro
2008-02-01 16:41 --------- d-----w C:\Program Files\QuickTime
2008-02-01 16:41 --------- d-----w C:\Program Files\Privoxy
2008-02-01 16:41 --------- d-----w C:\Program Files\Opera
2008-02-01 16:40 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-01 16:40 --------- d-----w C:\Program Files\MagicISO
2008-02-01 16:40 --------- d-----w C:\Program Files\Last.fm
2008-02-01 16:37 --------- d-----w C:\Program Files\Invisible Secrets 4
2008-02-01 14:13 --------- d-----w C:\Program Files\Spyware Doctor
2008-02-01 13:34 --------- d-----w C:\Program Files\BSplayer_WhenUSave_Installer
2008-01-31 20:49 --------- d-----w C:\Program Files\F-Secure
2008-01-31 20:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\fssg
2008-01-31 20:04 --------- d-----w C:\Documents and Settings\Alex\Application Data\Skype
2008-01-31 19:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\BitDefender
2006-03-30 11:36 552 -c--a-w C:\Program Files\INSTALL.LOG
2006-03-24 19:01 17,144 ----a-w C:\Documents and Settings\Alex\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-04-04 19:01 1368064]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23 102400]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
"Spyware Doctor"="C:\PROGRA~1\SPYWAR~1\swdoctor.exe" [2006-07-25 16:46 2083040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRTCLK"="C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe" [2003-12-30 11:44 24576]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 06:56 33280 C:\WINDOWS\system32\rundll32.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 06:56 33280 C:\WINDOWS\system32\rundll32.exe]
"VGAUtil"="C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe" [2004-09-17 13:32 552960]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-07-19 11:03 94208 C:\WINDOWS\KHALMNPR.Exe]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2007-03-21 12:10 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-23 14:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 23:31 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 23:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 23:32 455168]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-03-08 19:18 98304]
"F-Secure Manager"="C:\Program Files\F-Secure\Common\FSM32.exe" [2007-05-25 15:12 183208]
"F-Secure TNB"="C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" [2007-05-25 15:11 740208]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2006-03-08 00:16:08 25214]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-10-18 21:49:34 671744]
PGPtray.exe.lnk - C:\WINDOWS\Installer\{524273E4-09FA-4DC4-8ACF-9C4F74E00FD3}\Icon6560581611.exe [2006-06-23 12:15:32 55296]
Privoxy.lnk - C:\Program Files\Privoxy\privoxy.exe [2004-03-05 12:47:30 212480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoInstrumentation"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoUserNameInStartMenu"= 0 (0x0)
"NoInstrumentation"= 0 (0x0)
"NoStartMenuPinnedList"= 0 (0x0)
"NoAutoUpdate"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^Alex^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\Alex\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^gwum.lnk]
backup=C:\WINDOWS\pss\gwum.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2006-01-12 19:52 483328 C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2004-03-19 02:33 24576 C:\WINDOWS\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Device Detector]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-03-08 19:18 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2005-01-12 03:01 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 15:17 159744 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-03-09 19:40 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 2006-03-30 15:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 21:49 4662776 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2007-05-25 15:09]
R0 PGPwded;PGPwded Storage Filter Service;C:\WINDOWS\system32\drivers\PGPwded.sys [2006-02-03 14:57]
R1 F-Secure HIPS;F-Secure HIPS;C:\Program Files\F-Secure\HIPS\fshs.sys [2007-05-25 15:12]
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-09-01 11:32]
R2 PGPdisk;PGPdisk;C:\WINDOWS\system32\drivers\PGPdisk.sys [2006-02-03 15:01]
R2 PGPsdkDriver;PGPsdkDriver;C:\WINDOWS\system32\Drivers\PGPsdk.sys [2006-02-03 14:57]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure\Anti-Virus\minifilter\fsgk.sys [2007-05-25 15:08]
R3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys [2004-05-02 10:47]
R3 GVTDrv;GVTDrv;C:\WINDOWS\system32\drivers\GVTDrv.sys [2008-02-01 21:53]
R3 KeyScrambler;KeyScrambler;C:\WINDOWS\system32\drivers\keyscrambler.sys [2007-03-13 06:24]
S3 GPCIDrv;GPCIDrv;C:\WINDOWS\GPCIDrv.sys [2006-03-07 20:56]
S3 k600bus;Sony Ericsson 600i driver (WDM);C:\WINDOWS\system32\DRIVERS\k600bus.sys [2005-03-04 19:08]
S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k600mdfl.sys [2005-03-04 19:11]
S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\k600mdm.sys [2005-03-04 19:11]
S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\k600mgmt.sys [2005-03-04 19:13]
S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\k600obex.sys [2005-03-04 19:15]
S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2007-05-25 15:09]
S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSrec.sys [2007-05-25 15:09]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab845f02-28bd-11dc-a03f-000fea4681bb}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL ladybird.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-01 21:53:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\system32\PGPserv.exe
C:\WINDOWS\system32\locator.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure\FSAUA\program\fsus.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Privoxy\privoxy.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
.
**************************************************************************
.
Completion time: 2008-02-01 21:55:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-01 19:54:56

and Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:07:22, on 2/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\system32\PGPserv.exe
C:\WINDOWS\system32\locator.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure\FSAUA\program\fsus.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Privoxy\privoxy.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VGAUtil] C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
O4 - Startup: Hush Messenger.lnk = ?
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: PGPtray.exe.lnk = ?
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C35F2585-292B-4E38-AD7D-0AAE8392F709}: NameServer = 82.76.253.115 82.76.253.125
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

--
End of file - 9371 bytes
  • 0

#4
Essexboy
Posted 01 February 2008 - 03:16 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK there is no sign of a keylogger that I can see, and that sweep did not look too bad :)

I also found "Java™ 6 Update 3", of 133mb, similar in size and name with the ones you told me to remove. I removed it too.

Ahh that was the last but one version. Never mind I will give you the link for the latest version at the end

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\iidaffuq.tmp
C:\54C.tmp
C:\54E.tmp

Folder::
C:\Program Files\BSplayer_WhenUSave_Installer

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

THEN

To ensure that all has gone

Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and attach the log. I will review it when it comes in.
  • 0

#5
JadeAsp
Posted 02 February 2008 - 03:03 AM

JadeAsp

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Here are the Combofix:

ComboFix 08-02.01.6 - Alex 2008-02-02 10:38:08.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.651 [GMT 2:00]
Running from: C:\Documents and Settings\Alex\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Alex\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\54C.tmp
C:\54E.tmp
C:\WINDOWS\system32\iidaffuq.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\54C.tmp
C:\54E.tmp
C:\Program Files\BSplayer_WhenUSave_Installer
C:\WINDOWS\system32\iidaffuq.tmp

.
((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
.

2008-02-01 18:08 . 2008-02-01 18:08 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-01 18:08 . 2008-02-01 18:08 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-02-01 12:56 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-02-01 12:56 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-02-01 12:56 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-02-01 12:56 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-01-31 22:45 . 2008-01-31 22:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\F-Secure
2008-01-31 22:45 . 2007-05-25 15:09 58,128 --a------ C:\WINDOWS\system32\drivers\fsdfw.sys
2008-01-31 22:45 . 2007-05-25 15:09 37,008 --a------ C:\WINDOWS\system32\drivers\fsndis5.sys
2008-01-05 14:40 . 2008-01-05 14:40 <DIR> d-------- C:\Program Files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-02 08:03 23,524 ----a-w C:\WINDOWS\system32\drivers\GVTDrv.sys
2008-02-01 19:53 --------- d-----w C:\Documents and Settings\Alex\Application Data\uTorrent
2008-02-01 19:35 --------- d-----w C:\Program Files\XPLite Pro
2008-02-01 19:32 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-02-01 19:29 --------- d-----w C:\Program Files\Gigabyte
2008-02-01 19:26 --------- d-----w C:\Program Files\Java
2008-02-01 19:20 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-01 18:01 --------- d-----w C:\Program Files\Trend Micro
2008-02-01 16:41 --------- d-----w C:\Program Files\QuickTime
2008-02-01 16:41 --------- d-----w C:\Program Files\Privoxy
2008-02-01 16:41 --------- d-----w C:\Program Files\Opera
2008-02-01 16:40 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-02-01 16:40 --------- d-----w C:\Program Files\MagicISO
2008-02-01 16:40 --------- d-----w C:\Program Files\Last.fm
2008-02-01 16:37 --------- d-----w C:\Program Files\Invisible Secrets 4
2008-02-01 14:13 --------- d-----w C:\Program Files\Spyware Doctor
2008-01-31 20:49 --------- d-----w C:\Program Files\F-Secure
2008-01-31 20:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\fssg
2008-01-31 20:04 --------- d-----w C:\Documents and Settings\Alex\Application Data\Skype
2008-01-31 19:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\BitDefender
2008-01-31 19:50 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2008-01-31 19:29 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
2007-12-15 21:05 52,338 ----a-w C:\WINDOWS\system32\RadLightOggUninstall.exe
2006-03-30 11:36 552 -c--a-w C:\Program Files\INSTALL.LOG
2006-03-24 19:01 17,144 ----a-w C:\Documents and Settings\Alex\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2006-04-04 19:01 1368064]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23 102400]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]
"Spyware Doctor"="C:\PROGRA~1\SPYWAR~1\swdoctor.exe" [2006-07-25 16:46 2083040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRTCLK"="C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe" [2003-12-30 11:44 24576]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 06:56 33280 C:\WINDOWS\system32\rundll32.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 06:56 33280 C:\WINDOWS\system32\rundll32.exe]
"VGAUtil"="C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe" [2004-09-17 13:32 552960]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-07-19 11:03 94208 C:\WINDOWS\KHALMNPR.Exe]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2007-03-21 12:10 208952]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-23 14:00 44032]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 23:31 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 23:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 23:32 455168]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-03-08 19:18 98304]
"F-Secure Manager"="C:\Program Files\F-Secure\Common\FSM32.exe" [2007-05-25 15:12 183208]
"F-Secure TNB"="C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" [2007-05-25 15:11 740208]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2006-03-08 00:16:08 25214]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-10-18 21:49:34 671744]
PGPtray.exe.lnk - C:\WINDOWS\Installer\{524273E4-09FA-4DC4-8ACF-9C4F74E00FD3}\Icon6560581611.exe [2006-06-23 12:15:32 55296]
Privoxy.lnk - C:\Program Files\Privoxy\privoxy.exe [2004-03-05 12:47:30 212480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoInstrumentation"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 0 (0x0)
"NoSMMyPictures"= 0 (0x0)
"NoStartMenuMyMusic"= 0 (0x0)
"NoRecentDocsNetHood"= 0 (0x0)
"NoUserNameInStartMenu"= 0 (0x0)
"NoInstrumentation"= 0 (0x0)
"NoStartMenuPinnedList"= 0 (0x0)
"NoAutoUpdate"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^Alex^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=C:\Documents and Settings\Alex\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^gwum.lnk]
backup=C:\WINDOWS\pss\gwum.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2006-01-12 19:52 483328 C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2004-03-19 02:33 24576 C:\WINDOWS\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Device Detector]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-03-08 19:18 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2005-01-12 03:01 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 15:17 159744 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-03-09 19:40 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 2006-03-30 15:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2006-11-30 21:49 4662776 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2007-05-25 15:09]
R0 PGPwded;PGPwded Storage Filter Service;C:\WINDOWS\system32\drivers\PGPwded.sys [2006-02-03 14:57]
R1 F-Secure HIPS;F-Secure HIPS;C:\Program Files\F-Secure\HIPS\fshs.sys [2007-05-25 15:12]
R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-09-01 11:32]
R2 PGPdisk;PGPdisk;C:\WINDOWS\system32\drivers\PGPdisk.sys [2006-02-03 15:01]
R2 PGPsdkDriver;PGPsdkDriver;C:\WINDOWS\system32\Drivers\PGPsdk.sys [2006-02-03 14:57]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure\Anti-Virus\minifilter\fsgk.sys [2007-05-25 15:08]
R3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys [2004-05-02 10:47]
R3 GVTDrv;GVTDrv;C:\WINDOWS\system32\drivers\GVTDrv.sys [2008-02-02 10:03]
R3 KeyScrambler;KeyScrambler;C:\WINDOWS\system32\drivers\keyscrambler.sys [2007-03-13 06:24]
S3 GPCIDrv;GPCIDrv;C:\WINDOWS\GPCIDrv.sys [2006-03-07 20:56]
S3 k600bus;Sony Ericsson 600i driver (WDM);C:\WINDOWS\system32\DRIVERS\k600bus.sys [2005-03-04 19:08]
S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k600mdfl.sys [2005-03-04 19:11]
S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;C:\WINDOWS\system32\DRIVERS\k600mdm.sys [2005-03-04 19:11]
S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;C:\WINDOWS\system32\DRIVERS\k600mgmt.sys [2005-03-04 19:13]
S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;C:\WINDOWS\system32\DRIVERS\k600obex.sys [2005-03-04 19:15]
S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSfilter.sys [2007-05-25 15:09]
S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure\Anti-Virus\Win2K\FSrec.sys [2007-05-25 15:09]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab845f02-28bd-11dc-a03f-000fea4681bb}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL ladybird.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 10:39:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-02 10:39:54
ComboFix-quarantined-files.txt 2008-02-02 08:39:52
ComboFix2.txt 2008-02-01 19:55:00

Hijack This:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:42:08, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\system32\PGPserv.exe
C:\WINDOWS\system32\locator.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure\FSAUA\program\fsus.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe
C:\Program Files\Privoxy\privoxy.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VGAUtil] C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
O4 - Startup: Hush Messenger.lnk = ?
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: PGPtray.exe.lnk = ?
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C35F2585-292B-4E38-AD7D-0AAE8392F709}: NameServer = 82.76.253.115 82.76.253.125
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

--
End of file - 9370 bytes

and WinPFind 3 log:

WinPFind3 logfile created on: 2/2/2008 10:46:47
WinPFind3U by OldTimer - Version 1.0.44 Folder = C:\Documents and Settings\Alex\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

1023,48 Mb Total Physical Memory | 646,99 Mb Available Physical Memory | 63,21% Memory free
2,41 Gb Paging File | 1,95 Gb Available in Paging File | 81,01% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 11,69 Gb Total Space | 1,75 Gb Free Space | 15,00% Space Free
Drive D: | 100,09 Gb Total Space | 2,44 Gb Free Space | 2,44% Space Free
Drive E: | 611,61 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free
F: Drive not present or media not loaded

Computer Name: XERXES
Current User Name: Alex
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
ctdetect.exe -> %ProgramFiles%\Creative\MediaSource\Detector\CTDetect.exe -> Creative Technology Ltd [Ver = 3.0.2.0 | Size = 102400 bytes | Modified Date = 12/2/2004 18:23:34 | Attr = ]
ctsvccda.exe -> %System32%\CTSVCCDA.EXE -> Creative Technology Ltd [Ver = 1.0.1.0 | Size = 44032 bytes | Modified Date = 12/12/1999 19:01:00 | Attr = ]
fameh32.exe -> %ProgramFiles%\F-Secure\Common\FAMEH32.EXE -> F-Secure Corporation [Ver = 7.50.10035 | Size = 392048 bytes | Modified Date = 5/25/2007 15:12:36 | Attr = ]
fch32.exe -> %ProgramFiles%\F-Secure\Common\FCH32.EXE -> F-Secure Corporation [Ver = 7.50.10035 | Size = 125864 bytes | Modified Date = 5/25/2007 15:12:38 | Attr = ]
fsaua.exe -> %ProgramFiles%\F-Secure\FSAUA\program\fsaua.exe -> F-Secure Corporation [Ver = 8.21.1923 | Size = 457584 bytes | Modified Date = 5/25/2007 15:07:06 | Attr = ]
fsav32.exe -> %ProgramFiles%\F-Secure\Anti-Virus\fsav32.exe -> F-Secure Corporation [Ver = 7.50.13130 | Size = 319856 bytes | Modified Date = 5/25/2007 15:07:58 | Attr = ]
fsdfwd.exe -> %ProgramFiles%\F-Secure\FWES\program\fsdfwd.exe -> F-Secure Corporation [Ver = 6.16.61 | Size = 453488 bytes | Modified Date = 5/25/2007 15:10:08 | Attr = ]
fsgk32.exe -> %ProgramFiles%\F-Secure\Anti-Virus\fsgk32.exe -> F-Secure Corp. [Ver = 7.50.13130.10133 | Size = 357744 bytes | Modified Date = 5/25/2007 15:08:16 | Attr = ]
fsgk32st.exe -> %ProgramFiles%\F-Secure\Anti-Virus\fsgk32st.exe -> F-Secure Corporation [Ver = 7.30.13110 | Size = 48072 bytes | Modified Date = 5/25/2007 15:08:20 | Attr = ]
fsguidll.exe -> %ProgramFiles%\F-Secure\FSGUI\fsguidll.exe -> F-Secure Corporation [Ver = 6, 80, 2610, 0 | Size = 465776 bytes | Modified Date = 5/25/2007 15:11:08 | Attr = ]
fsm32.exe -> %ProgramFiles%\F-Secure\Common\FSM32.EXE -> F-Secure Corporation [Ver = 7.50.10035 | Size = 183208 bytes | Modified Date = 5/25/2007 15:12:52 | Attr = ]
fsma32.exe -> %ProgramFiles%\F-Secure\Common\FSMA32.EXE -> F-Secure Corporation [Ver = 7.50.10035 | Size = 113576 bytes | Modified Date = 5/25/2007 15:12:54 | Attr = ]
fsmb32.exe -> %ProgramFiles%\F-Secure\Common\FSMB32.EXE -> F-Secure Corporation [Ver = 7.50.10035 | Size = 232360 bytes | Modified Date = 5/25/2007 15:13:04 | Attr = ]
fsqh.exe -> %ProgramFiles%\F-Secure\Anti-Virus\fsqh.exe -> F-Secure Corporation [Ver = 6.00.100 | Size = 43952 bytes | Modified Date = 5/25/2007 15:08:28 | Attr = ]
fssm32.exe -> %ProgramFiles%\F-Secure\Anti-Virus\fssm32.exe -> F-Secure Corp. [Ver = 7.50.13130.10133 | Size = 413552 bytes | Modified Date = 5/25/2007 15:08:30 | Attr = ]
fsus.exe -> %ProgramFiles%\F-Secure\FSAUA\program\fsus.exe -> F-Secure Corporation [Ver = 8.21.1923 | Size = 174960 bytes | Modified Date = 6/19/2007 19:36:56 | Attr = ]
g-vga.exe -> %ProgramFiles%\Gigabyte\VGA Utility Manager\G-vga.exe -> [Ver = 1, 0, 0, 1 | Size = 552960 bytes | Modified Date = 9/17/2004 13:32:38 | Attr = ]
khalmnpr.exe -> %CommonProgramFiles%\Logitech\KhalShared\KHALMNPR.exe -> Logitech Inc. [Ver = 3.1.82 | Size = 94208 bytes | Modified Date = 7/19/2006 11:03:56 | Attr = ]
lastfmhelper.exe -> %ProgramFiles%\Last.fm\LastFMHelper.exe -> Last.fm [Ver = 1.4.2.58376 | Size = 106496 bytes | Modified Date = 12/19/2007 12:04:34 | Attr = ]
nvsvc32.exe -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.7772 | Size = 127043 bytes | Modified Date = 6/15/2005 17:20:00 | Attr = ]
pgpserv.exe -> %System32%\PGPserv.exe -> PGP Corporation [Ver = 3.5.5 | Size = 73728 bytes | Modified Date = 2/3/2006 14:50:22 | Attr = ]
pgptray.exe -> %ProgramFiles%\PGP Corporation\PGP Desktop\PGPtray.exe -> PGP Corporation [Ver = 9.0.5 (Build 5050) | Size = 855552 bytes | Modified Date = 6/23/2006 12:20:58 | Attr = ]
privoxy.exe -> %ProgramFiles%\Privoxy\privoxy.exe -> The Privoxy team - www.privoxy.org [Ver = 3.0.3 | Size = 212480 bytes | Modified Date = 3/5/2004 12:47:30 | Attr = ]
qttask.exe -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 6.5.1 | Size = 98304 bytes | Modified Date = 3/8/2006 19:18:46 | Attr = ]
setpoint.exe -> %ProgramFiles%\Logitech\SetPoint\SetPoint.exe -> Logitech Inc. [Ver = 3.1.116 | Size = 671744 bytes | Modified Date = 9/1/2006 10:01:42 | Attr = ]
swdoctor.exe -> %ProgramFiles%\Spyware Doctor\swdoctor.exe -> PC Tools Research Pty Ltd [Ver = 4.0.0.2602 | Size = 2083040 bytes | Modified Date = 7/25/2006 16:46:04 | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.44.0 | Size = 371200 bytes | Modified Date = 11/21/2007 9:19:46 | Attr = ]

[Win32 Services - Non-Microsoft Only]
(Creative Service for CDROM Access) Creative Service for CDROM Access [Win32_Own | Auto | Running] -> %System32%\CTSVCCDA.EXE -> Creative Technology Ltd [Ver = 1.0.1.0 | Size = 44032 bytes | Modified Date = 12/12/1999 19:01:00 | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 6:56:50 | Attr = ]
(F-Secure Gatekeeper Handler Starter) FSGKHS [Win32_Own | Auto | Running] -> %ProgramFiles%\F-Secure\Anti-Virus\fsgk32st.exe -> F-Secure Corporation [Ver = 7.30.13110 | Size = 48072 bytes | Modified Date = 5/25/2007 15:08:20 | Attr = ]
(FSAUA) F-Secure Automatic Update Agent [Win32_Own | On_Demand | Running] -> %ProgramFiles%\F-Secure\FSAUA\program\fsaua.exe -> F-Secure Corporation [Ver = 8.21.1923 | Size = 457584 bytes | Modified Date = 5/25/2007 15:07:06 | Attr = ]
(FSDFWD) F-Secure Anti-Virus Firewall Daemon [Win32_Own | On_Demand | Running] -> %ProgramFiles%\F-Secure\FWES\program\fsdfwd.exe -> F-Secure Corporation [Ver = 6.16.61 | Size = 453488 bytes | Modified Date = 5/25/2007 15:10:08 | Attr = ]
(FSMA) F-Secure Management Agent [Win32_Own | Auto | Running] -> %ProgramFiles%\F-Secure\Common\FSMA32.EXE -> F-Secure Corporation [Ver = 7.50.10035 | Size = 113576 bytes | Modified Date = 5/25/2007 15:12:54 | Attr = ]
(NVSvc) NVIDIA Display Driver Service [Win32_Own | Auto | Running] -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.7772 | Size = 127043 bytes | Modified Date = 6/15/2005 17:20:00 | Attr = ]
(PGPserv) PGPserv [Win32_Own | Auto | Running] -> %System32%\PGPserv.exe -> PGP Corporation [Ver = 3.5.5 | Size = 73728 bytes | Modified Date = 2/3/2006 14:50:22 | Attr = ]
(sdAuxService) PC Tools Auxiliary Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Spyware Doctor\pctsAuxs.exe -> PC Tools [Ver = 5.5.0.37 | Size = 747912 bytes | Modified Date = 12/10/2007 14:53:44 | Attr = ]
(sdCoreService) PC Tools Security Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Spyware Doctor\pctsSvc.exe -> PC Tools [Ver = 5.5.0.68 | Size = 946568 bytes | Modified Date = 12/10/2007 14:53:46 | Attr = ]
(StyleXPService) StyleXPService [Win32_Own | Auto | Stopped] -> %ProgramFiles%\TGTSoft\StyleXP\StyleXPService.exe -> [Ver = 0, 20, 0, 3000 | Size = 372736 bytes | Modified Date = 4/4/2006 19:02:12 | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
F-Secure Manager -> %ProgramFiles%\F-Secure\Common\FSM32.EXE -> F-Secure Corporation [Ver = 7.50.10035 | Size = 183208 bytes | Modified Date = 5/25/2007 15:12:52 | Attr = ]
F-Secure TNB -> %ProgramFiles%\F-Secure\FSGUI\tnbutil.exe -> F-Secure Corporation [Ver = 1.09.5230 | Size = 740208 bytes | Modified Date = 5/25/2007 15:11:44 | Attr = ]
Logitech Hardware Abstraction Layer -> %SystemRoot%\KHALMNPR.Exe -> Logitech Inc. [Ver = 3.1.82 | Size = 94208 bytes | Modified Date = 7/19/2006 11:03:56 | Attr = ]
MSPY2002 -> %System32%\IME\PINTLGNT\IMSCINST.EXE -> [Ver = | Size = 59392 bytes | Modified Date = 8/3/2004 23:31:50 | Attr = ]
NvCplDaemon -> %System32%\nvcpl.dll ["RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup] -> NVIDIA Corporation [Ver = 6.14.10.7772 | Size = 6803456 bytes | Modified Date = 6/15/2005 17:20:00 | Attr = ]
NvMediaCenter -> %System32%\nvmctray.dll ["RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit] -> NVIDIA Corporation [Ver = 6.14.10.7772 | Size = 86016 bytes | Modified Date = 6/15/2005 17:20:00 | Attr = ]
NVRTCLK -> %System32%\NVRTClk\NVRTClk.exe -> [Ver = 1, 0, 0, 1 | Size = 24576 bytes | Modified Date = 12/30/2003 11:44:24 | Attr = R ]
QuickTime Task -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 6.5.1 | Size = 98304 bytes | Modified Date = 3/8/2006 19:18:46 | Attr = ]
VGAUtil -> %ProgramFiles%\Gigabyte\VGA Utility Manager\G-vga.exe -> [Ver = 1, 0, 0, 1 | Size = 552960 bytes | Modified Date = 9/17/2004 13:32:38 | Attr = ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
Creative Detector -> %ProgramFiles%\Creative\MediaSource\Detector\CTDetect.exe -> Creative Technology Ltd [Ver = 3.0.2.0 | Size = 102400 bytes | Modified Date = 12/2/2004 18:23:34 | Attr = ]
Spyware Doctor -> %ProgramFiles%\Spyware Doctor\swdoctor.exe -> PC Tools Research Pty Ltd [Ver = 4.0.0.2602 | Size = 2083040 bytes | Modified Date = 7/25/2006 16:46:04 | Attr = ]
STYLEXP -> %ProgramFiles%\TGTSoft\StyleXP\StyleXP.exe -> [Ver = 0, 30, 18, 0 | Size = 1368064 bytes | Modified Date = 4/4/2006 19:01:12 | Attr = ]
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
%AllUsersStartup%\Adobe Acrobat Speed Launcher.lnk -> %SystemRoot%\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe -> [Ver = | Size = 25214 bytes | Modified Date = 5/28/2007 14:53:02 | Attr = R ]
%AllUsersStartup%\Logitech SetPoint.lnk -> %ProgramFiles%\Logitech\SetPoint\SetPoint.exe -> Logitech Inc. [Ver = 3.1.116 | Size = 671744 bytes | Modified Date = 9/1/2006 10:01:42 | Attr = ]
%AllUsersStartup%\PGPtray.exe.lnk -> %SystemRoot%\Installer\{524273E4-09FA-4DC4-8ACF-9C4F74E00FD3}\Icon6560581611.exe -> [Ver = | Size = 55296 bytes | Modified Date = 6/23/2006 12:15:34 | Attr = R ]
%AllUsersStartup%\Privoxy.lnk -> %ProgramFiles%\Privoxy\privoxy.exe -> The Privoxy team - www.privoxy.org [Ver = 3.0.3 | Size = 212480 bytes | Modified Date = 3/5/2004 12:47:30 | Attr = ]
< User Startup > -> C:\Documents and Settings\Alex\Start Menu\Programs\Startup ->
%UserStartup%\Hush Messenger.lnk -> %System32%\javaw.exe -> File not found
%UserStartup%\Last.fm Helper.lnk -> %ProgramFiles%\Last.fm\LastFMHelper.exe -> Last.fm [Ver = 1.4.2.58376 | Size = 106496 bytes | Modified Date = 12/19/2007 12:04:34 | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ ->
WRNotifier -> WRLogonNTF.dll -> File not found
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoRecentDocsMenu -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoFavoritesMenu -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoSMMyDocs -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoSMMyPictures -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoStartMenuMyMusic -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoRecentDocsHistory -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoRecentDocsNetHood -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoInstrumentation -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 255 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> 67108863 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ -> ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 181 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoRecentDocsMenu -> 1000000 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoFavoritesMenu -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoSMMyDocs -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoSMMyPictures -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoStartMenuMyMusic -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoRecentDocsHistory] -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\ClearRecentDocsOnExit -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoRecentDocsNetHood -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoUserNameInStartMenu -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoInstrumentation -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoStartMenuPinnedList -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoSharedDocuments -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoAutoUpdate -> 1 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoCDBurning -> 1 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoRecentDocsHistory ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network\\NoFileSharing -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network\\NoFileSharingControl -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network\\NoPrintSharing -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ -> ->
< HOSTS File > (27 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1 localhost -> ->
< Internet Explorer Settings > -> ->
HKLM: Default_Page_URL -> http://www.yahoo.com/ ->
HKLM: Main\\Default_Search_URL -> http://us.rd.yahoo.c...//www.yahoo.com ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Bar -> http://us.rd.yahoo.c...rch/search.html ->
HKLM: Search Page -> http://us.rd.yahoo.c...//www.yahoo.com ->
HKLM: Start Page -> http://www.yahoo.com/ ->
HKLM: CustomizeSearch -> http://ie.search.msn...st/srchcust.htm ->
HKLM: SearchAssistant -> http://ie.search.msn...st/srchasst.htm ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Search Page -> http://www.microsoft...amp;ar=iesearch ->
HKCU: Start Page -> http://www.yahoo.com/ ->
HKCU: URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> Reg Data - Key not found [Yahoo! Toolbar] -> File not found
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
msn.com [ - ] -> ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 59032 bytes | Modified Date = 12/18/2006 3:16:42 | Attr = ]
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} [HKLM] -> %ProgramFiles%\Spyware Doctor\tools\iesdsg.dll [PCTools Site Guard] -> PC Tools [Ver = 3.6.0.2069 | Size = 803048 bytes | Modified Date = 5/5/2006 13:55:04 | Attr = ]
{AE7CD045-E861-484f-8273-0445EE161910} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF Conversion Toolbar Helper] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 | Attr = ]
{B56A7D7D-6927-48C8-A975-17DF180C71AC} [HKLM] -> %ProgramFiles%\Spyware Doctor\tools\iesdpb.dll [PCTools Browser Monitor] -> PC Tools [Ver = 3.6.0.2283 | Size = 850104 bytes | Modified Date = 1/12/2007 17:34:36 | Attr = ]
{C333CF63-767F-4831-94AC-E683D962C63C} [HKLM] -> %ProgramFiles%\TGTSoft\StyleXP\TGT_BHO.dll [CoTGT_BHO Class] -> [Ver = | Size = 65536 bytes | Modified Date = 11/30/2005 4:35:44 | Attr = ]
< Internet Explorer Bars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ ->
{182EC0BE-5110-49C8-A062-BEB1D02A220B} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 | Attr = ]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{327C2873-E90D-4c37-AA9D-10AC9BABA46C} [HKLM] -> %ProgramFiles%\Canon\Easy-WebPrint\Toolband.dll [Easy-WebPrint] -> [Ver = 2, 5, 1, 6 | Size = 405504 bytes | Modified Date = 8/26/2004 11:27:32 | Attr = ]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 | Attr = ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
ShellBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 | Attr = ]
ShellBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [Adobe PDF] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 231160 bytes | Modified Date = 12/18/2006 3:18:14 | Attr = ]
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> Reg Data - Key not found [Yahoo! Toolbar] -> File not found
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{2D663D1A-8670-49D9-A1A5-4C56B4E14E84} -> Reg Data - Value does not exist [ButtonText: Spyware Doctor] -> File not found
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
Convert link target to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECapture.htm -> File not found
Convert link target to existing PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppend.htm -> File not found
Convert selected links to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECaptureSelLinks.htm -> File not found
Convert selected links to existing PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppendSelLinks.htm -> File not found
Convert selection to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECapture.htm -> File not found
Convert selection to existing PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppend.htm -> File not found
Convert to Adobe PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIECapture.htm -> File not found
Convert to existing PDF -> %ProgramFiles%\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll\AcroIEAppend.htm -> File not found
E&xport to Microsoft Excel -> -> File not found
Easy-WebPrint Add To Print List -> %ProgramFiles%\Canon\Easy-WebPrint\Resource.dll\RC_AddToList.htm -> File not found
Easy-WebPrint High Speed Print -> %ProgramFiles%\Canon\Easy-WebPrint\Resource.dll\RC_HSPrint.htm -> File not found
Easy-WebPrint Preview -> %ProgramFiles%\Canon\Easy-WebPrint\Resource.dll\RC_Preview.htm -> File not found
Easy-WebPrint Print -> %ProgramFiles%\Canon\Easy-WebPrint\Resource.dll\RC_Print.htm -> File not found
< User Agent Post Platform [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform ->
SV1 -> ->
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{32DADBD6-4FED-4DFB-9AF4-64797B921FEA} -> (Broadcom NetXtreme Gigabit Ethernet) ->
{9DBC8AF6-972E-4801-BAD9-4C32133FCD2A} -> (Windows Mobile-based Device) ->
< Winsock2 Catalogs [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\ ->
Protocol_Catalog9\Catalog_Entries\000000000001 -> %ProgramFiles%\F-Secure\FSPS\program\fslsp.dll -> F-Secure Corporation [Ver = 2.00.240 | Size = 207728 bytes | Modified Date = 5/25/2007 15:14:14 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000002 -> %ProgramFiles%\F-Secure\FSPS\program\fslsp.dll -> F-Secure Corporation [Ver = 2.00.240 | Size = 207728 bytes | Modified Date = 5/25/2007 15:14:14 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000003 -> %ProgramFiles%\F-Secure\FSPS\program\fslsp.dll -> F-Secure Corporation [Ver = 2.00.240 | Size = 207728 bytes | Modified Date = 5/25/2007 15:14:14 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000004 -> %ProgramFiles%\F-Secure\FSPS\program\fslsp.dll -> F-Secure Corporation [Ver = 2.00.240 | Size = 207728 bytes | Modified Date = 5/25/2007 15:14:14 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000005 -> %ProgramFiles%\F-Secure\FSPS\program\fslsp.dll -> F-Secure Corporation [Ver = 2.00.240 | Size = 207728 bytes | Modified Date = 5/25/2007 15:14:14 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000006 -> %ProgramFiles%\F-Secure\FSPS\program\fslsp.dll -> F-Secure Corporation [Ver = 2.00.240 | Size = 207728 bytes | Modified Date = 5/25/2007 15:14:14 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000007 -> %ProgramFiles%\F-Secure\FSPS\program\fslsp.dll -> F-Secure Corporation [Ver = 2.00.240 | Size = 207728 bytes | Modified Date = 5/25/2007 15:14:14 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000008 -> %ProgramFiles%\F-Secure\FSPS\program\fslsp.dll -> F-Secure Corporation [Ver = 2.00.240 | Size = 207728 bytes | Modified Date = 5/25/2007 15:14:14 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000009 -> %ProgramFiles%\F-Secure\FSPS\program\fslsp.dll -> F-Secure Corporation [Ver = 2.00.240 | Size = 207728 bytes | Modified Date = 5/25/2007 15:14:14 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000010 -> %ProgramFiles%\F-Secure\FSPS\program\fslsp.dll -> F-Secure Corporation [Ver = 2.00.240 | Size = 207728 bytes | Modified Date = 5/25/2007 15:14:14 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000011 -> %ProgramFiles%\F-Secure\FSPS\program\fslsp.dll -> F-Secure Corporation [Ver = 2.00.240 | Size = 207728 bytes | Modified Date = 5/25/2007 15:14:14 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000012 -> %ProgramFiles%\F-Secure\FSPS\program\fslsp.dll -> F-Secure Corporation [Ver = 2.00.240 | Size = 207728 bytes | Modified Date = 5/25/2007 15:14:14 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000013 -> %ProgramFiles%\F-Secure\FSPS\program\fslsp.dll -> F-Secure Corporation [Ver = 2.00.240 | Size = 207728 bytes | Modified Date = 5/25/2007 15:14:14 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000014 -> %ProgramFiles%\F-Secure\FSPS\program\fslsp.dll -> F-Secure Corporation [Ver = 2.00.240 | Size = 207728 bytes | Modified Date = 5/25/2007 15:14:14 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000015 -> %ProgramFiles%\F-Secure\FSPS\program\fslsp.dll -> F-Secure Corporation [Ver = 2.00.240 | Size = 207728 bytes | Modified Date = 5/25/2007 15:14:14 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000016 -> %System32%\PGPlsp.dll -> PGP Corporation [Ver = 9.0.5 (Build 5050) | Size = 49664 bytes | Modified Date = 2/3/2006 14:57:16 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000022 -> %System32%\PGPlsp.dll -> PGP Corporation [Ver = 9.0.5 (Build 5050) | Size = 49664 bytes | Modified Date = 2/3/2006 14:57:16 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000035 -> %ProgramFiles%\F-Secure\FSPS\program\fslsp.dll -> F-Secure Corporation [Ver = 2.00.240 | Size = 207728 bytes | Modified Date = 5/25/2007 15:14:14 | Attr = ]
< Default Protocols [HKLM] - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults ->
about -> 4 = Restricted sites (Not a Default Protocol) ->
about: -> 4 = Restricted sites (Not a Default Protocol) ->
mhtml -> 4 = Restricted sites (Not a Default Pr
  • 0

#6
Essexboy
Posted 02 February 2008 - 05:10 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi Jade I did not get the full report. However I had sufficient to think that one more run should do it :)

Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
YN -> WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. CLick the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new Hijackthis log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

NEXT

To clear the orphan registry entries and files

Download and then run SuperAntispyware
  • On the first page select Check for Updates
  • On completion select SCAN YOUR COMPUTER
  • On the next page select COMPLETE SCAN and tick ALL your drives
  • The next stage will take a while as your entire drive(s), memory and registry are scanned
  • When it has completed click NEXT
  • The next screen shows the problems found click OK
  • On the next screen place a tick against all items and select NEXT
  • Now to get the log Go to the PREFERENCES button on the right bottom
  • Select the STATISTICS/LOG tab
  • Highlight the scan just completed and click VIEW LOG
  • This will open a notepad text file copy and paste this to your next reply

Logs required : Winpfind report, Superantispyware logand Hijackthis log. plus how is your computer running now ?
  • 0

#7
JadeAsp
Posted 02 February 2008 - 09:23 AM

JadeAsp

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
[Registry - Non-Microsoft Only]
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
[Empty Temp Folders]
C:\DOCUME~1\Alex\LOCALS~1\Temp\ -> emptied.
C:\Documents and Settings\Alex\Local Settings\Temporary Internet Files\Content.IE5\ -> emptied
RecycleBin -> emptied.
< End of log >
Created on 02/02/2008 16:19:21


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/02/2008 at 05:15 PM

Application Version : 3.9.1008

Core Rules Database Version : 3394
Trace Rules Database Version: 1386

Scan type : Complete Scan
Total Scan Time : 00:38:45

Memory items scanned : 562
Memory threats detected : 0
Registry items scanned : 5658
Registry threats detected : 0
File items scanned : 46606
File threats detected : 1

Adware.Tracking Cookie
C:\Documents and Settings\Alex\Cookies\[email protected]
  • 0

#8
JadeAsp
Posted 02 February 2008 - 09:33 AM

JadeAsp

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:20:52, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\WINDOWS\system32\PGPserv.exe
C:\WINDOWS\system32\locator.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe
C:\Program Files\Privoxy\privoxy.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\F-Secure\FSAUA\program\fsus.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Spyware Doctor\pctsGui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - blank (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VGAUtil] C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: PGPtray.exe.lnk = ?
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C35F2585-292B-4E38-AD7D-0AAE8392F709}: NameServer = 82.76.253.115 82.76.253.125
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

--
End of file - 9697 bytes


The computer is working fine now. Prior to your last post I had also scanned it with Spyware Doctor 5.5. It found 2 trojans and it reported them cleaned:

2/2/2008 2:16:20 PM:546 Infection cleaned
Threat Name - Trojan-PWS.Tanspy
Type - Registry Key
Risk Level - High
Infection - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\load


2/2/2008 2:16:20 PM:703 Infection cleaned
Threat Name - Trojan.Generic
Type - Registry Key
Risk Level - Medium
Infection - HKEY_USERS\S-1-5-21-1644491937-1637723038-725345543-1003\Software\Wget

Please also tell me what might be the consequences of these infections. Can they have leaked passwords or e-mail / messenger communications? Can I be sure that they were removed? What can I do to prevent infection with keyloggers and rootkits from occurring in the future?
I currently have F-Secure 2008 and Spyware Doctor 5.5 installed. Do you recommend something else? Are there specialized anti-keylogger programs?

Thank you very much!
Alex
  • 0

#9
Essexboy
Posted 02 February 2008 - 10:49 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
The spyware doctor locations were just orphan registry entries with no files attached :)

Please also tell me what might be the consequences of these infections. Can they have leaked passwords or e-mail / messenger communications? Can I be sure that they were removed? What can I do to prevent infection with keyloggers and rootkits from occurring in the future?
I currently have F-Secure 2008 and Spyware Doctor 5.5 installed. Do you recommend something else? Are there specialized anti-keylogger programs?

You had trojan downloader which is just used as a conduit of other infections. I saw no indication of a keylogger. There is a keyscrambler free located here http://www.qfxsoftwa...om/Download.htm I have never used it my self but I have seen it recommended elsewhere

As promised the latest version of Java

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 4 and save it to your desktop.
  • Scroll down to where it says "JJava Runtime Environment (JRE) 6 Update 4...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windows-i586-p.exe to install the newest version.

Now the best part of the day ----- Your log now appears clean :)

Double click OTMoveIt once again and you should see a CleanUp! button, press that button, you may get prompted by your firewall that OTMoveIt wants to contact the internet, allow this, a cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself



Now to get you off to a good start we will re-set your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your your restore point but this is my method:

1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The System will do some calculation and the display a dialogue box with TABS
5. Select the More Options Tab.
6. At the bottom will be a system restore box with a CLEANUP button click this
7. Accept the Warning and select OK again, the program will close and you are done



Now that you are clean, to help protect your computer in the future I recommend that you get the following free program:
  • SpywareBlaster to help prevent spyware from installing in the first place.
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?


Keep safe :)
  • 0

#10
Essexboy
Posted 03 February 2008 - 06:06 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP