Hidden popup??

ceewi1

VIP Member
Your log reveals that your system has been infected with multiple keyloggers, one of which still remains. These can severely compromise personal information, which could lead to identity theft.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

  • Open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    C:\Program Files\Internet Explorer\PLUGINS\UnixSys08.Sys
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25FD6584-698F-BCD2-602C-698745210352}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3D698451-2015-6358-9871-2015987452D3}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47AC9076-C898-B098-D098-A18319080974}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{52023698-6984-8541-9654-698745012525}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64FAE856-AD58-20CB-A025-CD4895FA6E46}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74381DEC-D78B-43E4-BA5D-5244F669EBE4}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7FD45A54-9875-698F-E56E-65102358FDF7}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87FD640A-158F-48AC-FD14-1597F14A9778}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B490415F-65F8-B5C5-D8BA-9405FB12054B}]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
    "initnyuser"=-
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{B490415F-65F8-B5C5-D8BA-9405FB12054B}"=-
    "{7FD45A54-9875-698F-E56E-65102358FDF7}"=-
    "{3D698451-2015-6358-9871-2015987452D3}"=-
    "{74381DEC-D78B-43E4-BA5D-5244F669EBE4}"=-
    "{5E907A48-400E-4EA8-9792-FFAE052D59E9}"=-
    "{4F4F0064-71E0-4f0d-0003-708476C7815F}"=-
    "{25FD6584-698F-BCD2-602C-698745210352}"=-
    "{87FD640A-158F-48AC-FD14-1597F14A9778}"=-
    "{C0595A7E-2E2F-4B34-A83A-019270A0A464}"=-
    "{64FAE856-AD58-20CB-A025-CD4895FA6E46}"=-
    "{81AF1CF6-D1C9-4C6A-AC01-EDE54E71945B}"=-
    "{47AC9076-C898-B098-D098-A18319080974}"=-
    "{52023698-6984-8541-9654-698745012525}"=-
    "{00010001-0001-0001-0001-00010001BB15}"=-
    "{00030003-0003-0003-0003-00030003BB15}"=-
    "{00050005-0005-0005-0005-00050005BB15}"=-
    "{00040004-0004-0004-0004-00040004BB15}"=-
    "{00120012-0012-0012-0012-00120012BB15}"=-
    "{00330033-0033-0033-0033-00330033BB15}"=-
    "{00170017-0017-0017-0017-00170017BB15}"=-
    "{4F4F0064-71E0-4f0d-0021-708476C7815F}"=-
    "{B29583D8-033A-4B9F-8553-7C5458F3FB8E}"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "midimapgj"=-
    "cliconfgzx.dll"=-
    "catsrvwl.dll"=-
    "kbdswjr.dll"=-
    "tscfgwmijxsj.dll"=-
    "msobjstl.dll"=-
    "adsntzt.dll"=-
    "bootvidgj.dll"=-
    "midimappt"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options]
    
    Driver::
    hjjku3xohj
    tfj4g0kc8q
  • Save this as CFScript.txt and change the Save as type to All Files and place it on your desktop.


    [Screenshot: CFScript.gif]



  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply, along with a new HijackThis log.
CAUTION:
Do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do NOT adjust your time format while ComboFix is running.
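As an added example (not ComboFix's own code, and not part of the original post), the following parser reads a CFScript in the File::/Registry::/Driver:: format shown above and lists exactly what the script would delete, so the actions can be reviewed before the file is dragged onto ComboFix.exe. It assumes the .reg-style conventions visible in the script (a leading "-" inside the brackets deletes the whole key, `"name"=-` deletes a value); the sample input is a short excerpt of the script in this thread, and other CFScript directives are not handled.

```python
"""Review helper for ComboFix CFScript files (added example, not ComboFix code).

Handles the three sections used in the thread above:
  File::      one path per line, to be deleted
  Registry::  .reg-style lines; [-KEY] deletes a key, "name"=- deletes a value,
              "name"="data" sets a value
  Driver::    one service/driver name per line, to be removed
Any other section name is collected under `unknown` so it is not silently ignored.
"""
import re
from dataclasses import dataclass, field

# [KEY] or [-KEY]; the optional '-' means "delete this whole key".
KEY_RE = re.compile(r'^\[(-?)(.+)\]$')
# "name"=<data>; data of '-' means "delete this value".
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')


@dataclass
class CFScriptActions:
    files: list = field(default_factory=list)
    delete_keys: list = field(default_factory=list)
    delete_values: list = field(default_factory=list)   # (key, value name)
    set_values: list = field(default_factory=list)      # (key, value name, data)
    drivers: list = field(default_factory=list)
    unknown: list = field(default_factory=list)         # (section, line)


def parse_cfscript(text):
    """Return the actions encoded in a CFScript, grouped by kind."""
    actions = CFScriptActions()
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith('::'):                 # section header, e.g. Registry::
            section = line[:-2].lower()
            current_key = None
            continue
        if section == 'file':
            actions.files.append(line)
        elif section == 'driver':
            actions.drivers.append(line)
        elif section == 'registry':
            m = KEY_RE.match(line)
            if m:
                minus, key = m.groups()
                if minus:
                    actions.delete_keys.append(key)
                    current_key = None          # values under a deleted key are moot
                else:
                    current_key = key
                continue
            m = VALUE_RE.match(line)
            if m and current_key is not None:
                name, data = m.groups()
                if data == '-':
                    actions.delete_values.append((current_key, name))
                else:
                    actions.set_values.append((current_key, name, data.strip('"')))
            else:
                actions.unknown.append((section, line))
        else:
            actions.unknown.append((section, line))
    return actions


def summarize(actions):
    """One human-readable line per action, in script order within each kind."""
    out = [f'delete file: {p}' for p in actions.files]
    out += [f'delete key: {k}' for k in actions.delete_keys]
    out += [f'delete value "{n}" under {k}' for k, n in actions.delete_values]
    out += [f'set value "{n}"="{d}" under {k}' for k, n, d in actions.set_values]
    out += [f'remove driver/service: {d}' for d in actions.drivers]
    out += [f'UNHANDLED ({s}): {l}' for s, l in actions.unknown]
    return out


# Excerpt of the CFScript posted in the thread above (sample input for the demo).
SAMPLE = r"""
File::
C:\Program Files\Internet Explorer\PLUGINS\UnixSys08.Sys

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25FD6584-698F-BCD2-602C-698745210352}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"initnyuser"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Driver::
hjjku3xohj
"""

if __name__ == '__main__':
    for line in summarize(parse_cfscript(SAMPLE)):
        print(line)
```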
 

xxarlokxx

New Member
Vfind.exe was end-tasked...

ComboFix 08-07-05.1 - Steven C 2008-07-07 5:53:09.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.179 [GMT -4:00]
Running from: C:\Documents and Settings\Steven C\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Steven C\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Program Files\Internet Explorer\PLUGINS\UnixSys08.Sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Internet Explorer\PLUGINS\UnixSys08.Sys
C:\WINDOWS\system32\ijsgajba.sys
C:\WINDOWS\system32\toqnabib.sys
C:\WINDOWS\system32\wymxajkl.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_hjjku3xohj
-------\Service_tfj4g0kc8q


((((((((((((((((((((((((( Files Created from 2008-06-07 to 2008-07-07 )))))))))))))))))))))))))))))))
.

2008-07-06 13:38 . 2008-07-06 13:38 <DIR> d-------- C:\VundoFix Backups
2008-07-06 11:30 . 2008-07-06 13:24 77 --a------ C:\WINDOWS\system32\mywfhit.ini
2008-07-03 05:30 . 2008-07-06 13:25 <DIR> d-------- C:\WINDOWS\system32\inf
2008-06-28 02:21 . 2008-06-28 02:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-25 14:56 . 2008-06-25 14:56 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-06-25 14:49 . 2008-06-25 14:49 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-06-25 06:11 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-25 04:38 . 2007-07-09 09:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-06-25 03:59 . 2008-07-03 02:12 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-25 03:59 . 2008-07-03 02:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-25 03:33 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-06-25 02:09 . 2008-06-25 13:31 30,968 --a------ C:\Documents and Settings\Steven C\setupg.exe
2008-06-24 12:46 . 2008-01-05 16:53 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-24 08:14 . 2008-06-24 00:10 31,048 --------- C:\Documents and Settings\Steven C\setupd.exe
2008-06-24 06:47 . 2008-06-24 06:47 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-06-24 06:04 . 2008-06-28 01:39 49,152 --a------ C:\WINDOWS\system32\5A634FAC.DLL
2008-06-24 01:15 . 2008-06-24 01:16 <DIR> d-------- C:\Program Files\QuickTime
2008-06-24 01:13 . 2008-06-24 01:13 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-06-22 04:15 . 2008-06-22 04:15 <DIR> d-------- C:\Downloads
2008-06-22 04:15 . 2008-06-22 04:15 2,560 --a------ C:\WINDOWS\system32\bitcometres.dll
2008-06-22 04:14 . 2008-06-22 04:20 <DIR> d-------- C:\Program Files\BitComet

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-07 06:03 --------- d-----w C:\Program Files\Warcraft III
2008-07-06 15:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-06 11:23 --------- d-----w C:\Program Files\Steam
2008-06-24 05:18 --------- d-----w C:\Documents and Settings\Steven C\Application Data\Apple Computer
2008-06-24 05:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-22 08:02 --------- d-----w C:\Documents and Settings\Steven C\Application Data\uTorrent
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-21 16:47 --------- d-----w C:\Documents and Settings\Steven C\Application Data\Samsung
2008-05-21 06:11 --------- d-----w C:\Program Files\Samsung
2008-05-18 09:46 --------- d-----w C:\Program Files\Tales of Pirates Online
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 03:02 --------- d-----w C:\Program Files\SopCast
.

((((((((((((((((((((((((((((( snapshot@2008-06-28_ 2.52.24.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-08-17 17:52:30 18,688 -c--a-w C:\WINDOWS\system32\dllcache\cdaudio.sys
- 2001-08-23 12:00:00 18,688 ----a-w C:\WINDOWS\system32\drivers\cdaudio.sys
+ 2001-08-17 17:52:30 18,688 ----a-w C:\WINDOWS\system32\drivers\cdaudio.sys
- 2005-08-26 22:07:28 81,920 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe
+ 2007-05-02 15:11:12 72,968 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe
- 2005-08-30 05:46:16 81,920 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\2\SSM_Uninstall.exe
+ 2007-05-02 15:12:28 72,968 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\2\SSM_Uninstall.exe
- 2005-12-22 16:24:52 65,536 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\3\SSCDUninstall.exe
+ 2007-07-03 20:53:24 70,824 ----a-w C:\WINDOWS\system32\Samsung_USB_Drivers\3\SSCDUninstall.exe
+ 2006-03-17 00:38:01 28,672 ------w C:\WINDOWS\system32\verclsid.exe
- 2008-05-25 10:10:05 87,397 ----a-w C:\WINDOWS\War3Unin.dat
+ 2008-07-01 03:18:34 88,451 ----a-w C:\WINDOWS\War3Unin.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 20:04 139264]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 13:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 17:39 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-28 17:39 455168]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 18:49 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 04:23 75520]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-04 22:24 185896]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 06:48 157592]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
"EPSON Stylus CX1500 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE" [2004-03-22 13:00 99840]
"EPSON Stylus CX1500 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE" [2004-03-22 13:00 99840]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 23:32 208952]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 10:50 413696]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 13:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 15:01 88209 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 01:56 15360]

C:\Documents and Settings\Steven C\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-03-31 01:42 1271032 C:\Program Files\Steam\Steam.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Starcraft\\StarCraft.exe"=
"C:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaws.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\Program Files\\Steam\\Steam.exe"=
"C:\\Program Files\\Steam\\steamapps\\[email protected]\\counter-strike\\hl.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\Program Files\\Steam\\steamapps\\[email protected]\\day of defeat\\hl.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1700:TCP"= 1700:TCP:Utor1
"1720:TCP"= 1720:TCP:utorrent
"1720:UDP"= 1720:UDP:utorrent1
"12535:TCP"= 12535:TCP:BitComet 12535 TCP
"12535:UDP"= 12535:UDP:BitComet 12535 UDP

S3 epflt15;epflt15;C:\WINDOWS\system32\DRIVERS\epflt15.SYS [2004-10-09 16:10]
S3 esflt15;esflt15;C:\WINDOWS\system32\DRIVERS\esflt15.SYS [2004-11-16 19:52]
S3 sssdbus;SAMSUNG WMC Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sssdbus.sys [2007-07-05 12:37]
S3 sssdmdfl;SAMSUNG Modem Filter;C:\WINDOWS\system32\DRIVERS\sssdmdfl.sys [2007-07-05 12:37]
S3 sssdmdm;SAMSUNG Modem Driver;C:\WINDOWS\system32\DRIVERS\sssdmdm.sys [2007-07-05 12:37]
S3 sssdmgmt;SAMSUNG AT command Port Drivers (WDM);C:\WINDOWS\system32\DRIVERS\sssdmgmt.sys [2007-07-05 12:37]
S3 sssdobex;SAMSUNG OBEX Port Drivers (WDM);C:\WINDOWS\system32\DRIVERS\sssdobex.sys [2007-07-05 12:37]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-07 06:01:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-07-07 6:08:23 - machine was rebooted [Steven C]
ComboFix-quarantined-files.txt 2008-07-07 10:07:57
ComboFix2.txt 2008-07-06 10:06:56
ComboFix3.txt 2008-06-28 06:53:27

Pre-Run: 31,936,430,080 bytes free
Post-Run: 31,956,258,816 bytes free

178 --- E O F --- 2008-07-06 18:29:00
 

xxarlokxx

New Member
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:09:45 AM, on 7/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P26 "EPSON Stylus CX1500 Series" /O5 "LPT1:" /M "Stylus CX1500"
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P35 "EPSON Stylus CX1500 Series (Copy 1)" /O6 "USB001" /M "Stylus CX1500"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://stevenching28.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1214379191747
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162425286125
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{45ABDAA6-9586-4E5E-A01E-2E395570E348}: NameServer = 203.198.23.208 205.252.144.126
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 7653 bytes
 

ceewi1

VIP Member
Almost done now, just a few final leftovers.

Please delete the following files:
C:\WINDOWS\system32\mywfhit.ini
C:\Documents and Settings\Steven C\setupg.exe
C:\Documents and Settings\Steven C\setupd.exe

Please go to http://www.virustotal.com/, click on Browse, and upload the following file for analysis:

C:\WINDOWS\system32\5A634FAC.DLL

Then click Send File. Allow the file to be scanned, and then please copy and paste the results here for me to see.

If that scanner is busy, please use this one: http://virusscan.jotti.org
 

xxarlokxx

New Member
Is this the result you're looking for?


File has already been analysed:
MD5: 264eb04c9193885636f369331e76393e
First received: 05.05.2008 09:54:31 (CET)
Date: 06.23.2008 13:27:39 (CET) [>13D]
Results: 29/33
Permalink: analisis/e54e739a0c5544bd57835b4c902862cb
 

ceewi1

VIP Member
Yes, that's what I expected.

Delete this file as well:
C:\WINDOWS\system32\5A634FAC.DLL

How is your system running now?
 

xxarlokxx

New Member
It seems fine... the computer got faster; before it was horrible. =P
But then as for the keylogger... is it completely cleared?
Can I use this computer for banking stuff?
 

ceewi1

VIP Member
Those logs appear to be clean, but given the severity of the infection I would like to see the results of an online scan.

Please do a scan with Kaspersky Online Scanner

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
 

xxarlokxx

New Member
Here is the HijackThis log... I'll do the online scan now.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:05 AM, on 7/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P26 "EPSON Stylus CX1500 Series" /O5 "LPT1:" /M "Stylus CX1500"
O4 - HKLM\..\Run: [EPSON Stylus CX1500 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4V1.EXE /P35 "EPSON Stylus CX1500 Series (Copy 1)" /O6 "USB001" /M "Stylus CX1500"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://stevenching28.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1214379191747
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162425286125
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{45ABDAA6-9586-4E5E-A01E-2E395570E348}: NameServer = 203.198.23.208 205.252.144.126
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 7710 bytes
 

cohen

New Member
I did find this

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

Ceewi1, can you please confirm this.

xxarlokxx, we wait for you online scanner results.
 

xxarlokxx

New Member
here is the report....seems like a lot got infected...0.o...=\=\

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, July 8, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, July 08, 2008 04:32:20
Records in database: 924835
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 78677
Threat name: 57
Infected objects: 63
Suspicious objects: 0
Duration of the scan: 02:36:44


File name / Threat name / Threats count
C:\Documents and Settings\Steven C\.housecall6.6\Quarantine\ad[2].js.bac_a05644 Infected: not-a-virus:AdWare.Win32.BHO.aai 1
C:\Documents and Settings\Steven C\.housecall6.6\Quarantine\msupx1.aux.bac_a05644 Infected: Trojan-Downloader.Win32.Tiny.bfz 1
C:\Documents and Settings\Steven C\.housecall6.6\Quarantine\__wmisog1.log.bac_a05644 Infected: not-a-virus:AdWare.Win32.BHO.aai 1
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080629-065926-506.dll Infected: Trojan-PSW.Win32.QQPass.chg 1
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll.vir Infected: not-a-virus:AdWare.Win32.Cinmus.kif 1
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\IEXPLORE32.Dat.vir Infected: Trojan-Spy.Win32.Delf.cwy 1
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\IEXPLORE32.Sys.vir Infected: Trojan-Spy.Win32.Delf.cwx 1
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\IEXPLORE32.win.vir Infected: Trojan-Spy.Win32.Delf.cwz 1
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\PLUGINS\UnixSys08.Sys.vir Infected: Trojan-PSW.Win32.QQPass.clp 1
C:\QooBox\Quarantine\C\Program Files\Microsoft Office\SYSTEM\apcdli.sys.vir Infected: not-a-virus:AdWare.Win32.Cinmus.hpc 1
C:\QooBox\Quarantine\C\WINDOWS\system32\aitlasys.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.apms 1
C:\QooBox\Quarantine\C\WINDOWS\system32\axmsawin.exe.vir Infected: Trojan-GameThief.Win32.OnLineGames.rxxj 1
C:\QooBox\Quarantine\C\WINDOWS\system32\azzxaime.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.apil 1
C:\QooBox\Quarantine\C\WINDOWS\system32\cedafb.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.rzop 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ddserh.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.ryop 1
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\acpidisk.sys.vir Infected: Trojan-Dropper.Win32.Delf.boe 1
C:\QooBox\Quarantine\C\WINDOWS\system32\etshabty.exe.vir Infected: Trojan-GameThief.Win32.OnLineGames.rxwy 1
C:\QooBox\Quarantine\C\WINDOWS\system32\F411997C.EXE.vir Infected: Backdoor.Win32.Popwin.bfu 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ghwxattb.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.aphm 1
C:\QooBox\Quarantine\C\WINDOWS\system32\hdf453d.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.rxxu 1
C:\QooBox\Quarantine\C\WINDOWS\system32\hhrdxd.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.rxnx 1
C:\QooBox\Quarantine\C\WINDOWS\system32\isdsasrv.exe.vir Infected: Trojan-GameThief.Win32.OnLineGames.rxwy 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ismhasrv.exe.vir Infected: Trojan-GameThief.Win32.OnLineGames.saev 1
C:\QooBox\Quarantine\C\WINDOWS\system32\jbhxabyt.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.apnd 1
C:\QooBox\Quarantine\C\WINDOWS\system32\jfrwdh.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.rxvu 1
C:\QooBox\Quarantine\C\WINDOWS\system32\jkhxaklo.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.aqem 1
C:\QooBox\Quarantine\C\WINDOWS\system32\kcoin32.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.asft 1
C:\QooBox\Quarantine\C\WINDOWS\system32\kcoin32.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.arum 1
C:\QooBox\Quarantine\C\WINDOWS\system32\lofsdjbo.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.rxva 1
C:\QooBox\Quarantine\C\WINDOWS\system32\lojxadwd.exe.vir Infected: Trojan-GameThief.Win32.OnLineGames.rxxa 1
C:\QooBox\Quarantine\C\WINDOWS\system32\lpsgajba.exe.vir Infected: Trojan-GameThief.Win32.OnLineGames.rxxp 1
C:\QooBox\Quarantine\C\WINDOWS\system32\mfdesy.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.aruv 1
C:\QooBox\Quarantine\C\WINDOWS\system32\MMHADPQG1097.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.aqik 1
C:\QooBox\Quarantine\C\WINDOWS\system32\MMHADPQG1100.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.rzux 1
C:\QooBox\Quarantine\C\WINDOWS\system32\MMHADPQG1101.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.saqa 1
C:\QooBox\Quarantine\C\WINDOWS\system32\mnmhgsrv.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.rxxl 1
C:\QooBox\Quarantine\C\WINDOWS\system32\mpwdeapi.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.aprv 1
C:\QooBox\Quarantine\C\WINDOWS\system32\mtewdh.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.sbvy 1
C:\QooBox\Quarantine\C\WINDOWS\system32\oohxdbyt.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.apkv 1
C:\QooBox\Quarantine\C\WINDOWS\system32\opshcbty.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.rzcp 1
C:\QooBox\Quarantine\C\WINDOWS\system32\oswxdttb.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.aqba 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ozfyebyt.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.aqex 1
C:\QooBox\Quarantine\C\WINDOWS\system32\pjjxedwd.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.rxzj 1
C:\QooBox\Quarantine\C\WINDOWS\system32\pldhadwd.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.aqfs 1
C:\QooBox\Quarantine\C\WINDOWS\system32\posqatyu.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.aqgp 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ptjhehlp.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.apke 1
C:\QooBox\Quarantine\C\WINDOWS\system32\rfdswc.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.sakh 1
C:\QooBox\Quarantine\C\WINDOWS\system32\s2da2f323.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.ascd 1
C:\QooBox\Quarantine\C\WINDOWS\system32\simyaapi.exe.vir Infected: Trojan-GameThief.Win32.OnLineGames.rxxa 1
C:\QooBox\Quarantine\C\WINDOWS\system32\siwdaapi.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.apms 1
C:\QooBox\Quarantine\C\WINDOWS\system32\spjhahlp.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.apms 1
C:\QooBox\Quarantine\C\WINDOWS\system32\tdggrz.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.sadw 1
C:\QooBox\Quarantine\C\WINDOWS\system32\tisqatyu.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.aqhb 1
C:\QooBox\Quarantine\C\WINDOWS\system32\wklsdd.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.sabp 1
C:\QooBox\Quarantine\C\WINDOWS\system32\yxcschlp.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.rxya 1
C:\QooBox\Quarantine\C\WINDOWS\system32\zaztamsn.exe.vir Infected: Trojan-GameThief.Win32.OnLineGames.asbu 1
C:\QooBox\Quarantine\C\WINDOWS\system32\zgrjdx.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.sahx 1
C:\QooBox\Quarantine\C\WINDOWS\system32\zptlcsys.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.aplb 1
C:\QooBox\Quarantine\C\WINDOWS\system32\zxcsahlp.exe.vir Infected: Trojan-GameThief.Win32.OnLineGames.rxwy 1
C:\QooBox\Quarantine\C\WINDOWS\system32\zxmsdwin.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.rxxv 1
C:\QooBox\Quarantine\C\WINDOWS\system32\zycbdime.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.apjc 1
C:\QooBox\Quarantine\C\WINDOWS\system32\zyzxjime.dll.vir Infected: Trojan-PSW.Win32.OnLineGames.apja 1
C:\WINDOWS\system32\drivers\hjjku3xohj.sys Infected: Trojan-Downloader.Win32.Hmir.doj 1

The selected area was scanned.
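As an added example (not code from the thread or from any of the tools it mentions): a small Python parser for the Kaspersky Online Scanner 7 report format above. It separates detections that sit in quarantine or backup folders from detections at live paths, which is the first thing to check when a report like this looks alarming: HouseCall (Trend Micro), QooBox (ComboFix) and HijackThis all keep copies of what they removed, and the scanner flags those copies even though they are not running. The sample lines are a subset copied from the report above; the folder markers used to recognise quarantine locations are an assumption drawn from those paths.

```python
import re
from collections import Counter

# Detection lines copied from the Kaspersky Online Scanner 7 report above
# (a subset; the report header and statistics block are omitted).
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\Steven C\.housecall6.6\Quarantine\msupx1.aux.bac_a05644 Infected: Trojan-Downloader.Win32.Tiny.bfz 1
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080629-065926-506.dll Infected: Trojan-PSW.Win32.QQPass.chg 1
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\PLUGINS\UnixSys08.Sys.vir Infected: Trojan-PSW.Win32.QQPass.clp 1
C:\QooBox\Quarantine\C\WINDOWS\system32\kcoin32.dll.vir Infected: Trojan-GameThief.Win32.OnLineGames.asft 1
C:\QooBox\Quarantine\C\WINDOWS\system32\kcoin32.exe.vir Infected: Trojan-PSW.Win32.OnLineGames.arum 1
C:\WINDOWS\system32\drivers\hjjku3xohj.sys Infected: Trojan-Downloader.Win32.Hmir.doj 1

The selected area was scanned.
"""

# One detection line reads "<path> Infected: <threat name> <count>".  The path
# may contain spaces, so it is matched non-greedily up to the " Infected: " marker.
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Assumed markers for folders that hold already-neutralised copies: the
# HouseCall and QooBox quarantine folders and the HijackThis backup folder.
# Compared case-insensitively because Windows paths are.
QUARANTINE_MARKERS = (
    "\\quarantine\\",
    "\\hijackthis\\backups\\",
)


def is_quarantined(path: str) -> bool:
    """True when the path lies inside one of the known quarantine/backup folders."""
    low = path.lower()
    return any(marker in low for marker in QUARANTINE_MARKERS)


def parse_report(text: str) -> list:
    """Return one dict per detection line: path, threat name, threat count."""
    hits = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            hits.append({"path": m["path"], "threat": m["threat"], "count": int(m["count"])})
    return hits


def family(threat: str) -> str:
    """Drop the variant suffix: 'Trojan-PSW.Win32.QQPass.chg' -> 'Trojan-PSW.Win32.QQPass'."""
    return threat.rsplit(".", 1)[0]


def summarize(text: str) -> dict:
    """Split detections into quarantined copies and live paths, and count families."""
    hits = parse_report(text)
    active = [h["path"] for h in hits if not is_quarantined(h["path"])]
    quarantined = [h["path"] for h in hits if is_quarantined(h["path"])]
    families = Counter(family(h["threat"]) for h in hits)
    return {
        "total": len(hits),
        "quarantined": len(quarantined),
        "active": active,
        "families": families,
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    print(f"{summary['total']} detections, {summary['quarantined']} in quarantine/backup folders")
    print("Live paths still to deal with:")
    for path in summary["active"]:
        print("  ", path)
    print("Families seen:")
    for name, n in summary["families"].most_common():
        print(f"  {n:3d}  {name}")
```

Run against the full report pasted above, the script lists every QooBox, HouseCall and HijackThis entry under the quarantine count and leaves a single live path, the driver under C:\WINDOWS\system32\drivers, which is the item that still needs removal rather than the 62 copies already sitting in quarantine.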
 

cohen

New Member
What can I do?? :confused::(
Is it hard to get it fixed??

Well, I have not learnt this part yet; I'm learning a few things. I can do the starting things, and I'm sure it won't be too hard to fix. Wait for ceewi1 or punk or gamemaster; most likely it will be ceewi1 who comes along.
 

nobbly niblets

New Member
Heya xxarlokxx,

It will be hard to get fixed.

It will be a multifaceted process to repair your system. Unfortunately this will require multiple scans and multiple log postings on your part.

It is not surprising that an infection of this magnitude has infected your system. You download torrents and there is no evidence of an antivirus program or firewall on your system.

Use a tool to directly target the trojan horses appearing on your system.

Download SDFix to your desktop.

http://downloads.andymanchesta.com/R...ools/SDFix.exe

Double click SDFix.exe on your desktop and it will extract the files to the root directory where your operating system resides.

Next boot your pc into "Safe mode" using the f8 key during start-up.

Please do not use the msconfig method when booting into "Safe Mode" for malware removal, as this can cause a boot loop.

IN SAFE MODE

1) Open the extracted SDFix folder and double click RunThis to start the script. This can be found in the root directory usually C:\SDFix.

2) Type Y to begin the cleanup process.

3) It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.

4) Press any Key and it will restart the PC.

5) When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.

6) Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).

7) Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
 