Trojan Horse Explorit

SlyFly

New Member
A couple of minutes ago, I caught a Trojan Horse Explorit. It's currently in my AVG Virus Vault. Somehow, the virus is in Temporary Internet Files and My Documents. The "Heal" button in the toolbar isn't available. Does that mean it can't be healed or it already is healed? How can I get rid of this so it doesn't crash my computer?
 
If it's moved it to the Vault, it's fine, but if it's still detecting it it's installed on your computer.

Post a HijackThis log, and we'll take it from there:

To do so, download the HijackThis installer from http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe.

Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

Click Do a system scan and save a logfile

When the Notepad window opens choose Edit -> Select All to select the entire log, and copy and paste the log into a reply post.
Most of what it lists will be harmless or even essential; don't fix anything yet.
 
This is very strange. I started up my computer this morning and checked the Virus Vault. The trojans are no longer there, but now I have 3 tracking cookies? 2 TrackingCookie.2o7's and 1 TrackingCookie.Revsci. Very strange, and as you requested, I ran that HijackThis program and here's what it came up with.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:11:32 PM, on 11/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\divxsm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.blackle.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [EnvyHFCPL] C:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe 1
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Block Level Filtering Service - Unknown owner - C:\WINDOWS\svchost.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5283 bytes
 
It looks like you're still infected, and I'd like to get some more information about this infection before removing it.

Please go to http://virusscan.jotti.org, click on Browse, and upload the following file for analysis:

C:\WINDOWS\svchost.exe


Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

If that scanner is busy, please use this one: http://www.virustotal.com/
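The entry that prompts this request is `O23 - Service: Block Level Filtering Service - Unknown owner - C:\WINDOWS\svchost.exe` in the log above: the genuine svchost.exe lives in C:\WINDOWS\system32, so a file of that name one directory up, registered as a service with no vendor, is a classic masquerading indicator. As an added example (not code from this thread, from HijackThis, or from AVG), here is a small Python triage script that applies that check to the "Running processes" and O23 sections of a HijackThis log. The sample log, the list of system32-only binary names, and the default system root of C:\WINDOWS are assumptions made for the example.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2 log format (not the thread's actual log);
# it mixes legitimate entries with the kind of masquerading entry discussed above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Block Level Filtering Service - Unknown owner - C:\WINDOWS\svchost.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Core Windows binaries that legitimately live only in %SystemRoot%\system32
# (assumed list for this example). The same file name anywhere else is suspicious.
SYSTEM32_ONLY = {
    "svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
    "smss.exe", "csrss.exe", "spoolsv.exe",
}

# HijackThis O23 line: "O23 - Service: <name> - <owner> - <path>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)\s*$")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    source: str     # "process" or "service"
    path: str
    reason: str


def is_masquerade(path, system_root="C:\\WINDOWS"):
    """True if the file name is a system32-only binary but the directory is not system32."""
    parent, base = ntpath.split(path)
    if base.lower() not in SYSTEM32_ONLY:
        return False
    expected = ntpath.join(system_root, "system32").lower()
    return ntpath.normpath(parent).lower() != expected


def triage_hijackthis(log_text, system_root="C:\\WINDOWS"):
    """Scan the 'Running processes' block and O23 service lines of a HijackThis log."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:                      # blank line ends the process block
                in_processes = False
                continue
            if is_masquerade(line, system_root):
                findings.append(Finding("high", "process", line,
                                        "core system binary name running outside system32"))
            continue
        m = O23_RE.match(line)
        if not m:
            continue
        name, owner, path = m.group("name", "owner", "path")
        masquerade = is_masquerade(path, system_root)
        unknown_owner = owner.lower() == "unknown owner"
        if masquerade:
            findings.append(Finding("high", "service", path,
                                    f"service '{name}': system binary name outside system32"
                                    + (", no vendor" if unknown_owner else "")))
        elif unknown_owner:
            findings.append(Finding("medium", "service", path,
                                    f"service '{name}': no vendor information"))
    return findings


if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_LOG):
        print(f"[{f.severity}] {f.source}: {f.path} -- {f.reason}")
```

Run on the sample, the script reports the rogue process and the rogue service as high severity and stays silent on the AVG and NVIDIA services, which is the same judgement the helper made by eye. A real triage would go on to hash the flagged file and submit it to a multi-engine scanner, as the next step in the thread does.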
 
I really appreciate you helping me. :D

Antivirus Version Last Update Result
AhnLab-V3 2007.12.13.10 2007.12.12 -
AntiVir 7.6.0.40 2007.12.12 -
Authentium 4.93.8 2007.12.12 -
Avast 4.7.1098.0 2007.12.12 -
AVG 7.5.0.503 2007.12.12 -
BitDefender 7.2 2007.12.12 -
CAT-QuickHeal 9.00 2007.12.12 -
ClamAV 0.91.2 2007.12.12 -
DrWeb 4.44.0.09170 2007.12.12 -
eSafe 7.0.15.0 2007.12.12 -
eTrust-Vet 31.3.5372 2007.12.12 -
Ewido 4.0 2007.12.12 -
FileAdvisor 1 2007.12.13 -
Fortinet 3.14.0.0 2007.12.12 -
F-Prot 4.4.2.54 2007.12.12 -
F-Secure 6.70.13030.0 2007.12.12 -
Ikarus T3.1.1.12 2007.12.12 -
Kaspersky 7.0.0.125 2007.12.12 -
McAfee 5184 2007.12.12 -
Microsoft 1.3007 2007.12.12 -
NOD32v2 2720 2007.12.12 -
Norman 5.80.02 2007.12.12 -
Panda 9.0.0.4 2007.12.12 -
Prevx1 V2 2007.12.13 Trojan.SystemPoser
Rising 20.22.22.00 2007.12.12 -
Sophos 4.24.0 2007.12.12 -
Sunbelt 2.2.907.0 2007.12.12 -
Symantec 10 2007.12.12 -
TheHacker 6.2.9.157 2007.12.12 -
VBA32 3.12.2.5 2007.12.10 -
VirusBuster 4.3.26:9 2007.12.12 -
Webwasher-Gateway 6.6.2 2007.12.12 -
Additional information
File size: 204800 bytes
MD5: a67111eea12e982d27d23e9803e04c41
SHA1: 854930b1d66157cc442b27650e4ce9a708afb8f8
PEiD: Armadillo v1.71
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=CC7C3CD900DA307420C603A867B84D008817F4DE
 
Glad to help. Please run HijackThis and choose Do a system scan only.

Place a check next to the following entry:
  • O23 - Service: Block Level Filtering Service - Unknown owner - C:\WINDOWS\svchost.exe
Please close all open windows except for HijackThis and choose Fix checked.

I'd like you to run another scan, since I'm a little suspicious of those results:

1. Please download this file - Combofix to your desktop
2. Double click ComboFix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply together with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
 
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\svchost.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-13 to 2007-12-13 )))))))))))))))))))))))))))))))
.

2007-12-12 19:39 . 2007-12-12 19:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ashampoo
2007-12-12 19:36 . 2007-12-12 19:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ashampoo
2007-12-11 13:11 . 2007-12-11 13:11 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-11 11:03 . 2007-12-11 11:03 110,592 --a------ C:\WINDOWS\system32\avgfwafu.dll
2007-12-11 11:03 . 2007-12-11 11:03 9,216 --a------ C:\WINDOWS\system32\avgwlntf.dll
2007-12-11 00:16 . 2007-12-11 00:16 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-11 00:16 . 2007-12-13 00:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-12-11 00:15 . 2007-12-11 00:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-10 23:25 . 2007-12-11 11:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-09 15:34 . 2007-12-09 15:34 <DIR> d-------- C:\Program Files\DivX
2007-12-06 18:17 . 2007-12-06 18:17 <DIR> d-------- C:\Program Files\CCleaner
2007-12-05 23:43 . 2007-12-05 23:43 <DIR> d-------- C:\Program Files\Uniblue
2007-12-03 17:33 . 2007-12-03 17:33 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-12-03 17:33 . 2007-12-03 17:33 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-12-03 17:33 . 2007-12-03 17:33 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-12-03 17:33 . 2007-12-03 17:33 682,496 --a------ C:\WINDOWS\system32\DivX.dll
2007-12-03 17:33 . 2007-12-03 17:33 630,784 --a------ C:\WINDOWS\system32\divxdec.ax
2007-12-03 15:25 . 2007-12-03 16:13 <DIR> d-------- C:\Program Files\SpacialAudio
2007-12-01 18:11 . 2007-12-01 18:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Insight Software Solutions
2007-12-01 18:11 . 2007-12-01 18:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Insight Software
2007-11-29 14:30 . 2007-11-29 14:30 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-11-29 14:30 . 2007-11-29 14:30 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-11-29 14:30 . 2007-11-29 14:30 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2007-11-29 14:28 . 2007-11-29 14:28 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-11-29 14:28 . 2007-11-29 14:28 81,920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-11-29 14:28 . 2007-11-29 14:28 416 --a------ C:\WINDOWS\system32\dtu100.dll.manifest
2007-11-29 14:28 . 2007-11-29 14:28 416 --a------ C:\WINDOWS\system32\dpl100.dll.manifest
2007-11-28 13:55 . 2007-11-28 13:55 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-11-28 13:53 . 2007-11-28 13:53 593,920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-11-28 13:53 . 2007-11-28 13:53 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax
2007-11-28 13:53 . 2007-11-28 13:53 344,064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-11-28 13:53 . 2007-11-28 13:53 294,912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-11-28 13:53 . 2007-11-28 13:53 294,912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-11-28 13:53 . 2007-11-28 13:53 57,344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-11-28 13:53 . 2007-11-28 13:53 53,248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-11-28 13:52 . 2007-11-28 13:52 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-11-22 08:42 . 2007-11-24 13:51 <DIR> d-------- C:\Fraps
2007-11-22 08:42 . 2007-12-12 21:20 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-21 10:23 . 2007-11-21 10:23 81,920 --a------ C:\WINDOWS\system32\frapsvid.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-11 08:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-11 08:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-12-11 02:22 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire
2007-12-11 00:52 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Azureus
2007-12-08 00:08 --------- d-----w C:\Program Files\Azureus
2007-12-06 07:46 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-06 07:46 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Uniblue
2007-11-29 22:30 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-11-29 22:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-11-25 07:36 --------- d-----w C:\Documents and Settings\Administrator\Application Data\gtk-2.0
2007-11-13 10:25 20,480 ----a-r C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-13 06:38 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2007-11-13 06:33 --------- d-----w C:\Program Files\Windows Live
2007-11-13 06:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-05 03:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Uniblue
2007-11-05 00:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-05 00:03 --------- d-----w C:\Program Files\SlySoft
2007-11-05 00:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\SlySoft
2007-11-04 22:02 0 ----a-w C:\$RJ$.DAT
2007-11-01 19:44 --------- d-----w C:\Program Files\Java
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-25 00:52 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-10-25 00:44 --------- d-----w C:\Program Files\Rockstar Games
2007-10-24 20:31 --------- d--h--w C:\Documents and Settings\Administrator\Application Data\ijjigame
2007-10-18 23:36 --------- d-----w C:\Program Files\TryMedia
2007-10-18 19:31 51,224 ----a-w C:\WINDOWS\system32\sirenacm.dll
2007-10-17 19:19 --------- d-----w C:\Program Files\CyberLink
2007-10-17 19:16 --------- d-----w C:\Documents and Settings\LocalService\Application Data\CyberLink
2007-10-17 19:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2007-10-17 19:14 --------- d-----w C:\Documents and Settings\Administrator\Application Data\CyberLink
2007-10-17 19:07 4,184 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-10-14 18:13 --------- d-----w C:\Documents and Settings\Administrator\Application Data\DAEMON Tools Pro
2007-10-14 18:10 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-10-14 06:15 --------- d-----w C:\Documents and Settings\Administrator\Application Data\InfraRecorder
2007-10-13 18:59 --------- d-----w C:\Program Files\LimeWire
2007-10-13 05:26 --------- d-----w C:\Program Files\AC3Filter
2007-10-13 04:09 --------- d-----w C:\Documents and Settings\Administrator\Application Data\IGN_DLM
2007-09-23 18:50 77,824 ----a-w C:\WINDOWS\system32\ws232.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 17:07]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 17:07 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-06-28 23:43 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-03 17:07 C:\WINDOWS\system32\rundll32.exe]
"EnvyHFCPL"="C:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe" [2007-03-15 09:52]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-11 00:15]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-11 00:15]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-12-11 11:03 9216 C:\WINDOWS\system32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpyEraser]
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe -m

R2 Block Level Filtering Service;Block Level Filtering Service;C:\WINDOWS\svchost.exe
R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;C:\WINDOWS\system32\drivers\Envy24HF.sys

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-12-12 08:04:56 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-13 11:44:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
EnvyHFCPL = C:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe 1?????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-13 11:45:14
.
2007-12-11 19:07:41 --- E O F ---
 
Looking better. Please click on Start -> Run. Type the following command and click OK:
sc delete "Block Level Filtering Service"

Please post a new HijackThis log.
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.blackle.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [EnvyHFCPL] C:\Program Files\VIA\VIAudioi\EnvyADeck\EnMixCPL.exe 1
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5014 bytes
 
Excellent, your logfile appears to be clean. There are a couple of entries that can be removed as cleanup, though:

Please run HijackThis and choose Do a system scan only.

Place a check next to the following entries:
  • O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
  • O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
Please close all open windows except for HijackThis and choose Fix checked.

Below I have included some ideas on how to prevent future infections.

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

Please navigate to http://windowsupdate.microsoft.com and download all the Critical Updates for Windows. These will patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's
Immunize and TeaTimer features if you don't have the resident part of another anti-spyware program running.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

If you use Internet Explorer, it is a good idea to use IE-Spyad which provides protections against malicious websites.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster and IE-Spyad can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money, and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it, and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and are looking for anti-spyware programs, you can find out if one is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker, and add-ons like NoScript can make it even more secure. Opera is another good option.
If you are interested, Firefox may be downloaded from here
Opera is available here: http://www.opera.com/download/

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. :)
 