diksi

Kryptik.abx - Help me to remove this trojan

14 posts in this topic

Please help me remove Kryptik.abx from my computer. This is the log file:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:46:09, on 03.12.2009 г.

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\PowerISO\PWRISOVM.EXE

C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ASTSRV.EXE

C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe

C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\PROGRA~1\MICROS~2\rapimgr.exe

c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.blogger.com/start

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R3 - URLSearchHook: (no name) - - (no file)

R3 - URLSearchHook: FlyOrDie Games Toolbar - {70a732af-f392-4ed8-823a-85fd644d4d92} - C:\Program Files\FlyOrDie_Games\tbFlyO.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: FlyOrDie Games Toolbar - {70a732af-f392-4ed8-823a-85fd644d4d92} - C:\Program Files\FlyOrDie_Games\tbFlyO.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: FlyOrDie Games Toolbar - {70a732af-f392-4ed8-823a-85fd644d4d92} - C:\Program Files\FlyOrDie_Games\tbFlyO.dll

O4 - HKLM\..\Run: [siSUSBRG] "C:\WINDOWS\SiSUSBrg.exe"

O4 - HKLM\..\Run: [Cmaudio] "C:\WINDOWS\system32\rundll32.exe" cmicnfg.dll,CMICtrlWnd

O4 - HKLM\..\Run: [smcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui

O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files\PowerISO\PWRISOVM.EXE"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Nikon Transfer Monitor] "C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe"

O4 - HKLM\..\Run: [uVS12 Preload] C:\Program Files\Corel\Corel VideoStudio 12\uvPL.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe

O4 - HKLM\..\RunServices: [hotefix] msnnmaneger.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [photo_id] C:\Documents and Settings\pc\photo_id.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [hotefix] msnnmaneger.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [hotefix] msnnmaneger.exe (User 'Default user')

O4 - Startup: algqeh32.exe

O4 - Startup: PowerReg Scheduler.exe

O8 - Extra context menu item: &Use webcow on this Page - C:\DOCUME~1\pc\LOCALS~1\Temp\Rar$EX00.086\wcie.iemenu.htm

O8 - Extra context menu item: &С&валяне &с BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &С&валяне на всички с BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: &С&валяне на всичкото видео с BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm

O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm

O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm

O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Use webcow on this &Selection - C:\DOCUME~1\pc\LOCALS~1\Temp\Rar$EX00.086\wcie.iemenu2.htm

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll/206 (file missing)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201090713088

O16 - DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} (Settings Class) - https://www.dskdirect.bg/com/capicom.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Nalpeiron Licensing Service (ASTSRV) - Nalpeiron Ltd. - C:\WINDOWS\system32\ASTSRV.EXE

O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

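To show what a helper scans for in a log like the one above, here is a small triage script (an added example, not code from the thread or from HijackThis) that parses O4 autostart and O23 service lines and flags the ones worth a second look. The sample lines are copied from the posted log; the flag heuristics (missing file, unknown publisher, legacy RunServices key, bare filename without a path, user-profile location, Startup-folder item) are this example's own assumptions, not rules defined by HijackThis.

```python
"""Triage helper for HijackThis O4 (autostart) and O23 (service) lines.

Added example, not code from the thread or from HijackThis. The sample
lines are copied from the log posted above; the flag reasons are this
example's own heuristics (assumptions), not rules defined by HijackThis.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Lines copied verbatim from the posted HijackThis log.
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [siSUSBRG] "C:\WINDOWS\SiSUSBrg.exe"',
    r'O4 - HKLM\..\Run: [Cmaudio] "C:\WINDOWS\system32\rundll32.exe" cmicnfg.dll,CMICtrlWnd',
    r"O4 - HKLM\..\RunServices: [hotefix] msnnmaneger.exe",
    r"O4 - HKUS\S-1-5-18\..\RunOnce: [hotefix] msnnmaneger.exe (User 'SYSTEM')",
    r"O4 - HKCU\..\Run: [photo_id] C:\Documents and Settings\pc\photo_id.exe",
    r"O4 - Startup: algqeh32.exe",
    r"O23 - Service: Nalpeiron Licensing Service (ASTSRV) - Nalpeiron Ltd. - C:\WINDOWS\system32\ASTSRV.EXE",
    r"O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe (file missing)",
]

O4_REG = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<cmd>.+)$")
O23_SVC = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
USER_SUFFIX = re.compile(r"\s*\(User '[^']*'\)$")
# First image on the command line: a quoted path, or text up to the first executable extension.
FIRST_IMAGE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|dll|sys|com|scr|bat|cmd)))', re.I)
# System binaries commonly launched by bare name (assumption, not an authoritative list).
BARE_NAME_OK = {"rundll32.exe", "ctfmon.exe"}


@dataclass
class Entry:
    section: str                 # "O4" or "O23"
    key: str                     # Run / RunOnce / RunServices / Startup / Service
    name: str                    # value name, startup file name or service display name
    image: str                   # executable as written in the log
    owner: str = ""              # O23 publisher column
    missing: bool = False        # HijackThis appended "(file missing)"
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def first_image(cmd: str) -> str:
    m = FIRST_IMAGE.match(cmd.strip())
    return (m["q"] or m["u"]) if m else cmd.strip()


def parse_line(line: str) -> Optional[Entry]:
    line = line.strip()
    if m := O4_REG.match(line):
        cmd = USER_SUFFIX.sub("", m["cmd"])       # drop the "(User 'SYSTEM')" suffix
        return Entry("O4", m["key"], m["name"], first_image(cmd))
    if m := O4_STARTUP.match(line):
        return Entry("O4", m["key"], m["cmd"], m["cmd"])
    if m := O23_SVC.match(line):
        path = m["path"]
        return Entry("O23", "Service", m["name"], first_image(path),
                     owner=m["owner"], missing=path.endswith("(file missing)"))
    return None   # other HijackThis sections are not handled here


def assess(e: Entry) -> Entry:
    """Attach heuristic reasons; an entry with no reasons is left for manual review only."""
    img = e.image.lower()
    if e.missing:
        e.reasons.append("referenced file is missing (leftover or half-removed entry)")
    if e.owner.lower() == "unknown owner":
        e.reasons.append("service carries no publisher information")
    if e.key.lower().startswith("runservices"):
        e.reasons.append("RunServices is a Win9x-era key; software for NT-based Windows has no reason to write it")
    if "startup" in e.key.lower():
        e.reasons.append("Startup-folder item: verify what placed it there")
    elif "\\" not in img and img not in BARE_NAME_OK:
        e.reasons.append("bare filename with no path: resolved through the PATH search order")
    if "\\documents and settings\\" in img or "\\temp\\" in img:
        e.reasons.append("runs from a user-profile or temp location")
    return e


def triage(lines) -> List[Entry]:
    return [assess(e) for e in map(parse_line, lines) if e is not None]


def flagged_names(lines) -> List[str]:
    return [e.name for e in triage(lines) if e.suspicious]


if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        mark = "!!" if e.suspicious else "  "
        print(f"{mark} {e.section} {e.key:<12} {e.name:<35} {e.image}")
        for r in e.reasons:
            print(f"       - {r}")
```

Running it on the eight sample lines flags both hotefix entries, photo_id, algqeh32.exe and the MSDisk service, while the SiS, C-Media and Nalpeiron entries pass all heuristics.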

Any ideas, anyone?

 

EDIT: Our helpers are all volunteers and have lives offline to live... They work as quickly as they can to help as many people as they can, but a wait of 3 days or more is not unusual... If you have been waiting for 3 days, the SWI Bot will post a message about how to get attention... It does NOT help to bump your topic since our helpers don't rely on the list of recent posts to determine who to help... They typically help the people who have waited the longest and if you keep bumping your post, it will look like you haven't been waiting at all... Please have patience... Thank you...

Edited by Budfred


Hi diksi,

 

Welcome to SWI. I am jimi, and I will be helping you.

 

Sorry it has taken so long to get to you, but the board has been very busy lately, and all the Helpers here are volunteers.

 

 

Please download TFC.exe - Temp File Cleaner by OldTimer:

  • Save it to your Desktop.
  • Close any open windows, save your work,
  • Double click the TFC icon to run the program,
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process,
  • Allow TFC to run uninterrupted,
  • The program should not take long to finish its job,
  • Once it's finished, click OK to reboot.

 

 

Please visit this webpage for download links, and instructions for running ComboFix.exe:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.

Please post the ComboFix report (C:\ComboFix.txt) along with a new HijackThis log.

 

 

 

Is your computer performing normally?

 

jimi.


Hi, Jimi.

 

This is the log file. I think the PC works better now.

 

ComboFix 09-12-05.03 - pc 12.2009 г. 10:58.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1251.359.1033.18.511.253 [GMT 2:00]

Running from: c:\documents and settings\pc\Desktop\ComboFix.exe

AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

FW: Sygate Personal Firewall Pro *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

SP: Spy Emergency *disabled* (Updated) {82117492-906E-4b02-A33A-84D42A2DD907}

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\NetworkService\oashdihasidhasuidhiasdhiashdiuasdhasd

c:\documents and settings\pc\Application Data\inst.exe

c:\documents and settings\pc\oashdihasidhasuidhiasdhiashdiuasdhasd

c:\documents and settings\pc\Start Menu\Programs\Startup\algqeh32.exe

c:\windows\system32\_id.dat

c:\windows\system32\config\systemprofile\oashdihasidhasuidhiasdhiashdiuasdhasd

c:\windows\system32\drivers\downld

c:\windows\system32\hlvdd.dll

 

Infected copy of c:\windows\system32\Drivers\atapi.sys was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_MSDISK

-------\Service_MSDisk

 

 

((((((((((((((((((((((((( Files Created from 2009-11-06 to 2009-12-06 )))))))))))))))))))))))))))))))

.

 

2009-12-03 17:45 . 2009-12-03 17:45 -------- d-----w- c:\program files\Trend Micro

2009-12-02 13:00 . 2009-12-02 13:11 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-11-28 15:28 . 2000-05-24 22:19 61440 ----a-w- c:\windows\system32\GkSui18.EXE

2009-11-28 15:28 . 2009-11-28 15:30 -------- d-----w- C:\AntoTut

2009-11-28 15:13 . 2009-11-28 15:13 -------- d-----w- C:\DIgSILENT

2009-11-27 12:56 . 2009-11-27 12:56 152576 ----a-w- c:\documents and settings\pc\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

2009-11-27 12:56 . 2009-11-27 12:56 79488 ----a-w- c:\documents and settings\pc\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2009-11-16 19:33 . 2009-11-09 12:24 2214132 ----a-w- c:\documents and settings\pc\Application Data\WeatherPulse\wpdata.exe

2009-11-16 19:33 . 2009-11-16 19:36 -------- d-----w- c:\documents and settings\pc\Application Data\WeatherPulse

2009-11-16 19:31 . 2009-11-16 19:33 -------- d-----w- c:\program files\Weather Pulse 2.2.4.0

2009-11-14 16:08 . 2009-11-14 16:11 4856 ----a-w- c:\windows\system32\drivers\6D20A3BF.bin

2009-11-14 16:08 . 2009-11-14 16:08 259584 ----a-w- c:\windows\system32\drivers\XHASP.sys

2009-11-14 15:52 . 2009-11-14 15:54 -------- d-----w- c:\program files\EPLAN

2009-11-14 15:52 . 2009-11-14 15:54 -------- d-----w- c:\documents and settings\All Users\Application Data\EPLAN

2009-11-14 15:51 . 2006-11-22 08:01 693760 ----a-w- c:\windows\system32\drivers\hardlock.sys

2009-11-14 15:51 . 2006-12-20 08:00 671112 ----a-w- c:\windows\system32\hdinst_windows.dll

2009-11-14 15:51 . 2006-11-30 09:06 69632 ----a-w- c:\windows\system32\hasp_inst_help1.dll

2009-11-14 15:51 . 2003-06-13 18:35 28672 ----a-w- c:\windows\system32\hlduinst.exe

2009-11-14 15:51 . 2006-12-20 08:00 2511360 ----a-w- c:\windows\system32\haspds_windows.dll

2009-11-14 15:51 . 2003-06-13 18:34 3149312 ----a-w- c:\windows\system32\hinstd.dll

2009-11-14 15:51 . 2001-09-28 16:00 164864 ----a-w- c:\windows\system32\UNWISE.EXE

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-12-06 09:30 . 2008-01-23 12:07 -------- d-----w- c:\documents and settings\pc\Application Data\Skype

2009-12-06 06:57 . 2008-01-23 12:10 -------- d-----w- c:\documents and settings\pc\Application Data\skypePM

2009-12-04 20:27 . 2008-01-22 18:25 -------- d-----w- c:\program files\BitComet

2009-12-04 17:34 . 2009-04-11 08:25 -------- d-----w- c:\documents and settings\pc\Application Data\DC++

2009-12-02 15:21 . 2008-02-09 18:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-11-29 15:33 . 2009-11-29 15:33 12 ----a-w- c:\windows\system32\config\systemprofile\Application Data\cbqozg.dat

2009-11-29 15:33 . 2009-11-29 15:33 4 ----a-w- c:\documents and settings\pc\Application Data\avdrn.dat

2009-11-28 15:12 . 2009-11-28 15:12 0 ----a-w- c:\windows\system32\drivers\digcreate.dir

2009-11-28 07:41 . 2008-01-22 17:54 -------- d-----w- c:\program files\Opera

2009-11-27 12:58 . 2009-05-10 15:46 -------- d-----w- c:\program files\Java

2009-11-08 14:04 . 2008-12-18 19:42 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT

2009-11-01 12:03 . 2009-11-01 12:03 152576 ----a-w- c:\documents and settings\pc\Application Data\Sun\Java\jre1.6.0_16\lzma.dll

2009-11-01 11:55 . 2009-11-01 11:55 -------- d-----w- c:\program files\FlyOrDie_Games

2009-11-01 11:55 . 2009-11-01 11:55 -------- d-----w- c:\program files\Conduit

2009-11-01 10:13 . 2008-01-23 13:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-11-01 07:30 . 2009-10-31 15:01 -------- d-----w- c:\documents and settings\pc\Application Data\Free Download Manager

2009-10-31 19:34 . 2009-10-31 14:22 -------- d-----w- c:\program files\Panda Security

2009-10-31 16:17 . 2009-10-31 15:01 -------- d-----w- c:\program files\Free Download Manager

2009-10-18 08:37 . 2009-05-06 14:02 -------- d-----w- c:\program files\Common Files\LightScribe

2009-10-18 08:37 . 2009-10-18 08:37 -------- d-----w- c:\documents and settings\pc\Application Data\Ahead

2009-10-11 02:17 . 2009-11-01 12:04 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-08-09 21:14 . 2009-08-09 21:14 49152 ----a-w- c:\program files\mozilla firefox\components\SuperSearchXPCOM.dll

.

 

------- Sigcheck -------

 

[-] 2008-01-28 . 3F89432724DC5D72689E16F3354BCCFC . 360064 . . [5.1.2600.3244] . . c:\windows\system32\drivers\TCPIP.SYS

[-] 2008-01-28 . 3F89432724DC5D72689E16F3354BCCFC . 360064 . . [5.1.2600.3244] . . c:\windows\system32\dllcache\TCPIP.SYS

[-] 2008-01-24 . 28F288E08A098DF3C0EB6AA813BB41FD . 359040 . . [5.1.2600.2180] . . c:\windows\ServicePackFiles\i386\TCPIP.SYS

[-] 2008-01-23 . 28F288E08A098DF3C0EB6AA813BB41FD . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB941644$\tcpip.sys

[7] 2007-10-30 . 64798ECFA43D78C7178375FCDD16D8C8 . 360832 . . [5.1.2600.3244] . . c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys

[7] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys

[-] 2001-08-23 . E7774698BB0D14B0710A9A31E209F9B6 . 327168 . . [5.1.2600.0] . . c:\windows\$NtServicePackUninstall$\tcpip.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{70a732af-f392-4ed8-823a-85fd644d4d92}"= "c:\program files\FlyOrDie_Games\tbFlyO.dll" [2009-10-27 2325528]

 

[HKEY_CLASSES_ROOT\clsid\{70a732af-f392-4ed8-823a-85fd644d4d92}]

 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{70a732af-f392-4ed8-823a-85fd644d4d92}]

2009-10-27 09:45 2325528 ----a-w- c:\program files\FlyOrDie_Games\tbFlyO.dll

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{70a732af-f392-4ed8-823a-85fd644d4d92}"= "c:\program files\FlyOrDie_Games\tbFlyO.dll" [2009-10-27 2325528]

 

[HKEY_CLASSES_ROOT\clsid\{70a732af-f392-4ed8-823a-85fd644d4d92}]

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{70A732AF-F392-4ED8-823A-85FD644D4D92}"= "c:\program files\FlyOrDie_Games\tbFlyO.dll" [2009-10-27 2325528]

 

[HKEY_CLASSES_ROOT\clsid\{70a732af-f392-4ed8-823a-85fd644d4d92}]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2009-04-16 24264488]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-04-26 102400]

"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2005-09-27 2635472]

"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]

"nwiz"="nwiz.exe" [2006-10-22 1622016]

"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-09-30 485208]

"UVS12 Preload"="c:\program files\Corel\Corel VideoStudio 12\uvPL.exe" [2008-06-09 397456]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-04-09 2029640]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

 

c:\documents and settings\pc\Start Menu\Programs\Startup\

PowerReg Scheduler.exe [2009-8-16 256000]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\eMule\\emule.exe"=

"c:\\Program Files\\DC++\\DCPlusPlus.exe"=

"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=

"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=

"c:\\Program Files\\Opera\\opera.exe"=

"c:\\Program Files\\River Past\\Windows Mobile Recorder\\WmRecorder.exe"=

"c:\\Program Files\\Windows Mobile 6 SDK\\Tools\\Cellular Emulator\\Cellular Emulator.exe"=

"c:\\Program Files\\ICQ6.5\\ICQ.exe"=

"c:\\Program Files\\EPLAN\\Electric P8\\1.9.5\\BIN\\W3u.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"15492:TCP"= 15492:TCP:BitComet 15492 TCP

"15492:UDP"= 15492:UDP:BitComet 15492 UDP

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

 

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [09.4.2009 г. 15:18 107256]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [21.12.2007 г. 08:21 94360]

R2 ASTSRV;Nalpeiron Licensing Service;c:\windows\system32\ASTSRV.EXE [16.8.2009 г. 17:20 57344]

R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [09.4.2009 г. 15:19 731840]

R3 tenCapture;tenCapture;c:\windows\system32\drivers\tenCapture.sys [21.4.2007 г. 16:15 9344]

R3 xpvcom;XPVCOM Port;c:\windows\system32\drivers\XPVCOM.sys [23.3.2007 г. 01:00 30032]

S3 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]

S3 esihdrv;esihdrv;\??\c:\docume~1\pc\LOCALS~1\Temp\esihdrv.sys --> c:\docume~1\pc\LOCALS~1\Temp\esihdrv.sys [?]

S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [10.4.2009 г. 07:41 138112]

S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [10.4.2009 г. 07:41 8320]

S3 RkPavproc1;RkPavproc1;c:\windows\system32\drivers\RkPavproc1.sys [31.10.2009 г. 16:34 16648]

S3 XHASP;XHASP;c:\windows\system32\drivers\XHASP.sys [14.11.2009 г. 18:08 259584]

.

------- Supplementary Scan -------

.

uStart Page = https://www.blogger.com/start

IE: &Use webcow on this Page - c:\docume~1\pc\LOCALS~1\Temp\Rar$EX00.086\wcie.iemenu.htm

IE: &С&валяне &с BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm

IE: &С&валяне на всички с BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm

IE: &С&валяне на всичкото видео с BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm

IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm

IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm

IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

IE: Use webcow on this &Selection - c:\docume~1\pc\LOCALS~1\Temp\Rar$EX00.086\wcie.iemenu2.htm

.

- - - - ORPHANS REMOVED - - - -

 

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)

HKLM-Run-Cmaudio - cmicnfg.dll

HKU-Default-Run-hotefix - msnnmaneger.exe

HKU-Default-RunOnce-hotefix - msnnmaneger.exe

AddRemove-ESET 3.x FiX 2.2 - c:\program files\ESET\ESET 3.x FiX\Uninstall.exe

AddRemove-Free Download Manager - c:\program files\Free Download Manager\uninst.exe

AddRemove-NVIDIA Drivers - c:\windows\system32\nvudisp.exe UninstallGUI

AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe

AddRemove-{8ADFC4160D694100B5B8A22DE9DCABD9} - c:\program files\DivX\DivXPlayerUninstall.exe

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-12-06 11:27

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]

"ImagePath"=""

.

--------------------- LOCKED REGISTRY KEYS ---------------------

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]


.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'explorer.exe'(3244)

c:\windows\system32\SSSensor.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Nokia\Nokia PC Suite 7\phonebrowser.dll

c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL

c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng-us.nlr

c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr

c:\program files\Microsoft Virtual PC\VPCShExH.DLL

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe

c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Sygate\SPF\smc.exe

c:\windows\system32\rundll32.exe

c:\program files\Skype\Phone\Skype.exe

c:\progra~1\MICROS~2\rapimgr.exe

c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

c:\windows\system32\wscntfy.exe

c:\program files\Skype\Plugin Manager\skypePM.exe

.

**************************************************************************

.

Completion time: 2009-12-06 11:40 - machine was rebooted

ComboFix-quarantined-files.txt 2009-12-06 09:40

 

Pre-Run: 1 063 624 704 bytes free

Post-Run: 905 138 176 bytes free

 

- - End Of File - - 09BF8F5957B5356C9E177AC61112C8F5


Hi diksi,

 

I would like to know more about this file:

c:\windows\system32\drivers\TCPIP.SYS

Please go to VirusTotal and upload the file for analysis.


  • Click on Browse and locate the file to be uploaded.
  • Click Send File, then allow the file to be uploaded and scanned.
  • Post the results in your reply.

If VirusTotal is busy, please go to http://virusscan.jotti.org.

 

 

Do you have EPLAN (possibly electrical CAD software) on your computer?

If so, is this legitimately purchased software? I need to be sure because I suspect it may have come bundled with spyware.

 

Is C:\AntoTut a folder that you have created?

 

As well as the results from VirusTotal please could you post a new HijackThis log.

 

jimi.

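Before uploading a system file such as TCPIP.SYS, a reviewer usually computes its digests locally: VirusTotal keys its reports by hash, so a hash lookup answers "has this exact file already been analysed?" without sending the file anywhere. The block below is an added example, not code from this thread or from VirusTotal; the function names are my own, and the reference values are the size, MD5, SHA1 and SHA256 that VirusTotal reported for the poster's TCPIP.SYS later in this thread. A match only means the local file is byte-for-byte the sample VirusTotal already scanned; the verdict still has to come from the scan results.

```python
import hashlib
import io
from typing import BinaryIO, Dict, List

# Reference values for c:\windows\system32\drivers\TCPIP.SYS, copied from the
# VirusTotal report quoted in this thread (0/41 detections at that time).
KNOWN_TCPIP_SYS: Dict[str, object] = {
    "size": 360320,
    "md5": "3c966f647bab332093cb0f92692b5cb8",
    "sha1": "16572e82b9cd570180748412c5821b500b297593",
    "sha256": "0ed218a2bf330639f81e1c89ecd39df91d49df8ee3642133e28957d78291599b",
}


def hash_stream(stream: BinaryIO, chunk_size: int = 1 << 20) -> Dict[str, object]:
    """Read the stream once, feeding each chunk to all three hashers, and record the size."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    size = 0
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    result: Dict[str, object] = {"size": size}
    result.update({name: h.hexdigest() for name, h in hashers.items()})
    return result


def hash_bytes(data: bytes) -> Dict[str, object]:
    """Convenience wrapper for in-memory data (used by the self-test below)."""
    return hash_stream(io.BytesIO(data))


def hash_file(path: str) -> Dict[str, object]:
    """Digest a file on disk without loading it whole into memory."""
    with open(path, "rb") as fh:
        return hash_stream(fh)


def _norm(value: object) -> object:
    # Hex digests are compared case-insensitively and with any spacing removed,
    # so output pasted from other tools can be used as the expected value.
    return value.lower().replace(" ", "") if isinstance(value, str) else value


def mismatches(actual: Dict[str, object], expected: Dict[str, object]) -> List[str]:
    """Names of the fields in `expected` that differ from `actual`, in the order given."""
    return [key for key, value in expected.items() if _norm(actual.get(key)) != _norm(value)]


def verdict(actual: Dict[str, object], expected: Dict[str, object]) -> str:
    """Human-readable comparison result for a hashed file against a reference record."""
    bad = mismatches(actual, expected)
    if not bad:
        return "identical to the reference sample (same size and all three digests)"
    return "differs from the reference sample in: " + ", ".join(bad)


if __name__ == "__main__":
    import sys

    # Usage: python hashcheck.py <path to TCPIP.SYS>
    path = sys.argv[1] if len(sys.argv) > 1 else r"C:\WINDOWS\system32\drivers\TCPIP.SYS"
    digests = hash_file(path)
    for name, value in digests.items():
        print(f"{name:7}: {value}")
    print(verdict(digests, KNOWN_TCPIP_SYS))
```

Run it with the driver path as the argument; the printed MD5 or SHA256 is what you search for on VirusTotal instead of uploading the file, and the final line tells you whether the local copy is the same sample the thread's report describes.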

This is the answer from Virus Total:

 

File has already been analysed:

MD5: 3c966f647bab332093cb0f92692b5cb8

First received: 2009.03.22 19:25:48 UTC

Date: 2009.10.25 17:48:43 UTC [>44D]

Results: 0/41

Permalink: analisis/0ed218a2bf330639f81e1c89ecd39df91d49df8ee3642133e28957d78291599b-1256492923

 

 

This is the information from the link:

 

Antivirus Version Last Update Result

a-squared 4.5.0.41 2009.10.25 -

AhnLab-V3 5.0.0.2 2009.10.23 -

AntiVir 7.9.1.44 2009.10.23 -

Antiy-AVL 2.0.3.7 2009.10.23 -

Authentium 5.1.2.4 2009.10.24 -

Avast 4.8.1351.0 2009.10.25 -

AVG 8.5.0.423 2009.10.25 -

BitDefender 7.2 2009.10.25 -

CAT-QuickHeal 10.00 2009.10.24 -

ClamAV 0.94.1 2009.10.25 -

Comodo 2728 2009.10.25 -

DrWeb 5.0.0.12182 2009.10.25 -

eSafe 7.0.17.0 2009.10.25 -

eTrust-Vet 35.1.7082 2009.10.23 -

F-Prot 4.5.1.85 2009.10.25 -

F-Secure 9.0.15370.0 2009.10.22 -

Fortinet 3.120.0.0 2009.10.25 -

GData 19 2009.10.25 -

Ikarus T3.1.1.72.0 2009.10.25 -

Jiangmin 11.0.800 2009.10.24 -

K7AntiVirus 7.10.879 2009.10.24 -

Kaspersky 7.0.0.125 2009.10.25 -

McAfee 5782 2009.10.25 -

McAfee+Artemis 5782 2009.10.25 -

McAfee-GW-Edition 6.8.5 2009.10.25 -

Microsoft 1.5202 2009.10.25 -

NOD32 4541 2009.10.25 -

Norman 6.03.02 2009.10.23 -

nProtect 2009.1.8.0 2009.10.25 -

Panda 10.0.2.2 2009.10.25 -

PCTools 4.4.2.0 2009.10.19 -

Prevx 3.0 2009.10.25 -

Rising 21.52.62.00 2009.10.25 -

Sophos 4.46.0 2009.10.25 -

Sunbelt 3.2.1858.2 2009.10.25 -

Symantec 1.4.4.12 2009.10.25 -

TheHacker 6.5.0.2.053 2009.10.24 -

TrendMicro 8.950.0.1094 2009.10.25 -

VBA32 3.12.10.11 2009.10.23 -

ViRobot 2009.10.23.2003 2009.10.23 -

VirusBuster 4.6.5.0 2009.10.25 -

Additional information

File size: 360320 bytes

MD5 : 3c966f647bab332093cb0f92692b5cb8

SHA1 : 16572e82b9cd570180748412c5821b500b297593

SHA256: 0ed218a2bf330639f81e1c89ecd39df91d49df8ee3642133e28957d78291599b

PEInfo: PE Structure information

 

( base data )

entrypointaddress.: 0x51626

timedatestamp.....: 0x485B8A36 (Fri Jun 20 12:45:10 2008)

machinetype.......: 0x14C (Intel I386)

 

( 10 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x380 0x3ECB2 0x3ED00 6.60 5b9c80815f564a74f0f5c64dfa803bda

.rdata 0x3F080 0x57C 0x580 4.47 b488d9ef4d2a3578ab813a7f32f4942c

.data 0x3F600 0xA4A4 0xA500 0.06 63cbaad4701faecd4d3ce7ae9341bc92

PAGE 0x49B00 0x1F85 0x2000 6.37 c56251bf7fc7eb3705785639ac9df2c7

PAGELK 0x4BB00 0x6F2 0x700 6.20 1bee176b5a4f4e0968c8d94406adff29

PAGEIPMc 0x4C200 0x2781 0x2800 6.45 6792a2763176b917fb8ebf7ceac4b5db

.edata 0x4EA00 0x341 0x380 5.23 0c14056c30ce76c02ee254161feebbeb

INIT 0x4ED80 0x5846 0x5880 6.22 0e26188f0bcc3b4d11faf54d85792b61

.rsrc 0x54600 0x3F0 0x400 3.41 b6707a370be8166e0b9390815731e10f

.reloc 0x54A00 0x3558 0x3580 6.80 d9f2dd16ad4fca1da7dde33b49298001

 

( 4 imports )

 

> hal.dll: KfLowerIrql, KeRaiseIrqlToDpcLevel, KfReleaseSpinLock, KfAcquireSpinLock, KfRaiseIrql, KeGetCurrentIrql, KeQueryPerformanceCounter, ExAcquireFastMutex, ExReleaseFastMutex

> ndis.sys: NdisCloseAdapter, NdisCancelSendPackets, NdisFreePacket, NdisUnchainBufferAtFront, NdisCompletePnPEvent, NdisFreePacketPool, NdisRequest, NdisAllocatePacket, NdisFreeMemory, NdisQueryAdapterInstanceName, NdisGetDriverHandle, NdisOpenAdapter, NdisAllocatePacketPoolEx, NdisGetReceivedPacket, NdisRegisterProtocol, NdisAllocateBuffer, NdisSetPacketPoolProtocolId, NdisReturnPackets, NdisCopyBuffer, NdisAllocateBufferPool, NdisFreeBufferPool, NdisReEnumerateProtocolBindings, NdisCompleteBindAdapter

> ntoskrnl.exe: IoCreateDevice, _wcsicmp, wcscpy, wcsncpy, wcschr, ZwSetInformationThread, KeLeaveCriticalRegion, KeEnterCriticalRegion, KeQueryTimeIncrement, KeSetEvent, IoDeleteSymbolicLink, ExDeleteNPagedLookasideList, KeDelayExecutionThread, ZwOpenKey, KeSetTimerEx, KeInitializeTimer, KeInitializeDpc, ExInitializeNPagedLookasideList, MmLockPagableSectionByHandle, ZwQueryValueKey, ZwSetValueKey, InterlockedPopEntrySList, InterlockedPushEntrySList, ExIsProcessorFeaturePresent, RtlAddAccessAllowedAce, RtlCreateAcl, RtlLengthSid, SeExports, RtlMapGenericMask, IoGetFileObjectGenericMapping, ObReleaseObjectSecurity, SeSetSecurityDescriptorInfo, RtlLengthSecurityDescriptor, RtlSetDaclSecurityDescriptor, RtlCreateSecurityDescriptor, ObGetObjectSecurity, IofCallDriver, IoBuildDeviceIoControlRequest, IoGetDeviceObjectPointer, ObfDereferenceObject, RtlAddAce, RtlGetAce, IoCreateSymbolicLink, RtlInitializeSid, RtlLengthRequiredSid, ObSetSecurityObjectByPointer, RtlSelfRelativeToAbsoluteSD, RtlGetSaclSecurityDescriptor, RtlGetGroupSecurityDescriptor, RtlGetOwnerSecurityDescriptor, RtlGetDaclSecurityDescriptor, RtlVerifyVersionInfo, VerSetConditionMask, IoWMIRegistrationControl, IoGetCurrentProcess, KeInitializeTimerEx, RtlExtendedIntegerMultiply, KeQueryInterruptTime, _aulldiv, DbgBreakPoint, KeSetTargetProcessorDpc, RtlSetBit, SeUnlockSubjectContext, SeAccessCheck, SeLockSubjectContext, ObDereferenceSecurityDescriptor, PsGetCurrentProcessId, RtlWalkFrameChain, _aulldvrm, ExNotifyCallback, ExCreateCallback, ObReferenceObjectByHandle, MmUnlockPages, SeFreePrivileges, SeAppendPrivileges, ObLogSecurityDescriptor, SeAssignSecurity, IoFileObjectType, MmProbeAndLockPages, IoAllocateMdl, _except_handler3, ProbeForWrite, ObfReferenceObject, PsGetCurrentProcess, RtlPrefetchMemoryNonTemporal, KeInitializeMutex, MmIsThisAnNtAsSystem, KeWaitForSingleObject, KeReleaseMutex, KeReadStateEvent, IoDeleteDevice, ZwEnumerateValueKey, RtlUnicodeStringToInteger, RtlIpv4StringToAddressW, 
RtlTimeToTimeFields, ExLocalTimeToSystemTime, RtlExtendedMagicDivide, RtlAppendUnicodeToString, ZwClose, _allmul, MmQuerySystemSize, RtlCompareUnicodeString, RtlInitializeBitMap, RtlClearAllBits, RtlSetBits, wcslen, RtlAreBitsSet, RtlClearBits, RtlFindClearBitsAndSet, RtlFindClearRuns, DbgPrint, memmove, RtlCopyUnicodeString, RtlAppendUnicodeStringToString, ZwLoadDriver, KeResetEvent, IoAcquireCancelSpinLock, IoReleaseCancelSpinLock, IofCompleteRequest, ExfInterlockedAddUlong, MmMapLockedPagesSpecifyCache, IoFreeMdl, ExfInterlockedInsertTailList, RtlInitUnicodeString, MmMapLockedPages, KeNumberProcessors, RtlUnicodeStringToAnsiString, MmLockPagableDataSection, MmUnlockPagableImageSection, RtlCompareMemory, ExAllocatePoolWithTag, KeCancelTimer, KeClearEvent, RtlAnsiStringToUnicodeString, IoRaiseInformationalHardError, KeInitializeEvent, ExFreePoolWithTag, ExAllocatePoolWithTagPriority, KeInitializeSpinLock, _alldiv, KeQuerySystemTime, KefAcquireSpinLockAtDpcLevel, KefReleaseSpinLockFromDpcLevel, KeBugCheckEx, RtlSubAuthoritySid, KeTickCount, MmBuildMdlForNonPagedPool, ZwDeviceIoControlFile, ZwCreateFile

> tdi.sys: CTESystemUpTime, CTEBlock, CTELogEvent, CTESignal, CTEBlockWithTracker, CTEStartTimer, CTEInitEvent, CTEScheduleDelayedEvent, CTEInitTimer, TdiProviderReady, CTEInitialize, TdiDeregisterNetAddress, TdiRegisterNetAddress, TdiDeregisterDeviceObject, TdiRegisterDeviceObject, TdiDeregisterProvider, TdiRegisterProvider, TdiPnPPowerRequest, TdiCopyMdlChainToMdlChain, TdiInitialize, TdiDeregisterPnPHandlers, TdiRegisterPnPHandlers, CTEScheduleEvent, TdiCopyBufferToMdl, CTERemoveBlockTracker, CTEInsertBlockTracker, TdiMapUserRequest, TdiCopyBufferToMdlWithReservedMappingAtDpcLevel

 

( 1 exports )

 

> ARPRcv, ARPRcvPacket, FreeIprBuff, GetIFAndLink, IPAddInterface, IPAllocBuff, IPDelInterface, IPDelayedNdisReEnumerateBindings, IPDeregisterARP, IPDisableSniffer, IPEnableSniffer, IPFreeBuff, IPGetAddrType, IPGetBestInterface, IPGetInfo, IPInjectPkt, IPProxyNdisRequest, IPRcvComplete, IPRcvPacket, IPRegisterARP, IPRegisterProtocol, IPSetIPSecStatus, IPTransmit, LookupRoute, LookupRouteInformation, LookupRouteInformationWithBuffer, SendICMPErr, SetIPSecPtr, UnSetIPSecPtr, UnSetIPSecSendPtr, tcpxsum

TrID : File type identification

Win32 Executable Generic (68.0%)

Generic Win/DOS Executable (15.9%)

DOS Executable Generic (15.9%)

Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

ssdeep: 6144:VcamciT9y1vHgbQrQZi4TQqSLgh6Ss8tkahEA8t/W/9OeyvO:Vcamcp1vHgW48qEezdhE0/9

PEiD : -

RDS : NSRL Reference Data Set


About the C:\AntoTut folder: I have not created this folder manually. This folder was created when I installed an application (something like an HTML tutorial).

 

 

Thank you for the response!


And this is the log file from HijackThis:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 16:52:12, on 09.12.2009 г.

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16915)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\PowerISO\PWRISOVM.EXE

C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe

C:\WINDOWS\system32\ASTSRV.EXE

C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe

C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\MICROS~2\rapimgr.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\Opera\opera.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.blogger.com/start

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - URLSearchHook: (no name) - - (no file)

R3 - URLSearchHook: FlyOrDie Games Toolbar - {70a732af-f392-4ed8-823a-85fd644d4d92} - C:\Program Files\FlyOrDie_Games\tbFlyO.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: FlyOrDie Games Toolbar - {70a732af-f392-4ed8-823a-85fd644d4d92} - C:\Program Files\FlyOrDie_Games\tbFlyO.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: FlyOrDie Games Toolbar - {70a732af-f392-4ed8-823a-85fd644d4d92} - C:\Program Files\FlyOrDie_Games\tbFlyO.dll

O4 - HKLM\..\Run: [siSUSBRG] "C:\WINDOWS\SiSUSBrg.exe"

O4 - HKLM\..\Run: [smcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui

O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files\PowerISO\PWRISOVM.EXE"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Nikon Transfer Monitor] "C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe"

O4 - HKLM\..\Run: [uVS12 Preload] C:\Program Files\Corel\Corel VideoStudio 12\uvPL.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Startup: PowerReg Scheduler.exe

O8 - Extra context menu item: &Use webcow on this Page - C:\DOCUME~1\pc\LOCALS~1\Temp\Rar$EX00.086\wcie.iemenu.htm

O8 - Extra context menu item: &С&валяне &с BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &С&валяне на всички с BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: &С&валяне на всичкото видео с BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm

O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm

O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm

O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Use webcow on this &Selection - C:\DOCUME~1\pc\LOCALS~1\Temp\Rar$EX00.086\wcie.iemenu2.htm

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll/206 (file missing)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201090713088

O16 - DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} (Settings Class) - https://www.dskdirect.bg/com/capicom.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Nalpeiron Licensing Service (ASTSRV) - Nalpeiron Ltd. - C:\WINDOWS\system32\ASTSRV.EXE

O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

 

--

End of file - 11385 bytes


Hi diksi,

 

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:

1) Run Spybot-S&D.

2) Go to the Mode menu, and make sure Advanced Mode is selected.

3) On the left hand side, choose Tools -> Resident.

4) Uncheck Resident TeaTimer and OK any prompts.

You can re-enable TeaTimer once your system is clean.

 

 

Please download GMER from here

 

Unzip it to your Desktop.

 

Close any open programs/windows!

 

Open the program and click on the Rootkit/Malware tab.

 

Make sure all the boxes on the right of the screen are checked, apart from 'Show All'.


 

Click on Scan (1).


 

When the scan has run click Copy (2) and paste the results (if any) into this thread.

 

 

Please run HijackThis and click "Do a system scan only". Place checks next to the following entries, if present:

 

R3 - URLSearchHook: (no name) - - (no file)

O4 - Startup: PowerReg Scheduler.exe

O8 - Extra context menu item: &Use webcow on this Page - C:\DOCUME~1\pc\LOCALS~1\Temp\Rar$EX00.086\wcie.iemenu.htm

O8 - Extra context menu item: Use webcow on this &Selection - C:\DOCUME~1\pc\LOCALS~1\Temp\Rar$EX00.086\wcie.iemenu2.htm

 

Close all browser and other windows except for HijackThis, and click "Fix checked" to have HijackThis fix the entries you checked.

 

Please restart your computer and post a new HijackThis log along with the GMER results.

 

 

I highly recommend that you uninstall your EPLAN software as I presume it is a “cracked” version. ComboFix has removed some malware that came bundled with it. The practice of using crack or keygen tools is not only illegal but it is a serious security risk.

 

Some of the worst types of malware infections can be contracted and spread by visiting crack, keygen, warez and other pirated software sites. Those who attempt to get software for free can end up with a computer system so badly damaged that recovery is not possible. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

 

jimi.

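The four entries jimi selects for "Fix checked" share the signals a log reviewer looks for first: a hook whose target no longer exists ("(no file)") and context-menu items that load content from a temporary extraction directory. The block below is an added example, not code from this thread, from HijackThis or from the helper; it parses HijackThis-style lines, applies those two checks as "fix" findings and two lower-priority checks as "review" findings (a "(file missing)" reference, and a Startup item listed without a path). The sample lines are copied from the log posted above plus a few benign entries, and the function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample: entries copied from the HijackThis log posted in this thread,
# with some known-good lines mixed in so the triage has something to pass over.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: FlyOrDie Games Toolbar - {70a732af-f392-4ed8-823a-85fd644d4d92} - C:\Program Files\FlyOrDie_Games\tbFlyO.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &Use webcow on this Page - C:\DOCUME~1\pc\LOCALS~1\Temp\Rar$EX00.086\wcie.iemenu.htm
O8 - Extra context menu item: Use webcow on this &Selection - C:\DOCUME~1\pc\LOCALS~1\Temp\Rar$EX00.086\wcie.iemenu2.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll/206 (file missing)
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

# Every HijackThis entry starts with a section code (R0..R3, F0.., O1..O24) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+)\s+-\s+(?P<body>.*)$")
# A path component named Temp or Tmp, e.g. ...\LOCALS~1\Temp\Rar$EX00.086\...
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def parse_entries(log_text: str) -> List[Dict[str, str]]:
    """Return {code, body, line} for each entry line; headers and process lists are skipped."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"code": m.group("code"), "body": m.group("body"), "line": line})
    return entries


def triage(log_text: str) -> List[Dict[str, str]]:
    """Apply the reviewer's first-pass checks; each finding carries a severity and a reason."""
    findings = []
    for entry in parse_entries(log_text):
        body = entry["body"]
        severity = reason = None
        if "(no file)" in body:
            severity, reason = "fix", "orphaned hook: the target file no longer exists"
        elif TEMP_DIR_RE.search(body):
            severity, reason = "fix", "loads content from a temporary/extraction directory"
        elif "(file missing)" in body:
            severity, reason = "review", "referenced file is missing; confirm the product is still installed"
        elif entry["code"] == "O4" and body.startswith("Startup:") and "\\" not in body:
            severity, reason = "review", "startup item listed without a path; identify the file first"
        if severity:
            findings.append({"severity": severity, "reason": reason, "line": entry["line"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['reason']}\n         {f['line']}")
```

The "fix" findings reproduce three of the four lines jimi asked to have fixed; the fourth (the bare "PowerReg Scheduler.exe" Startup item) only surfaces as a "review" item, because nothing in the line itself is wrong and the decision rests on knowing what that file is. That is the normal split: heuristics narrow the list, and the analyst decides.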

This is the log file from GMER:

 

GMER 1.0.15.15273 - http://www.gmer.net

Rootkit scan 2009-12-10 23:31:54

Windows 5.1.2600 Service Pack 2

Running: gmer.exe; Driver: C:\DOCUME~1\pc\LOCALS~1\Temp\kfxyypow.sys

 

 

---- System - GMER 1.0.15 ----

 

SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xF8707B30]

SSDT 81CDE8A0 ZwAssignProcessToJobObject

SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwCreateThread [0xF87076F0]

SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xF8707470]

SSDT 81CDDCB0 ZwOpenProcess

SSDT 81CDE0D0 ZwOpenThread

SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwProtectVirtualMemory [0xF8707C50]

SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwShutdownSystem [0xF8707990]

SSDT 81CDE6D0 ZwSuspendProcess

SSDT 81CDE4F0 ZwSuspendThread

SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwTerminateProcess [0xF87078D0]

SSDT 81CDE310 ZwTerminateThread

SSDT \??\C:\WINDOWS\System32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwWriteVirtualMemory [0xF8707D60]

 

---- Kernel code sections - GMER 1.0.15 ----

 

.text ntoskrnl.exe!_abnormal_termination + 98 804E26F4 4 Bytes CALL AD02A8C6

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF77A9360, 0x24BB1D, 0xE8000020]

.text tcpip.sys!IPTransmit + 10BC F60DCCFA 6 Bytes CALL F8360FB0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

.text tcpip.sys!IPTransmit + 263D F60DE27B 6 Bytes CALL F8360FB0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

.text tcpip.sys!ARPRcv + 521E F60E34BE 6 Bytes CALL F8360FB0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

.text wanarp.sys F875A3FD 4 Bytes CALL F8361100 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

.text wanarp.sys F875A402 2 Bytes [90, 90] {NOP ; NOP }

.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xB9E1A400, 0x87EE2, 0xE8000020]

.protectÿÿÿÿhardlock C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protectÿÿÿÿhardlock" section [0xB9EBE620]

.protectÿÿÿÿhardlock C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xB9EBE400, 0x5126, 0xE0000020]

 

---- User code sections - GMER 1.0.15 ----

 

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[484] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 4 Bytes [C2, 04, 00, 00]

 

---- Kernel IAT/EAT - GMER 1.0.15 ----

 

IAT \SystemRoot\system32\DRIVERS\VMNetSrv.sys[NDIS.SYS!NdisCloseAdapter] [F8361DF0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

IAT \SystemRoot\system32\DRIVERS\VMNetSrv.sys[NDIS.SYS!NdisOpenAdapter] [F8361D50] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

IAT \SystemRoot\system32\DRIVERS\VMNetSrv.sys[NDIS.SYS!NdisDeregisterProtocol] [F8361C90] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

IAT \SystemRoot\system32\DRIVERS\VMNetSrv.sys[NDIS.SYS!NdisRegisterProtocol] [F8361A40] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F8361DF0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F8361D50] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F8361C90] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F8361A40] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F8361A40] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F8361D50] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F8361DF0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F8361C90] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F8361C90] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F8361A40] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F8361D50] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F8361DF0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F8361A40] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F8361DF0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F8361D50] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F8361C90] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F8361DF0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F8361D50] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F8361A40] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F8361C90] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F8361A40] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F8361D50] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F8361DF0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F8361A40] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F8361C90] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F8361DF0] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F8361D50] Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)

 

---- Devices - GMER 1.0.15 ----

 

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

 

Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

 

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

 

Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

 

AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

 

---- Threads - GMER 1.0.15 ----

 

Thread System [4:328] 81CDC930

 

---- Registry - GMER 1.0.15 ----

 

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG11.00.00.01WORKSTATION 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

 

---- EOF - GMER 1.0.15 ----


And now the HijackThis log:

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:43:38, on 10.12.2009 г.

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16915)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\PowerISO\PWRISOVM.EXE

C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\ASTSRV.EXE

C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe

C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

C:\PROGRA~1\MICROS~2\rapimgr.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.blogger.com/start

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - URLSearchHook: FlyOrDie Games Toolbar - {70a732af-f392-4ed8-823a-85fd644d4d92} - C:\Program Files\FlyOrDie_Games\tbFlyO.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll

O2 - BHO: FlyOrDie Games Toolbar - {70a732af-f392-4ed8-823a-85fd644d4d92} - C:\Program Files\FlyOrDie_Games\tbFlyO.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: FlyOrDie Games Toolbar - {70a732af-f392-4ed8-823a-85fd644d4d92} - C:\Program Files\FlyOrDie_Games\tbFlyO.dll

O4 - HKLM\..\Run: [siSUSBRG] "C:\WINDOWS\SiSUSBrg.exe"

O4 - HKLM\..\Run: [smcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui

O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files\PowerISO\PWRISOVM.EXE"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Nikon Transfer Monitor] "C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe"

O4 - HKLM\..\Run: [uVS12 Preload] C:\Program Files\Corel\Corel VideoStudio 12\uvPL.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm

O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm

O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm

O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll/206 (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201090713088

O16 - DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} (Settings Class) - https://www.dskdirect.bg/com/capicom.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Nalpeiron Licensing Service (ASTSRV) - Nalpeiron Ltd. - C:\WINDOWS\system32\ASTSRV.EXE

O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

 

--

End of file - 10500 bytes


Hi diksi,

 

 

Please scan your computer with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

  4. Check esetAcceptTerms.png
  5. Click the esetStart.png button.
  6. Accept any security warnings from your browser.
  7. Check esetScanArchives.png
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push esetListThreats.png
  11. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the esetBack.png button.
  13. Push esetFinish.png

 

 

Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

How is your computer performing now?

 

jimi.


This is the content of the ESET`s report:

 

 

C:\Program Files\eMule\Incoming\Genuine Licence digsilent.zip Win32/Agent.QKL trojan deleted - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\pc\Start Menu\Programs\Startup\_algqeh32_.exe.zip a variant of Win32/Kryptik.BJK trojan deleted - quarantined

 

 

And from Security check:

 

 

Results of screen317's Security Check version 0.99.1

Windows XP Service Pack 2

Out of date service pack!!

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

ESET NOD32 Antivirus

ESET Online Scanner v3

Sygate Personal Firewall Pro

Antivirus up to date!

``````````````````````````````

Anti-malware/Other Utilities Check:

HijackThis 2.0.2

Java 6 Update 17

Java 6 Update 7

Out of date Java installed!

Adobe Flash Player 10

Adobe Reader for Pocket PC 2.0

Adobe Reader for Pocket PC 2.0

Adobe Reader 8.1.2

Out of date Adobe Reader installed!

``````````````````````````````

Process Check:

objlist.exe by Laurent

``````````````````````````````

DNS Vulnerability Check:

POOR! (Vulnerable to DNS cache poisoning!!-- Consider OPENDNS)

 

`````````End of Log```````````

 

 

 

I think that the performance of my computer is normal now :rolleyes:


Hi diksi,

 

Your logs appear to be clean now, but your computer will not remain clean if you continue to download cracked programs.

 

As I said before:

 

Some of the worst types of malware infections can be contracted and spread by visiting crack, keygen, warez and other pirated software sites. Those who attempt to get software for free can end up with a computer system so badly damaged that recovery is not possible. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

 

To remain free of malware in the future, you should uninstall all file sharing programs: BitComet, DC++, eMule etc.

You should also remove all your cracked programs.

 

 

Now for some tidying up:

 

The following will implement some cleanup procedures as well as reset System Restore points:

 

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

 

ComboFix /Uninstall

 

 

Please could you delete the following files:

  • GMER.zip that you downloaded.
  • GMER.exe that you unzipped to your desktop.

 

 

Please update to XP Service Pack 3 (SP3) which includes many security patches.

This should be available via Windows Update or it can be downloaded from here.

 

 

Your version of Java is out of date, which leaves you susceptible to future malware infections.

Updating Java:

  • Go here and download the latest version of Java [Java SE Runtime Environment (JRE)]:
    http://java.sun.com/javase/downloads/index.jsp
  • Go to Start > Control Panel > Add or Remove Programs.
  • Search in the list and remove any previously installed versions of Java. (J2SE Runtime Environment.... )
  • Then install the version you downloaded earlier.

 

 

You need to update Adobe Reader to fix security vulnerabilities that are being actively exploited.

Please either:

Open Adobe Reader, click Help > Check for Updates, and use the updater to install the update.

Or:

Go to Start -> Control Panel -> Programs and Features and uninstall Adobe Reader.

Download and install the current version from http://get.adobe.com/reader/.

 

 

Please let me know how installing Service Pack 3 went.

Is your computer still running normally?

 

jimi.


Glad we could help. :)

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

 

Everyone else please begin a New Topic.

This topic is now closed to further replies.