pyTor

Infected with "Win32/Rootkit.Agent.AE trojan"

9 posts in this topic

OK, so I ran an .exe file that I should have steered clear of, and now I've gotten a pesky little virus/trojan.

At first AVG popped up about the file Windows\system32\hpdriver.sys being infected with Win32/Rootkit.Agent.AE trojan.

When deleting or repairing the file, it would pop up again a second later with the same message.

A complete scan in failsafe mode didn't resolve the problem, so I installed Eset's Nod32 and got the same pop-ups - scanned in failsafe, 3 threats found, but I still get the pop-up when returning to normal Windows.

Please help me, it doesn't appear malicious - but is extremely annoying.

I will be posting a HijackThis log momentarily.


Logfile of HijackThis v1.99.1

Scan saved at 12:11:24, on 27-05-2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\spoolsv.exe

D:\WINDOWS\Explorer.EXE

D:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

D:\WINDOWS\CTHELPER.EXE

D:\WINDOWS\system32\rundll32.exe

D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

D:\WINDOWS\ATKKBService.exe

D:\WINDOWS\system32\RunDLL32.exe

D:\Program Files\Eset\nod32kui.exe

D:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

D:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe

D:\Program Files\Common Files\LightScribe\LSSrvc.exe

D:\Program Files\Logitech\SetPoint\SetPoint.exe

D:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE

D:\Program Files\Eset\nod32krn.exe

D:\WINDOWS\system32\nvsvc32.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\system32\dllhost.exe

D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.500\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.danskebank.dk/

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar3.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [iAAnotif] D:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [sony Ericsson PC Suite] "D:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKCU\..\Run: [ASUS SmartDoctor] D:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe /start

O4 - Global Startup: Logitech SetPoint.lnk = ?

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab

O16 - DPF: {76805459-88F6-4BB1-8EC1-1A4DDC777CFD} (KMDWebSign.zskwsax) - http://logon.kmd.dk/program/zskwsax.CAB

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab

O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/au...tdccsp-0506.exe

O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/...B/e-Safekey.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - D:\WINDOWS\ATKKBService.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - D:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - D:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - D:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1a\Win32\RpcDataSrv.exe

O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1a\RpcSandraSrv.exe

O23 - Service: winconfig.exe - Unknown owner - D:\WINDOWS\msguard.exe

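As an added example (not part of the original thread, and not code from HijackThis or the forum helper), here is a small Python triage script for log lines in the format posted above. It parses the O4, O20 and O23 entries and flags the kinds of things a helper looks at first: a service with no publisher, a service whose name looks like an executable but points at a different file (the winconfig.exe / msguard.exe pattern in this log), Run entries that name a bare executable with no path (ComboFix's catchme printed "CTHELPER.EXE?" for the same reason), and any Winlogon Notify DLL. The sample is a constructed subset of the posted log; the flagging rules are this example's own assumptions and surface entries for a human to check rather than giving a verdict.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread, not code from HijackThis or from the forum
helper. SAMPLE_LOG is a constructed subset of the log posted above; the
flagging rules are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.danskebank.dk/
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe
O23 - Service: winconfig.exe - Unknown owner - D:\WINDOWS\msguard.exe
"""

# "O23 - <body>" : every HijackThis entry starts with a section code.
LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
# HKLM\..\Run: [name] command line
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Service: Display Name (ShortName) - Owner - image path   (ShortName is optional)
O23_RE = re.compile(
    r"^Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - (?P<owner>.+?) - (?P<path>.+)$"
)
EXE_RE = re.compile(r"\.(exe|dll|sys|bat|cmd|scr)$", re.IGNORECASE)


@dataclass
class Finding:
    kind: str    # HijackThis section, e.g. "O23"
    entry: str   # the original log line
    reason: str  # why the entry was flagged


def parse_lines(log_text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (section, body, original line) for each entry line; skip headers."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body"), line.strip()


def first_token(cmd: str) -> str:
    """Return the executable part of a Run command, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0]


def triage(log_text: str) -> List[Finding]:
    """Apply the example's heuristics and return the entries worth a second look."""
    findings: List[Finding] = []
    for kind, body, line in parse_lines(log_text):
        if kind == "O4":
            m = O4_RE.match(body)
            if m:
                exe = first_token(m.group("cmd"))
                # A bare filename means the loader searches for it by name; note
                # where it actually resolves before trusting the entry.
                if "\\" not in exe and not exe.lower().startswith("rundll32"):
                    findings.append(Finding(kind, line, f"unqualified path: {exe}"))
        elif kind == "O20":
            # Winlogon Notify DLLs load into winlogon.exe; always confirm the publisher.
            findings.append(Finding(kind, line, "Winlogon Notify DLL: verify publisher"))
        elif kind == "O23":
            m = O23_RE.match(body)
            if not m:
                continue
            display, owner, path = m.group("display"), m.group("owner"), m.group("path")
            image = path.strip('"').rsplit("\\", 1)[-1]
            if owner.lower() == "unknown owner":
                findings.append(Finding(kind, line, "service has no publisher (Unknown owner)"))
            # A service *named* like an executable whose image is a different file,
            # as with winconfig.exe -> msguard.exe in this thread.
            if EXE_RE.search(display) and display.lower() != image.lower():
                findings.append(
                    Finding(kind, line, f"service name {display} does not match image {image}")
                )
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.entry}")
```

Run it as-is to see the sample triaged; feed it a full saved log via `triage(open("hijackthis.log").read())`. The rules are deliberately loose: the legitimate NOD32 service passes cleanly, while the two bare-filename Run entries and the WgaLogon DLL are listed only so that someone confirms what they resolve to.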

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

[this is an automated reply]


Hi pyTor,

 

Welcome to SpywareInfo!

 

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

 

OK, here’s what we do first.

 

First of all, you didn't unzip/extract HijackThis. I strongly advise you to unzip/extract HijackThis because HijackThis will not be able to make backups when it is run from the zip folder.

 

How to unzip HijackThis:

  • Right-click on the HijackThis zip folder and choose "Extract All".
  • An extraction wizard window will now open. Click "Next".
  • In the "Files will be extracted to this directory:" field, type C:\HijackThis. Then click "Next".
  • Click "Finish" to show your unzipped/extracted HijackThis folder. Run HijackThis.exe from here, or add a shortcut to your desktop.

 

NEXT:

 

BEFORE BEGINNING, Please read completely through the instructions below. Please also print these instructions or copy them to Notepad (or another word processor), and save it for easier reference. This is because we will be in Safe Mode during the fix and you won’t be able to access the Internet to view these instructions.

 

Please download SDFix by AndyManchesta and save it to your desktop.

 

Double-click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix).

 

Please then reboot your computer into Safe Mode by doing the following:

  • Restart your computer.
  • After hearing your computer beep once during startup, but just before the Windows icon appears, tap the F8 key continually.
  • Instead of Windows loading as normal, a menu with options should appear.
  • Select the first option, to run Windows in "Safe Mode", then press "Enter".
  • Choose your usual account.

Once in Safe Mode, please do the following:

  • Open the extracted folder and double-click RunThis.bat to start the script.
  • Type "Y" to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found, then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process, then display "Finished", press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, copy and paste the contents of the results file Report.txt back onto the forum.

 

NEXT:

 

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

 

O23 - Service: winconfig.exe - Unknown owner - D:\WINDOWS\msguard.exe

 

 

Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

 

Then please exit HijackThis.

 

 

NEXT:

 

Please go to Start -> Run and type (or copy and paste) the following lines in the "Open" field, ONE AT A TIME, then click "OK":

 

sc stop "winconfig.exe"

 

sc delete "winconfig.exe"

 

 

NEXT:

 

Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to and delete the following FILES (if they exist):

 

D:\WINDOWS\msguard.exe

 

 

You may have to Show hidden files and folders first.

 

Please let me know if you encountered any problems finding or deleting the file.

 

 

NEXT:

 

Let's run some cleanup and diagnostic scans to make sure we're not leaving anything behind.

 

Please download CCleaner (freeware) and save it to your desktop:

  1. Run the CCleaner installer.
  2. During the installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
  3. Once installed, run CCleaner and click the "Windows" tab.
  4. Select the following:
    • Check everything under the "Internet Explorer" section.
    • Check everything under the "Windows Explorer" section.
    • Check everything under the "System" section.
    • Check ONLY "Old Prefetch data" under the "Advanced" section.
  5. Then, click the "Applications" tab:
    • UNCHECK everything there.
  6. Next, click the "Options" button in the left pane, then click the "Advanced" button:
    • UNCHECK "Only delete files in Windows Temp folders older than 48 hours".
  7. Next, click the "Cleaner" button in the left pane, then click the "Run Cleaner" button (bottom right), and click "OK" at the prompt.
  8. When done, please exit CCleaner.

CAUTION: Please do NOT use the "Issues" button in the left pane. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.

 

 

NEXT:

 

Please download ComboFix by sUBs:

 

NOTE: In the event you already have ComboFix, this is a new version that I need you to download.

  • Save it to your desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Please do NOT mouse-click ComboFix's window while it is running. That may cause it to stall. Also, please do NOT adjust your time format while ComboFix is running.

 

 

NEXT:

 

Please do an online scan with Kaspersky Online Scanner using Internet Explorer (this online scanner only works with IE):

  1. Click on "Kaspersky Online Scanner".
  2. You will be prompted to install an ActiveX component from Kaspersky; click "Yes".
  3. The program will launch and then begin downloading the latest definition files.
  4. Once the files have been downloaded, click on "Next".
  5. Now click on "Scan Settings".
  6. In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended
    • Scan Options: Scan Archives, Scan Mail Bases
  7. Click "OK".
  8. Now under "Select a target to scan":
    • Select "My Computer".
  9. This program will start and scan your system.
  10. The scan will take a while, so be patient and let it run.
  11. Once the scan is complete it will display if your system has been infected.
    • Now click on the "Save Report As" button.
    • In the "File name:" field, type kavscan.
    • In the "Save as type:" field, select "Text file (*.txt)".
  12. Save the file to your desktop.
  13. Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

 

 

NEXT:

 

Please REBOOT your computer normally into Windows and post these logs in your next reply:

  1. The log from the SDFix scan.
  2. The log from the ComboFix scan.
  3. The log from the Kaspersky scan.
  4. A new HijackThis log.

(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).

 

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.


Alright, the problem seems to have been fixed - a warm thank you from my side.

Here are the end logs:

SDFix: Version 1.85

 

Run by Administrator - 02-06-2007 - 8:38:22,17

 

Microsoft Windows XP [Version 5.1.2600]

 

Running From: D:\DOCUME~1\ADMINI~1\Desktop\SDfix\SDFix

 

Safe Mode:

Checking Services:

 

Name:

winconfig.exe

 

ImagePath:

"D:\WINDOWS\msguard.exe"

 

winconfig.exe - Deleted

 

 

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

 

Rebooting...

 

 

Normal Mode:

Checking Files:

 

Below files will be copied to Backups folder then removed:

 

D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\52a17e2d-1a1d-b171-519d-e6f2b451fb35.tmp.exe - Deleted

D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\a.exe - Deleted

 

 

 

Removing Temp Files...

 

ADS Check:

 

Checking if ADS is attached to system32 Folder

D:\WINDOWS\system32

No streams found.

 

Checking if ADS is attached to svchost.exe

D:\WINDOWS\system32\svchost.exe

No streams found.

 

 

 

Final Check:

 

Remaining Services:

------------------

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"D:\\Program Files\\Google\\Google Talk\\googletalk.exe"="D:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"

"E:\\Spil\\Quake III Arena\\quake3.exe"="E:\\Spil\\Quake III Arena\\quake3.exe:*:Enabled:quake3"

"D:\\Program Files\\Mozilla Firefox\\firefox.exe"="D:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"

"D:\\WINDOWS\\system32\\mmc.exe"="D:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"

"D:\\Program Files\\Gaim\\gaim.exe"="D:\\Program Files\\Gaim\\gaim.exe:*:Enabled:gaim"

"D:\\Program Files\\Last.fm\\LastFM.exe"="D:\\Program Files\\Last.fm\\LastFM.exe:*:Enabled:LastFM"

"D:\\Program Files\\MSN Messenger\\msncall.exe"="D:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"

"D:\\Documents and Settings\\Administrator\\Desktop\\Firefox Downs\\utorrent.exe"="D:\\Documents and Settings\\Administrator\\Desktop\\Firefox Downs\\utorrent.exe:*:Enabled:æTorrent"

"E:\\Spil\\Valve\\Steam\\SteamApps\\pfx\\counter-strike source\\hl2.exe"="E:\\Spil\\Valve\\Steam\\SteamApps\\pfx\\counter-strike source\\hl2.exe:*:Enabled:hl2"

"E:\\Spil\\Wolfenstein - Enemy Territory\\ET.exe"="E:\\Spil\\Wolfenstein - Enemy Territory\\ET.exe:*:Enabled:ET"

"E:\\Spil\\World of Warcraft\\WoW-2.0.3-enGB-downloader.exe"="E:\\Spil\\World of Warcraft\\WoW-2.0.3-enGB-downloader.exe:*:Enabled:Blizzard Downloader"

"E:\\Spil\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.10.6448-enGB-downloader.exe"="E:\\Spil\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.10.6448-enGB-downloader.exe:*:Enabled:Blizzard Downloader"

"D:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XI.SP1a\\RpcSandraSrv.exe"="D:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XI.SP1a\\RpcSandraSrv.exe:*:Enabled:SiSoftware Sandra Agent Service"

"D:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XI.SP1a\\Win32\\RpcDataSrv.exe"="D:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XI.SP1a\\Win32\\RpcDataSrv.exe:*:Enabled:SiSoftware Database Agent Service"

"D:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="D:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"

"D:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="D:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"

"D:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="D:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"

"E:\\Spil\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enGB-downloader.exe"="E:\\Spil\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enGB-downloader.exe:*:Enabled:Blizzard Downloader"

"D:\\WINDOWS\\system32\\sessmgr.exe"="D:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"

"E:\\Spil\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"="E:\\Spil\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe:*:Enabled:S.T.A.L.K.E.R. - Shadow of Chernobyl (CLI)"

"E:\\Spil\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"="E:\\Spil\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe:*:Enabled:S.T.A.L.K.E.R. - Shadow of Chernobyl (SRV)"

"E:\\Spil\\UT2004Demo\\System\\UT2004.exe"="E:\\Spil\\UT2004Demo\\System\\UT2004.exe:*:Enabled:UT2004"

"E:\\Spil\\Command & Conquer 3\\RetailExe\\1.0\\cnc3game.dat"="E:\\Spil\\Command & Conquer 3\\RetailExe\\1.0\\cnc3game.dat:*:Enabled:Command & Conquer 3 Tiberium Wars"

"E:\\Spil\\World of Warcraft\\Repair.exe"="E:\\Spil\\World of Warcraft\\Repair.exe:*:Enabled:Blizzard Repair Utility"

"D:\\Documents and Settings\\Administrator\\Desktop\\Firefox Downs\\Programmer\\utorrent.exe"="D:\\Documents and Settings\\Administrator\\Desktop\\Firefox Downs\\Programmer\\utorrent.exe:*:Enabled:æTorrent"

"D:\\Program Files\\MSN Messenger\\livecall.exe"="D:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

"D:\\Program Files\\Skype\\Phone\\Skype.exe"="D:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"

"D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="D:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"

"E:\\Spil\\World of Warcraft\\BackgroundDownloader.exe"="E:\\Spil\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"

"D:\\Program Files\\MSN Messenger\\msnmsgr.exe"="D:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"

"D:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="D:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"D:\\Program Files\\MSN Messenger\\msncall.exe"="D:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"

"D:\\Program Files\\MSN Messenger\\livecall.exe"="D:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

"D:\\Program Files\\MSN Messenger\\msnmsgr.exe"="D:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"

 

Remaining Files:

---------------

 

Backups Folder: - D:\DOCUME~1\ADMINI~1\Desktop\SDfix\SDFix\backups\backups.zip

 

Checking For Files with Hidden Attributes:

 

D:\WINDOWS\msguard.exe

 

Finished

 

 

 

-----------------------------------------------------------------------------------------------------------------------------

 

 

"Administrator" - 2007-06-02 11:34:37 Service Pack 2

ComboFix 07-05.27.BV - Running from: "D:\Program Files\Mozilla Firefox\"

 

 

((((((((((((((((((((((((((((((( Files Created from 2007-05-02 to 2007-06-02 ))))))))))))))))))))))))))))))))))

 

 

2007-06-02 11:28 <DIR> d-------- D:\Program Files\CCleaner

2007-06-02 05:44 83,536 --a------ D:\WINDOWS\system32\drivers\iksyssec.sys

2007-06-02 05:44 59,984 --a------ D:\WINDOWS\system32\drivers\iksysflt.sys

2007-06-02 05:44 52,304 --a------ D:\WINDOWS\system32\drivers\ikfilesec.sys

2007-06-02 05:44 39,248 --a------ D:\WINDOWS\system32\drivers\ikfileflt.sys

2007-06-02 05:44 26,064 --a------ D:\WINDOWS\system32\drivers\kcom.sys

2007-06-02 05:43 626,688 --a------ D:\WINDOWS\system32\msvcr80.dll

2007-06-02 05:43 <DIR> d-------- D:\Program Files\Spyware Doctor

2007-06-02 05:43 <DIR> d-------- D:\DOCUME~1\ADMINI~1\APPLIC~1\PC Tools

2007-05-27 03:14 502,368 --a------ D:\WINDOWS\system32\drivers\amon.sys

2007-05-27 03:14 274,432 --a------ D:\WINDOWS\system32\imon.dll

2007-05-27 02:13 <DIR> d-------- D:\WINDOWS\CSC

2007-05-25 18:04 888,832 --a------ D:\WINDOWS\PolarClock v2.scr

2007-05-25 18:04 495,104 --a------ D:\WINDOWS\PolarClock v2 FP7.exe

2007-05-25 18:04 <DIR> d-------- D:\WINDOWS\PolarClock v2 Uninstaller

2007-05-24 15:11 14,604 --a------ D:\WINDOWS\system32\drivers\pfc.sys

2007-05-23 18:10 <DIR> d-------- D:\DOCUME~1\ADMINI~1\APPLIC~1\Ventrilo

2007-05-23 18:08 <DIR> d-------- D:\Program Files\Ventrilo

2007-05-23 00:26 <DIR> d-------- D:\Program Files\MSN Messenger

2007-05-22 07:32 <DIR> d-------- D:\Program Files\Mp3tag

2007-05-22 07:32 <DIR> d-------- D:\DOCUME~1\ADMINI~1\APPLIC~1\Mp3tag

2007-05-21 07:41 <DIR> d-------- D:\DOCUME~1\LOCALS~1\Application DataPDFcreator

2007-05-19 11:15 12,928 --a------ D:\WINDOWS\system32\drivers\filedisk.sys

2007-05-19 10:39 520 --ahs---- D:\WINDOWS\system32\msjeto212.dat

2007-05-19 10:39 <DIR> d-------- D:\Program Files\sisagp

2007-05-19 10:38 338 --ahs---- D:\WINDOWS\system32\msjeto211.dat

2007-05-19 10:38 <DIR> d-------- D:\Program Files\SafeTweak XP

2007-05-19 10:34 <DIR> d-------- D:\Program Files\ASUS

2007-05-19 10:00 <DIR> d-------- D:\DOCUME~1\ADMINI~1\APPLIC~1\SystemRequirementsLab

2007-05-09 23:55 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo!

2007-05-09 23:54 <DIR> d-------- D:\Program Files\Yahoo!

2007-05-08 20:39 <DIR> d-------- D:\Documents and Settings\ADMINI~1\awc_Pf8inch

2007-05-08 20:39 <DIR> d-------- D:\DOCUME~1\ADMINI~1\awc_Pf8inch

2007-05-04 15:42 <DIR> d-------- D:\WINDOWS\ShellNew

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-06-02 09:35:18 -------- d-----w D:\DOCUME~1\ADMINI~1\APPLIC~1\.gaim

2007-06-02 06:29:37 -------- d-----w D:\DOCUME~1\ADMINI~1\APPLIC~1\uTorrent

2007-05-24 13:11:01 -------- d--h--w D:\Program Files\InstallShield Installation Information

2007-05-23 16:08:17 -------- d-----w D:\Program Files\Common Files\Wise Installation Wizard

2007-05-21 12:11:28 -------- d-----w D:\DOCUME~1\ADMINI~1\APPLIC~1\dvdcss

2007-05-19 09:36:21 -------- d-----w D:\Program Files\Winamp

2007-05-09 19:40:36 -------- d-----w D:\DOCUME~1\ADMINI~1\APPLIC~1\Skype

2007-05-05 08:58:47 -------- d-----w D:\DOCUME~1\ADMINI~1\APPLIC~1\OpenOffice.org2

2007-04-30 17:45:20 -------- d-----w D:\Program Files\OpenOffice.org 2.2

2007-04-27 15:25:06 -------- d-----w D:\DOCUME~1\ADMINI~1\APPLIC~1\MusicIP

2007-04-25 19:15:02 -------- d--h--r D:\DOCUME~1\ADMINI~1\APPLIC~1\SecuROM

2007-04-21 18:19:27 -------- d-----w D:\Program Files\Common Files\NSV

2007-04-17 05:39:26 -------- d-----w D:\Program Files\Disc2Phone

2007-04-17 05:37:36 -------- d-----w D:\DOCUME~1\ADMINI~1\APPLIC~1\Teleca

2007-04-17 05:37:09 -------- d-----w D:\DOCUME~1\ADMINI~1\APPLIC~1\Sony Ericsson

2007-04-17 05:35:58 -------- d-----w D:\Program Files\Common Files\Teleca Shared

2007-04-17 05:35:50 -------- d-----w D:\Program Files\Sony Ericsson

2007-04-14 22:41:46 -------- d-----w D:\Program Files\Anti-Blaxx

2007-04-13 21:51:22 -------- d-----w D:\Program Files\THQ

2007-04-13 21:50:04 108,144 ----a-w D:\WINDOWS\system32\CmdLineExt.dll

2007-03-17 13:45:03 292,864 ----a-w D:\WINDOWS\system32\winsrv.dll

2007-03-11 07:19:39 16 ----a-w D:\WINDOWS\popcinfot.dat

2007-03-08 15:48:36 578,048 ----a-w D:\WINDOWS\system32\user32.dll

2007-03-08 15:48:36 40,960 ----a-w D:\WINDOWS\system32\mf3216.dll

2007-03-08 15:48:36 282,112 ----a-w D:\WINDOWS\system32\gdi32.dll

2007-03-08 13:49:49 1,843,968 ----a-w D:\WINDOWS\system32\win32k.sys

2007-03-07 23:51:00 129,784 ------w D:\WINDOWS\system32\pxafs.dll

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

{AA58ED58-01DD-4d91-8333-CF10577473F7}=d:\program files\google\googletoolbar3.dll [2006-10-12 11:38]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"nwiz"="nwiz.exe" [2006-10-22 12:22 D:\WINDOWS\system32\nwiz.exe]

"IAAnotif"="D:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 12:30]

"CTHelper"="CTHELPER.EXE" []

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" []

"NvMediaCenter"="NvMCTray.dll" [2006-10-22 12:22 D:\WINDOWS\system32\nvmctray.dll]

"nod32kui"="D:\Program Files\Eset\nod32kui.exe" [2006-05-31 02:13]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ASUS SmartDoctor"="D:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe" [2006-08-18 18:58]

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]

"SetDefaultMIDI"=MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoLowDiskSpaceChecks"=1 (0x1)

"NoRecentDocsHistory"=1 (0x1)

"GreyMSIAds"=1 (0x1)

"NoUserNameInStartMenu"=1 (0x1)

"StartMenuLogOff"=1 (0x1)

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WdfLoadGroup]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

UxTuneUp

 

 

********************************************************************

 

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-02 11:35:11

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CTHelper = CTHELPER.EXE?

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

 

********************************************************************

 

Completion time: 2007-06-02 11:35:32

 

--- E O F ---

 

 

 

-----------------------------------------------------------------------------------------------------------------------------

 

 

 

-------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER REPORT

Saturday, June 02, 2007 2:01:46 PM

Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)

Kaspersky Online Scanner version: 5.0.83.0

Kaspersky Anti-Virus database last update: 2/06/2007

Kaspersky Anti-Virus database records: 336390

-------------------------------------------------------------------------------

 

Scan Settings:

Scan using the following antivirus database: extended

Scan Archives: true

Scan Mail Bases: true

 

Scan Target - My Computer:

C:\

D:\

E:\

F:\

G:\

H:\

J:\

K:\

L:\

M:\

N:\

 

Scan Statistics:

Total number of scanned objects: 188930

Number of viruses found: 3

Number of infected objects: 11 / 0

Number of suspicious objects: 0

Duration of the scan process: 01:32:47

 

Infected Object Name / Virus Name / Last Action

C:\System Volume Information\_restore{2A7000DC-2030-4106-96C1-E3BD189139F1}\RP220\change.log Object is locked skipped

D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gdmthl0h.default\cert8.db Object is locked skipped

D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gdmthl0h.default\history.dat Object is locked skipped

D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gdmthl0h.default\key3.db Object is locked skipped

D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gdmthl0h.default\parent.lock Object is locked skipped

D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gdmthl0h.default\search.sqlite Object is locked skipped

D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\gdmthl0h.default\urlclassifier2.sqlite Object is locked skipped

D:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped

D:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

D:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

D:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\gdmthl0h.default\Cache\32B0BFF7d01 Object is locked skipped

D:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\gdmthl0h.default\Cache\_CACHE_001_ Object is locked skipped

D:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\gdmthl0h.default\Cache\_CACHE_002_ Object is locked skipped

D:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\gdmthl0h.default\Cache\_CACHE_003_ Object is locked skipped

D:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\gdmthl0h.default\Cache\_CACHE_MAP_ Object is locked skipped

D:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped

D:\Documents and Settings\Administrator\Local Settings\Temp\fla90E.tmp Object is locked skipped

D:\Documents and Settings\Administrator\Local Settings\Temp\fla944.tmp Object is locked skipped

D:\Documents and Settings\Administrator\Local Settings\Temp\fla949.tmp Object is locked skipped

D:\Documents and Settings\Administrator\Local Settings\Temp\IH948.tmp Object is locked skipped

D:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

D:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped

D:\Documents and Settings\Administrator\NTUSER.DAT.LOG Object is locked skipped

D:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

D:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

D:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

D:\Documents and Settings\LocalService\NTUSER.DAT.LOG Object is locked skipped

D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

D:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

D:\Documents and Settings\NetworkService\NTUSER.DAT.LOG Object is locked skipped

D:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped

D:\Program Files\ESET\infected\31CRYRDA.NQF Infected: Rootkit.Win32.Agent.ab skipped

D:\Program Files\ESET\logs\virlog.dat Object is locked skipped

D:\Program Files\ESET\logs\warnlog.dat Object is locked skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

D:\System Volume Information\_restore{2A7000DC-2030-4106-96C1-E3BD189139F1}\RP220\A0039681.exe Infected: Backdoor.Win32.SdBot.aad skipped

D:\System Volume Information\_restore{2A7000DC-2030-4106-96C1-E3BD189139F1}\RP220\change.log Object is locked skipped

D:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

D:\WINDOWS\SchedLgU.Txt Object is locked skipped

D:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

D:\WINDOWS\Sti_Trace.log Object is locked skipped

D:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

D:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

D:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

D:\WINDOWS\system32\config\default Object is locked skipped

D:\WINDOWS\system32\config\default.LOG Object is locked skipped

D:\WINDOWS\system32\config\SAM Object is locked skipped

D:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

D:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

D:\WINDOWS\system32\config\SECURITY Object is locked skipped

D:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

D:\WINDOWS\system32\config\software Object is locked skipped

D:\WINDOWS\system32\config\software.LOG Object is locked skipped

D:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

D:\WINDOWS\system32\config\system Object is locked skipped

D:\WINDOWS\system32\config\system.LOG Object is locked skipped

D:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped

D:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

D:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

D:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

D:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

D:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

D:\WINDOWS\wiadebug.log Object is locked skipped

D:\WINDOWS\wiaservc.log Object is locked skipped

D:\WINDOWS\WindowsUpdate.log Object is locked skipped

D:\WINDOWS\{00000002-00000000-00000006-00001102-00000008-10011102}.CDF Object is locked skipped

E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

E:\System Volume Information\_restore{2A7000DC-2030-4106-96C1-E3BD189139F1}\RP220\change.log Object is locked skipped

E:\Tmp og diverse\Windows.Vista.Brute.Force.Keygen-ComputerUser\kg.rar/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

E:\Tmp og diverse\Windows.Vista.Brute.Force.Keygen-ComputerUser\kg.rar/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

E:\Tmp og diverse\Windows.Vista.Brute.Force.Keygen-ComputerUser\kg.rar/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

E:\Tmp og diverse\Windows.Vista.Brute.Force.Keygen-ComputerUser\kg.rar RAR: infected - 3 skipped

E:\Tmp og diverse\Windows.Vista.Brute.Force.Keygen-ComputerUser\wvbfgkgv.zip/kg.rar/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

E:\Tmp og diverse\Windows.Vista.Brute.Force.Keygen-ComputerUser\wvbfgkgv.zip/kg.rar/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

E:\Tmp og diverse\Windows.Vista.Brute.Force.Keygen-ComputerUser\wvbfgkgv.zip/kg.rar/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

E:\Tmp og diverse\Windows.Vista.Brute.Force.Keygen-ComputerUser\wvbfgkgv.zip/kg.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

E:\Tmp og diverse\Windows.Vista.Brute.Force.Keygen-ComputerUser\wvbfgkgv.zip ZIP: infected - 4 skipped

H:\hiberfil.sys Object is locked skipped

H:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\7d79b4eb553df59b5cd33bba2d238ba2_943c268b-16b8-46af-9b03-40ae3012d3e5 Object is locked skipped

H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

H:\System Volume Information\_restore{2A7000DC-2030-4106-96C1-E3BD189139F1}\RP220\change.log Object is locked skipped

H:\Windows\CSC\v2.0.6\pq Object is locked skipped

H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl Object is locked skipped

H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl Object is locked skipped

H:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl Object is locked skipped

 

Scan process completed.


-----------------------------------------------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1

Scan saved at 14:08:34, on 02-06-2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\spoolsv.exe

D:\WINDOWS\ATKKBService.exe

D:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

D:\Program Files\Common Files\LightScribe\LSSrvc.exe

D:\Program Files\Eset\nod32krn.exe

D:\WINDOWS\system32\nvsvc32.exe

D:\WINDOWS\system32\svchost.exe

D:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

D:\WINDOWS\CTHELPER.EXE

D:\WINDOWS\system32\wuauclt.exe

D:\Program Files\Mozilla Firefox\firefox.exe

D:\Program Files\Gaim\gaim.exe

D:\WINDOWS\explorer.exe

D:\Program Files\MSN Messenger\msnmsgr.exe

D:\Documents and Settings\Administrator\Desktop\Firefox Downs\Programmer\utorrent.exe

D:\Documents and Settings\Administrator\Desktop\Firefox Downs\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.danskebank.dk/

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar3.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [iAAnotif] D:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKCU\..\Run: [ASUS SmartDoctor] D:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe /start

O4 - Global Startup: Logitech SetPoint.lnk = ?

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {76805459-88F6-4BB1-8EC1-1A4DDC777CFD} (KMDWebSign.zskwsax) - http://logon.kmd.dk/program/zskwsax.CAB

O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab

O16 - DPF: {D216644A-C6DB-49D9-BBCF-D38FE7991BF2} (Util Class) - https://udstedelse.certifikat.tdc.dk/csp/au...tdccsp-0506.exe

O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/...B/e-Safekey.cab

O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - D:\WINDOWS\ATKKBService.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - D:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - D:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - D:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1a\Win32\RpcDataSrv.exe

O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP1a\RpcSandraSrv.exe

O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - D:\Program Files\Spyware Doctor\svcntaux.exe

O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - D:\Program Files\Spyware Doctor\swdsvc.exe

Edited by pyTor

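A small triage helper for Kaspersky Online Scanner reports in the format posted above, added here as an example and not code from the thread or from Kaspersky. It separates the "Object is locked skipped" noise from real detections, collapses nested archive hits (kg.rar/keyfinder.exe/...) to the on-disk container that a person would actually delete, and sorts each container into a NOD32 quarantine folder, a System Restore point, or a live file. The sample lines are constructed from the shape of the report above, and the quarantine and restore-point path patterns are assumptions based on the paths it shows.

```python
"""Triage a Kaspersky Online Scanner report: keep the detections, drop the
'locked' noise, and say where on disk each finding lives.  Added example,
not part of the forum thread."""
import re
from collections import defaultdict

LOCKED_RE = re.compile(r"^(?P<path>.+) Object is locked skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) skipped$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) (?P<kind>RAR|ZIP): infected - (?P<count>\d+) skipped$")

# Constructed sample: a subset of the report above, same line format.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
D:\WINDOWS\system32\config\SAM Object is locked skipped
D:\Program Files\ESET\infected\31CRYRDA.NQF Infected: Rootkit.Win32.Agent.ab skipped
D:\System Volume Information\_restore{2A7000DC-2030-4106-96C1-E3BD189139F1}\RP220\A0039681.exe Infected: Backdoor.Win32.SdBot.aad skipped
E:\Tmp og diverse\Windows.Vista.Brute.Force.Keygen-ComputerUser\kg.rar/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
E:\Tmp og diverse\Windows.Vista.Brute.Force.Keygen-ComputerUser\kg.rar/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
E:\Tmp og diverse\Windows.Vista.Brute.Force.Keygen-ComputerUser\kg.rar RAR: infected - 3 skipped
Scan process completed.
"""


def classify_location(container: str) -> str:
    """Where the on-disk container sits.  The two folder patterns are assumptions
    drawn from the paths in the report (NOD32 quarantine, System Restore)."""
    upper = container.upper()
    if "\\SYSTEM VOLUME INFORMATION\\" in upper:
        return "restore-point"
    if "\\ESET\\INFECTED\\" in upper:
        return "quarantine"
    return "live"


def parse_report(text: str) -> dict:
    """Return locked-object count, per-object detections and archive summaries."""
    result = {"locked": 0, "detections": [], "archives": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if LOCKED_RE.match(line):
            result["locked"] += 1        # in-use system files, not findings
            continue
        m = INFECTED_RE.match(line)
        if m:
            path = m.group("path")
            # Kaspersky separates archive members with '/', so the part before
            # the first '/' is the file that actually exists on disk.
            container = path.split("/", 1)[0]
            verdict = m.group("verdict")
            result["detections"].append({
                "path": path,
                "container": container,
                "verdict": verdict,
                "location": classify_location(container),
                # 'not-a-virus:' prefix = potentially unwanted tool, not malware
                "pua": verdict.startswith("not-a-virus:"),
            })
            continue
        m = ARCHIVE_RE.match(line)
        if m:
            result["archives"].append(
                (m.group("path"), m.group("kind"), int(m.group("count"))))
    return result


def action_items(parsed: dict) -> dict:
    """Unique on-disk containers needing a decision, grouped by location."""
    groups = defaultdict(set)
    for det in parsed["detections"]:
        groups[det["location"]].add(det["container"])
    return {loc: sorted(paths) for loc, paths in groups.items()}


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print(f"locked objects skipped: {parsed['locked']}")
    for loc, paths in action_items(parsed).items():
        print(loc)
        for p in paths:
            print("   ", p)
```

Running it on the constructed sample yields one locked object, one quarantine container (already isolated by NOD32), one restore-point container, and one live archive, which is the only item of the three a user would delete by hand; the two `not-a-virus:` hits are flagged separately as potentially unwanted tools rather than malware.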

Hi pyTor, :wave:

 

You’re most welcome, pyTor. :)

 

Just some leftovers to take care of.

 

Please delete the following FILES:

 

D:\WINDOWS\msguard.exe

E:\Tmp og diverse\Windows.Vista.Brute.Force.Keygen-ComputerUser\kg.rar

E:\Tmp og diverse\Windows.Vista.Brute.Force.Keygen-ComputerUser\wvbfgkgv.zip

 

You may have to Show hidden files and folders first.

 

 

NEXT:

 

Everything looks great --- your HijackThis log appears to be clean. :)

 

Please take some time reading this list; it is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

  • Windows Updates (a must!)
    It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. You can either click on the link above and bookmark the updates page, or open Internet Explorer, then go to the Tools menu -> Windows Update, and follow the online instructions from there.
     
     
  • Firewall (a must!)
    It is definitely a must have. Some good FREE versions are Comodo, Outpost, or ZoneAlarm.
    Test your Firewall and make sure it is working properly.
    Note: You must only use 1 (one) firewall at a time because if you have 2 or more firewalls running at the same time, they will conflict with each other and make your security less reliable. Please also remember to turn off Windows Firewall once you have installed a new firewall.
     
     
  • Also make sure to run your antivirus software regularly, and to keep it up-to-date.
     
     
  • Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you do decide to install Firefox, please take a moment to read Switching from IE to Firefox.
     
     
  • SpywareBlaster
    This is a great FREE prevention tool to keep nasties from installing on your system.
    Tutorial: How to use!
     
     
  • IE-SPYAD
    This FREE tool puts over 5000 sites in your IE Restricted Zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
    Tutorial: How to use!
     
     
  • Spybot - Search & Destroy
    This is a very powerful FREE tool that can search for and annihilate nasties that make it onto your system. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features for realtime protection.
    Tutorial: How to use!
     
     
  • Ad-Aware SE
    This is another very powerful FREE tool that searches for and kills nasties that infect your system. Ad-Aware SE and Spybot Search & Destroy complement each other very well.
    Tutorial: How to use!
     
     
  • AVG Anti-Spyware
    This is an excellent FREE scanner to look for trojans and other nasties that might be residing in your system.
    User Manual: How to use!
     
     
  • SUPERAntiSpyware
    This is another excellent FREE scanner to look for nasties that might be lurking in your system. SUPERAntiSpyware and AVG Anti-Spyware complement each other very well.
    Quick Guide: How to use!
     
     
  • I suggest you perform an online virus scan once in a while because what one virus scanner can't find, another one maybe can:
    BitDefender Online Scanner
    F-Secure Online Scanner
    Panda ActiveScan
    Dr.Web CureIt <-- This is not really an online scanner, as it is a standalone utility. You need to download a new copy for updated virus definitions, but it can be run in Safe Mode, unlike the online scanners above.

Please also read Tony Klein's excellent article How I got Infected in the First Place and this CastleCops article Malware Prevention: Prevent Re-infection.

 

Hopefully this should take care of your problems! Good luck! :D

Edited by Sempurna

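The HijackThis O4 lines in pyTor's log record the Run-key autostart commands that the helper judged clean. Some give a full path and some only a bare file name (nwiz.exe, CTHELPER.EXE, KHALMNPR.EXE) that Windows resolves through its search path; CTHelper is also the entry catchme printed with a trailing "?". The parser below is an added example, not code from HijackThis or from the thread: it splits each O4 command into executable and arguments (handling quoted and unquoted paths with spaces, and the DLL named in a RunDLL32 command) and lists the entries whose binary is unqualified, so a reviewer knows which ones to locate on disk and verify by hand. The sample lines are constructed from the log above.

```python
"""List HijackThis O4 (Run-key) entries whose executable has no directory
path and therefore depends on Windows search order.  Added example, not part
of the forum thread."""
import re

# Constructed sample in HijackThis v1.99 format, modelled on the log above.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iAAnotif] D:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "D:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ASUS SmartDoctor] D:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe /start
O4 - Global Startup: Logitech SetPoint.lnk = ?
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Only registry Run entries are handled; 'Global Startup' .lnk lines are skipped.
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# Quoted executable, or an unquoted one that may contain spaces up to '.exe'.
EXE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.exe)(?=\s|$)', re.IGNORECASE)


def split_command(cmd: str) -> tuple:
    """Return (executable, remaining arguments) for an O4 command string."""
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    if m:
        return (m.group("q") or m.group("u")), cmd[m.end():].strip()
    parts = cmd.split(None, 1)          # fallback: first whitespace token
    return (parts[0] if parts else ""), (parts[1] if len(parts) > 1 else "")


def parse_o4(text: str) -> list:
    """Parse Run-key O4 lines into dicts; 'qualified' means a path was given."""
    entries = []
    for raw in text.splitlines():
        m = O4_RE.match(raw.strip())
        if not m:
            continue
        exe, args = split_command(m.group("cmd"))
        entry = {
            "hive": m.group("hive"),
            "name": m.group("name"),
            "exe": exe,
            "args": args,
            "qualified": "\\" in exe,
            "rundll_target": None,
        }
        # For RunDLL32 the real code lives in the DLL before the comma.
        if exe.lower().endswith("rundll32.exe") and args:
            entry["rundll_target"] = args.split(",", 1)[0].strip()
        entries.append(entry)
    return entries


def unqualified_autostarts(text: str) -> list:
    """Executables started by bare name, i.e. resolved via the search path."""
    return [e["exe"] for e in parse_o4(text) if not e["qualified"]]


if __name__ == "__main__":
    for e in parse_o4(SAMPLE_HJT):
        tag = "ok " if e["qualified"] else "VERIFY"
        extra = f"  (dll: {e['rundll_target']})" if e["rundll_target"] else ""
        print(f"{tag}  {e['hive']}  [{e['name']}]  {e['exe']}{extra}")
```

On the constructed sample the three entries marked VERIFY are nwiz.exe, CTHELPER.EXE and RunDLL32.exe (whose NvMCTray.dll argument is also unqualified). An unqualified entry is not evidence of infection by itself, which is consistent with the log being declared clean; it simply means the file's location has to be confirmed before the entry can be trusted.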

ok, I couldn't find the msguard.exe file (I can view all files, including protected operating files..)

 

But the rest I have taken care of, already using updates, and anti virus - but a decent firewall is something I should probably consider getting.

 

And just once more, thank you for your time.


Hi pyTor, :wave:

 

You're most welcome, pyTor. :)

 

That msguard.exe file is most likely no longer present in your system. It was most likely deleted by SDFix, but I wanted to make sure that it was gone.

 

Cheers! :wave:

~ Sempurna


Since this issue appears resolved ... this Topic is closed.

 

If you need this topic reopened, please tell the moderating team by replying HERE with the address of the thread. This applies only to the original topic starter.

 

Everyone else please begin a New Topic.
