Ash0 Log


8 replies to this topic

#1 OFFLINE   Ash0

    Newbie

  • Members
  • 6 posts

Posted 03 July 2007 - 01:12 AM

Sorry if I'm hijacking this thread but I received the same file through MSN.

I followed the instructions you gave and the report I got was this:


SDFix: Version 1.89

Run by HP_Owner on 03/07/2007 at 01:39

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services: 






Restoring Windows Registry Values
Restoring Windows Default Hosts File 

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\70f4ffce-71e4-8292-0029-3b54e4c7c2a3.tmp.exe - Deleted
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\cf0fdbaf-23d7-0034-88cc-ef91f116ca01.tmp.exe - Deleted
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\d080e938-8866-edb6-4d49-57a6016084e7.tmp.exe - Deleted
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\d743fe3e-2762-ec01-cb38-e1489ac44c82.tmp.exe - Deleted
C:\WINDOWS\system32\sysprinters.dll  - Deleted



Removing Temp Files...

ADS Check:

Checking C:\WINDOWS
C:\WINDOWS
No streams found. 

Checking C:\WINDOWS\system32
C:\WINDOWS\system32
No streams found. 

Checking C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.
 
Checking C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
 


								 Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\yahoo!\\messenger\\ypager.exe\""="C:\\Program Files\\yahoo!\\messenger\\ypager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\AOL 9.0\\waol.exe"="C:\\Program Files\\AOL 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\ashoz69\\counter-strike source\\hl2.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\ashoz69\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Xfire\\Xfire.exe"="C:\\Program Files\\Xfire\\Xfire.exe:*:Enabled:Xfire"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\nathozz\\counter-strike source\\hl2.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\nathozz\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\nathozz\\day of defeat source\\hl2.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\nathozz\\day of defeat source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\common\\red orchestra\\System\\RedOrchestra.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\common\\red orchestra\\System\\RedOrchestra.exe:*:Enabled:RedOrchestra"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\ashoz69\\counter-strike\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\ashoz69\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\nathozz\\half-life 2 deathmatch\\hl2.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\nathozz\\half-life 2 deathmatch\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\ashoz69\\half-life 2 deathmatch\\hl2.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\ashoz69\\half-life 2 deathmatch\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe"="C:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe:*:Enabled:TmNationsESWC"
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"="C:\\Program Files\\Windows Media Player\\wmplayer.exe:*:Enabled:Windows Media Player"
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enGB-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enGB-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enGB-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.12.0.5595-to-1.12.1.5875-enGB-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\ashoz69\\the ship\\ship.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\ashoz69\\the ship\\ship.exe:*:Enabled:ship"
"C:\\Program Files\\PopCap Games\\Bejeweled Deluxe\\WinBej.exe"="C:\\Program Files\\PopCap Games\\Bejeweled Deluxe\\WinBej.exe:*:Enabled:Bejeweled"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Documents and Settings\\HP_Owner\\My Documents\\utorrent.exe"="C:\\Documents and Settings\\HP_Owner\\My Documents\\utorrent.exe:*:Disabled:µTorrent"
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"="C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enGB-patch-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enGB-patch-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\nathozz\\the ship\\ship.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\nathozz\\the ship\\ship.exe:*:Enabled:ship"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\rakity\\counter-strike source\\hl2.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\rakity\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enGB-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enGB-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Sports Interactive\\Football Manager 2007\\fm.exe"="C:\\Program Files\\Sports Interactive\\Football Manager 2007\\fm.exe:*:Enabled:Football Manager 2007"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\nathozz\\source sdk base\\hl2.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\nathozz\\source sdk base\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enGB-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enGB-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enGB-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enGB-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enGB-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enGB-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enGB-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enGB-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\MessengerDiscovery\\MessengerDiscovery Live.exe"="C:\\Program Files\\MessengerDiscovery\\MessengerDiscovery Live.exe:*:Enabled:MessengerDiscovery Live the Windows Live Messenger addon"
"C:\\Program Files\\MessengerDiscovery\\Loader.exe"="C:\\Program Files\\MessengerDiscovery\\Loader.exe:*:Enabled:Loader"
"C:\\Program Files\\Octoshape Streaming Services\\HP_Owner\\OctoshapeClient.exe"="C:\\Program Files\\Octoshape Streaming Services\\HP_Owner\\OctoshapeClient.exe:*:Enabled:OctoshapeClient"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\ashoz69\\condition zero deleted scenes\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\ashoz69\\condition zero deleted scenes\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enGB-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enGB-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enGB-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enGB-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.0\\cnc3game.dat"="C:\\Program Files\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.0\\cnc3game.dat:*:Enabled:Command & Conquer 3 Tiberium Wars"
"C:\\Documents and Settings\\HP_Owner\\Local Settings\\Temp\\ElectronicArts_Patcher_000.exe"="C:\\Documents and Settings\\HP_Owner\\Local Settings\\Temp\\ElectronicArts_Patcher_000.exe:*:Enabled:ElectronicArts_Patcher_000"
"C:\\Program Files\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.4\\cnc3game.dat"="C:\\Program Files\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.4\\cnc3game.dat:*:Enabled:Command & Conquer 3 Tiberium Wars"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\rakity\\day of defeat\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\rakity\\day of defeat\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\gambet666\\half-life\\hl.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\gambet666\\half-life\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Program Files\\Valve\\Steam\\SteamApps\\gambet666\\counter-strike source\\hl2.exe"="C:\\Program Files\\Valve\\Steam\\SteamApps\\gambet666\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Codemasters\\The Lord of the Rings Online\\lotroclient.exe"="C:\\Program Files\\Codemasters\\The Lord of the Rings Online\\lotroclient.exe:*:Enabled:lotroclient.exe"
"C:\\Program Files\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.5\\cnc3game.dat"="C:\\Program Files\\Electronic Arts\\Command & Conquer 3\\RetailExe\\1.5\\cnc3game.dat:*:Enabled:Command & Conquer 3 Tiberium Wars"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "
"C:\\Program Files\\BitLord\\BitLord.exe"="C:\\Program Files\\BitLord\\BitLord.exe:*:Disabled:BitLord"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\*@hotmail.com\Sharing Folders\*@hotmail.co.uk\Thumbs.db
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\*@hotmail.com\Sharing Folders\*@hotmail.co.uk\Thumbs.db
C:\My Games\Bricks of Atlantis\BricksOfAtlantis.exe
C:\Program Files\AOL 9.0\aolphx.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\AOL 9.0\RBM.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp

								 Finished

Does this mean the Trojan or whatever it is is gone?
I'm not a techy at all so be patient with me :)
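
The firewall "Authorized Application Key Export" above is worth more than a glance: an attacker who drops a backdoor usually adds it to that list so inbound connections are allowed. As an added example (not from the original post, not part of SDFix), the script below parses that .reg-style dump and flags enabled exceptions whose executable lives somewhere a non-admin process can write, such as a drive root or the user's Temp folder. The sample input is a handful of lines copied from the log; the expansion of %windir% to C:\WINDOWS and the list of "user-writable" path fragments are assumptions.

```python
import re
from typing import List, NamedTuple

# Constructed sample: six lines in the shape of the SDFix "Authorized Application
# Key Export" above, i.e. a .reg-style dump of the XP SP2 firewall exception list.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\yahoo!\\messenger\\ypager.exe\""="C:\\Program Files\\yahoo!\\messenger\\ypager.exe:*:Enabled:Yahoo! Messenger"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Documents and Settings\\HP_Owner\\My Documents\\utorrent.exe"="C:\\Documents and Settings\\HP_Owner\\My Documents\\utorrent.exe:*:Disabled:uTorrent"
"C:\\Documents and Settings\\HP_Owner\\Local Settings\\Temp\\ElectronicArts_Patcher_000.exe"="C:\\Documents and Settings\\HP_Owner\\Local Settings\\Temp\\ElectronicArts_Patcher_000.exe:*:Enabled:ElectronicArts_Patcher_000"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
'''


class FwEntry(NamedTuple):
    path: str      # executable the exception applies to
    scope: str     # "*" means any remote address
    enabled: bool
    name: str      # display name shown in the firewall UI


class Finding(NamedTuple):
    path: str
    reason: str


# "key"="value"; the value is  <path>:<scope>:<Enabled|Disabled>:<name>
ENTRY_RE = re.compile(r'^"(?P<key>.*)"="(?P<value>.*)"$')
VALUE_RE = re.compile(
    r'^(?P<path>.*?):(?P<scope>[^:]*):(?P<state>enabled|disabled):(?P<name>.*)$',
    re.IGNORECASE)

# Assumption: %windir% is the default XP location.
WINDIR = 'C:\\WINDOWS'
# Assumed list of path fragments a non-admin process can write to; an exception
# pointing here means whatever lands in that folder may accept inbound connections.
USER_WRITABLE = ('\\local settings\\temp\\', '\\temp\\',
                 '\\documents and settings\\', '\\application data\\')


def parse_export(text: str) -> List[FwEntry]:
    """Parse the quoted name/value lines of a .reg export into FwEntry records."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith('"'):
            continue                      # blank line or [HKEY_...] section header
        m = ENTRY_RE.match(line)
        if not m:
            continue
        # .reg files double every backslash; undo that before interpreting the path.
        v = VALUE_RE.match(m.group('value').replace('\\\\', '\\'))
        if not v:
            continue
        entries.append(FwEntry(v['path'], v['scope'],
                               v['state'].lower() == 'enabled', v['name']))
    return entries


def triage(text: str) -> List[Finding]:
    """Flag enabled exceptions whose executable sits in a user-writable location."""
    findings = []
    for e in parse_export(text):
        if not e.enabled:
            continue                      # a disabled rule opens nothing
        path = e.path.replace('%windir%', WINDIR)
        low = path.lower()
        parent = low.rsplit('\\', 1)[0] + '\\'
        if re.fullmatch(r'[a-z]:\\', parent):
            findings.append(Finding(path, 'executable allowed from drive root'))
        elif any(marker in low for marker in USER_WRITABLE):
            findings.append(Finding(path, 'executable allowed from a user-writable profile or temp folder'))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_EXPORT):
        print(f'{f.reason}: {f.path}')
```

On the sample this reports C:\StubInstaller.exe and the ElectronicArts patcher in Local Settings\Temp; the disabled µTorrent rule is skipped because it grants nothing. A hit means "check what is there now", not "malicious": a game patcher in Temp is plausible, but the same rule would catch a backdoor that registered itself from the same folder.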

#2 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 03 July 2007 - 01:32 AM

Hi Ash0,

I put your post into a new topic to avoid confusing the one you added it to :)

Quote

Does this mean the Trojan or whatever it is is gone?
Yes, I updated SDFix earlier today and added that backdoor trojan, but it's a serious threat as it allows the attacker to have access to your system via IRC channels. Because of that we will need to run a couple of scans to make sure it's not added anything else to your system while the backdoor was open.

Please post a HijackThis log to start with; if you do not have it installed, here are the setup instructions:

Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even essential.


#3 OFFLINE   Ash0

    Newbie

  • Members
  • 6 posts

Posted 03 July 2007 - 01:44 PM

Thanks a lot :D

Logfile of HijackThis v1.99.1
Scan saved at 14:43:41, on 03/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ps2.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\program files\valve\steam\steam.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q404&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q404&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntl.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_GB&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [EPSON Stylus C46 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AutoTBar] c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://www.quadv.com/quadvtv2/Rawflow.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)


#4 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 03 July 2007 - 06:16 PM

Thanks Ash0

That looks ok, just a couple of entries to fix. It's not recommended to have more than one active antivirus program installed though, as the active components will conflict with each other, which often means you will get a lot more system crashes and other errors. If one is providing real-time protection and the second is only used as an on-demand scanner which you start and stop manually then they should work ok together; otherwise you should consider removing one so that there is only one antivirus program providing protection and starting with Windows.

It looks like Avast and Sophos are currently installed and Symantec has been on the system at some stage but may now have been removed, as there is only one Symantec entry showing. If Symantec/Norton was on the system and then removed, it's worth running their removal tool from Here to make sure it's not left any components behind, but if you still use any Norton programs skip that step as it will remove all their programs from your system.


Run Hijack This and choose Do A System Scan then place a check next to these entries

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - ht*p://www.popcap.com/games/popcaploader_v6.cab

Close all open browser windows and any other windows except for HijackThis and press the Fix Checked button.

To make sure there are no remaining trojans, run a scan with Kaspersky:
  • Please go HERE and click Kaspersky Online Scanner
  • Read and Accept the Agreement
  • You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • If you see a Windows dialog asking if you want to install this software, click the Install button.
  • The program will launch and then begin downloading the latest definition files.
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
  • Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
  • When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.
Sometimes on IE7 the window may not display clearly and will not show the Accept and Decline buttons when the view is 100%

The window may look like this when it opens at 100%

Posted Image

If it does, click Ctrl and - and it will zoom out to 90%, then the buttons will show; or you can click the magnifying glass icon on the bottom right of the status bar and choose zoom out from there.

Posted Image

It will then show the Accept and Decline buttons.

Posted Image

If the text size is then too small to see the instructions once the scan has started press Ctrl and + to zoom back to 100%

Please post back the Kaspersky log and let us know if you're having any problems on the pc.

Cheers
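
The three entries the reply asks to fix are the kind a small rule set can surface from a HijackThis log without reading every line by hand. As an added example, not part of the original thread and not code from HijackThis itself, the script below parses HJT-format lines and flags orphaned entries ("(no file)" or "(file missing)"), O4 Run commands given as a bare filename rather than a full path, and O16 downloaded ActiveX controls that registered no friendly name. The sample input is a subset of the log above; the rules are assumptions, and a hit means "review", not "malicious" (nwiz.exe is caught by the same rule as ALCXMNTR.EXE).

```python
import re
from typing import List, NamedTuple

# Constructed sample: a dozen lines in HijackThis v1.99.1 format, taken from the
# log above, mixing benign entries with the ones the reply asks to fix.
SAMPLE_HJT = r'''
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
'''


class Finding(NamedTuple):
    line: str
    reason: str


LINE_RE = re.compile(r'^(O\d+) - (.*)$')
# O4 body: HKLM\..\Run: [<name>] <command line>
O4_RE = re.compile(r'^HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\] (.*)$')
# O16 body: DPF: {CLSID} (<name>) - <url>   (the name part is optional)
O16_RE = re.compile(r'^DPF: \{[0-9A-Fa-f-]+\}( \(.*\))? - (\S+)$')


def command_image(cmd: str) -> str:
    """Return the program a Run command line starts (first token, quoted or not).
    rundll32 is only a host, so for it return the DLL it is told to load."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        image = cmd[1:cmd.find('"', 1)]
    else:
        image = cmd.split()[0]
    if image.lower() == 'rundll32.exe':
        image = cmd[len(image):].strip().split(',')[0]
    return image


def triage_hjt(text: str) -> List[Finding]:
    """Apply the review rules to every 'Oxx - ...' line and collect hits."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        line = m.group(0)
        # Any section: the registered target no longer exists on disk. Harmless by
        # itself, but an orphan is exactly what a half-removed infection leaves behind.
        if '(no file)' in body or '(file missing)' in body:
            findings.append(Finding(line, f'{section}: orphaned entry, target missing on disk'))
            continue
        if section == 'O4':
            m4 = O4_RE.match(body)
            if m4 and '\\' not in command_image(m4.group(1)):
                # No directory: Windows resolves it through the search path at logon,
                # so anything able to drop a same-named file earlier on that path wins.
                findings.append(Finding(line, 'O4: bare filename resolved via search path'))
        elif section == 'O16':
            m16 = O16_RE.match(body)
            if m16 and m16.group(1) is None:
                # Downloaded ActiveX control that registered no friendly name.
                findings.append(Finding(line, 'O16: unnamed downloaded ActiveX control'))
    return findings


if __name__ == '__main__':
    for f in triage_hjt(SAMPLE_HJT):
        print(f'{f.reason}\n    {f.line}')
```

On the sample this yields six hits: the three the reply fixes (the nameless BHO, ALCXMNTR.EXE, the unnamed popcap loader), the xpnetdiag button and the SymWSC service whose files are missing, and nwiz.exe, which is a legitimate NVIDIA component that happens to be registered the same sloppy way. That last one is the point of the "review, not verdict" caveat: the rules find entries a human should look at, and the human decides.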

#5 OFFLINE   Ash0

    Newbie

  • Members
  • 6 posts

Posted 04 July 2007 - 10:25 AM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, July 04, 2007 11:13:21 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 4/07/2007
Kaspersky Anti-Virus database records: 357449
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 186369
Number of viruses found: 6
Number of infected objects: 64 / 0
Number of suspicious objects: 0
Duration of the scan process: 04:24:21

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\HP_Owner\Application Data\Adobe\Acrobat\7.0\Updater\udlog.txt Object is locked skipped
C:\Documents and Settings\HP_Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\HP_Owner\ehayjr.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\HP_Owner\ehayjr.exe/data.rar Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\HP_Owner\ehayjr.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\HP_Owner\fgjchg.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\HP_Owner\hsklqf.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\HP_Owner\hyhdxd.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\HP_Owner\irrrzf.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\HP_Owner\izokxv.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\HP_Owner\kimjzc.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\HP_Owner\kirdps.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\HP_Owner\kirdps.exe/data.rar Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\HP_Owner\kirdps.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\*@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\*@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\*@hotmail.com\SharingMetadata\Working\database_5454_F23E_54F2_2282\dfsr.db Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\*@hotmail.com\SharingMetadata\Working\database_5454_F23E_54F2_2282\fsr.log Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\*@hotmail.com\SharingMetadata\Working\database_5454_F23E_54F2_2282\fsrtmp.log Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Messenger\*@hotmail.com\SharingMetadata\Working\database_5454_F23E_54F2_2282\tmp.edb Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Windows Live Contacts\*@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Windows Live Contacts\*@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\History\History.IE5\MSHist012007070320070704\index.dat Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DFA99D.tmp Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DFA9A9.tmp Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DFCE7D.tmp Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DFCEAF.tmp Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DFE6E6.tmp Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DFE74D.tmp Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\2MV3FA2M\mini[1].swf Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\N014X77E\addy[1].exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\N014X77E\addy[1].exe/data.rar Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\N014X77E\addy[1].exe RarSFX: infected - 2 skipped
C:\Documents and Settings\HP_Owner\lqicjo.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\HP_Owner\lqicjo.exe/data.rar Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\HP_Owner\lqicjo.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\HP_Owner\mcrssz.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\HP_Owner\mmmuff.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\HP_Owner\mmmuff.exe/data.rar Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\HP_Owner\mmmuff.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\HP_Owner\naxpki.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\HP_Owner\ndegur.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\HP_Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\HP_Owner\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\HP_Owner\penclz.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\HP_Owner\penclz.exe/data.rar Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\HP_Owner\penclz.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\HP_Owner\pengon.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\HP_Owner\pengon.exe/data.rar Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\HP_Owner\pengon.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\HP_Owner\ppnzzm.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\HP_Owner\ppnzzm.exe/data.rar Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\HP_Owner\ppnzzm.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\HP_Owner\qjkdfd.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\HP_Owner\qjmixr.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\HP_Owner\rohlns.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\HP_Owner\rohlns.exe/data.rar Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\HP_Owner\rohlns.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\HP_Owner\sgmlrl.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\HP_Owner\slbkgw.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\HP_Owner\slbkgw.exe/data.rar Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\HP_Owner\slbkgw.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\HP_Owner\ukhpec.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\HP_Owner\vhsjwz.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\HP_Owner\vyvukl.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\HP_Owner\wltxol.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
C:\Program Files\MP3 Player Utilities 1.51\DelDrv.exe Infected: not-a-virus:RiskTool.Win32.Deleter.b skipped
C:\Program Files\ntl\broadband medic\SmartBridge\AlertFilter.log Object is locked skipped
C:\Program Files\ntl\broadband medic\SmartBridge\log\httpclient.log Object is locked skipped
C:\Program Files\ntl\broadband medic\SmartBridge\SmartBridge.log Object is locked skipped
C:\Program Files\Valve\Steam\Steam.log Object is locked skipped
C:\Program Files\Valve\Steam\SteamApps\base source engine 2.gcf Object is locked skipped
C:\Program Files\Valve\Steam\SteamApps\counter-strike source client.gcf Object is locked skipped
C:\Program Files\Valve\Steam\SteamApps\counter-strike source shared.gcf Object is locked skipped
C:\Program Files\Valve\Steam\SteamApps\source engine.gcf Object is locked skipped
C:\Program Files\Valve\Steam\SteamApps\source materials.gcf Object is locked skipped
C:\Program Files\Valve\Steam\SteamApps\source models.gcf Object is locked skipped
C:\Program Files\Valve\Steam\SteamApps\source sounds.gcf Object is locked skipped
C:\Program Files\Valve\Steam\SteamApps\sourceinit.gcf Object is locked skipped
C:\Program Files\Valve\Steam\SteamApps\winui.gcf Object is locked skipped
C:\Program Files\Valve\Steam\SteamLogs\SteamStats.log Object is locked skipped
C:\SDFix\backups\backups.zip/backups/sysprinters.dll Infected: Backdoor.Win32.IRCBot.acd skipped
C:\SDFix\backups\backups.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{80DC5C79-2A86-4CC1-9CD1-1BF7D6883F58}\RP320\A0213264.exe Infected: not-a-virus:RiskTool.Win32.PsKill.p skipped
C:\System Volume Information\_restore{80DC5C79-2A86-4CC1-9CD1-1BF7D6883F58}\RP321\A0213439.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\System Volume Information\_restore{80DC5C79-2A86-4CC1-9CD1-1BF7D6883F58}\RP321\A0213439.exe/data.rar Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\System Volume Information\_restore{80DC5C79-2A86-4CC1-9CD1-1BF7D6883F58}\RP321\A0213439.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{80DC5C79-2A86-4CC1-9CD1-1BF7D6883F58}\RP321\A0213443.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\System Volume Information\_restore{80DC5C79-2A86-4CC1-9CD1-1BF7D6883F58}\RP321\A0213443.exe/data.rar Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\System Volume Information\_restore{80DC5C79-2A86-4CC1-9CD1-1BF7D6883F58}\RP321\A0213443.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{80DC5C79-2A86-4CC1-9CD1-1BF7D6883F58}\RP321\A0213444.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\System Volume Information\_restore{80DC5C79-2A86-4CC1-9CD1-1BF7D6883F58}\RP321\A0213444.exe/data.rar Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\System Volume Information\_restore{80DC5C79-2A86-4CC1-9CD1-1BF7D6883F58}\RP321\A0213444.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{80DC5C79-2A86-4CC1-9CD1-1BF7D6883F58}\RP322\A0214653.dll Infected: Backdoor.Win32.IRCBot.acd skipped
C:\System Volume Information\_restore{80DC5C79-2A86-4CC1-9CD1-1BF7D6883F58}\RP322\A0214668.dll Infected: Backdoor.Win32.IRCBot.acd skipped
C:\System Volume Information\_restore{80DC5C79-2A86-4CC1-9CD1-1BF7D6883F58}\RP322\A0214698.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{80DC5C79-2A86-4CC1-9CD1-1BF7D6883F58}\RP322\A0214700.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{80DC5C79-2A86-4CC1-9CD1-1BF7D6883F58}\RP322\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SB Insta.evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_544.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
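
The file list in the moderator's next reply is read straight off a report like the one above, and doing that by eye over a hundred-plus lines is error-prone. The Python script below is an added example, not part of the original thread and not tooling from Kaspersky, SDFix or any other product named here. It parses a constructed excerpt of the report above into a removal worklist: it collapses archive-member paths such as `ehayjr.exe/data.rar/ghost.exe` back to the file that actually sits on disk, keeps the SDFix backup archive and the System Restore copies apart from the files to delete by hand (the later instructions handle those by deleting C:\SDFix and purging restore points), flags `not-a-virus:` detections for a human decision rather than deletion, and lists locked system objects separately because they are in-use files, not infections. The category names, the `triage` and `profile_filenames` helpers and the excerpt itself are this example's own.

```python
import re
from collections import defaultdict

# Constructed excerpt of the scan log posted above (paths exactly as the scanner reported them).
SAMPLE_LOG = r"""
C:\Documents and Settings\HP_Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\HP_Owner\ehayjr.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\HP_Owner\ehayjr.exe/data.rar Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\HP_Owner\ehayjr.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\HP_Owner\fgjchg.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\N014X77E\addy[1].exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\N014X77E\addy[1].exe RarSFX: infected - 2 skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.62 skipped
C:\SDFix\backups\backups.zip/backups/sysprinters.dll Infected: Backdoor.Win32.IRCBot.acd skipped
C:\SDFix\backups\backups.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{80DC5C79-2A86-4CC1-9CD1-1BF7D6883F58}\RP322\A0214653.dll Infected: Backdoor.Win32.IRCBot.acd skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""

# The three line shapes that occur in the report.
LOCKED = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
INFECTED = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
CONTAINER = re.compile(r"^(?P<path>.+?) (?P<kind>RarSFX|ZIP|RAR): infected - (?P<n>\d+) skipped$")


def on_disk_path(reported):
    """Strip archive members: the scanner appends '/member' to the container's Windows path."""
    return reported.split("/", 1)[0]


def classify(path, name):
    """Decide what has to happen to a detected file (category names are this example's own)."""
    low = path.lower()
    if name.startswith("not-a-virus:"):
        return "review"          # legitimate tool flagged as risky: a person decides
    if low.startswith("c:\\sdfix\\"):
        return "sdfix_backup"    # copies SDFix quarantined: gone once C:\SDFix is deleted
    if "\\system volume information\\_restore" in low:
        return "restore_point"   # System Restore copies: gone once restore points are purged
    return "delete"              # live malware: delete by hand, never double-click


def triage(log_text):
    """Return (worklist by category, detection names per on-disk path, locked objects)."""
    worklist = defaultdict(set)
    detections = defaultdict(set)
    locked = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = LOCKED.match(line)
        if m:
            locked.append(m["path"])       # in-use system file, not an infection
            continue
        m = INFECTED.match(line)
        if m:
            path = on_disk_path(m["path"])
            detections[path].add(m["name"])
            worklist[classify(path, m["name"])].add(path)
            continue
        m = CONTAINER.match(line)
        if m:
            # Summary line for an archive; only record it if no member line was seen for it.
            path = m["path"]
            if path not in detections:
                detections[path].add(f"{m['kind']} archive, {m['n']} infected member(s)")
                worklist[classify(path, "")].add(path)
            continue
        worklist["unparsed"].add(line)    # never drop a line silently
    return {k: sorted(v) for k, v in worklist.items()}, dict(detections), locked


def profile_filenames(worklist, profile_dir):
    """Bare names of files to delete directly inside profile_dir (subfolders are handled elsewhere)."""
    prefix = profile_dir.rstrip("\\").lower() + "\\"
    names = [p[len(prefix):] for p in worklist.get("delete", [])
             if p.lower().startswith(prefix) and "\\" not in p[len(prefix):]]
    return sorted(names)


if __name__ == "__main__":
    worklist, detections, locked = triage(SAMPLE_LOG)
    for category, paths in worklist.items():
        print(f"[{category}]")
        for p in paths:
            print(f"  {p}  <- {', '.join(sorted(detections.get(p, [])))}")
    print("delete by hand in the profile folder:",
          profile_filenames(worklist, r"C:\Documents and Settings\HP_Owner"))
    print(f"{len(locked)} locked objects skipped (not infections)")
```

Run against the full report, the `delete` category for the profile folder is exactly the list of random six-letter executables the moderator asks to be removed, while the `addy[1].exe` copy in Temporary Internet Files falls to the temp-file cleanup step and `mirc.exe` is left for the owner to judge.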

#6 OFFLINE   Ash0

    Newbie

  • Members
  • Pip
  • 6 posts

Posted 04 July 2007 - 12:51 PM

Sorry about that, my post disappeared :s

#7 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 04 July 2007 - 07:58 PM

Hi Ash0,

Can you set Windows to show hidden files and folders so you can easily find all the files to remove:

Click Start, go to My Computer, then the C:\ drive.
Select the Tools menu from the top bar and click Folder Options. Select the View tab.
Under the Hidden files and folders heading, select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.

Click Yes to confirm then OK

Set this back once you have checked for the files by opening the same page, pressing the Restore Defaults button, then clicking Apply and OK.

Once that's done, please delete these files by right-clicking each of them and choosing Delete (make sure not to double-click them, as that will allow the trojans to run on your system).

Go to Start Menu > Run, then copy and paste

C:\Documents and Settings\HP_Owner\

Press OK and it will open your profile folder; delete all of these files from inside that folder:

ehayjr.exe
fgjchg.exe
hsklqf.exe
hyhdxd.exe
irrrzf.exe
izokxv.exe
kimjzc.exe
kirdps.exe
lqicjo.exe
mcrssz.exe
mmmuff.exe
naxpki.exe
ndegur.exe
penclz.exe
pengon.exe
ppnzzm.exe
qjkdfd.exe
qjmixr.exe
rohlns.exe
sgmlrl.exe
slbkgw.exe
ukhpec.exe
vhsjwz.exe
vyvukl.exe
wltxol.exe



Delete the C:\SDFix folder, as it contains backups of the trojan files it removed, which are not needed now.

Run CCleaner to clear out your Temp folders. If you do not have CCleaner installed, follow these steps:

Download CCleaner from Here. When the download page opens, scroll down to the centre download, which is named (CCleaner v1.40.520 - Basic - No Toolbar 629KB), then click Download Now. Run the setup file and press Next, click I Agree on the Licence Agreement, then Next again, click Install and then finally click Finish. Run CCleaner and press the Run Cleaner button to remove temp files, then exit CCleaner.

Then clear your System Restore points:

Click Start Menu > All Programs > Accessories > System Tools > System Restore

Choose Create a Restore Point, then click Next. Name it and click Create; when the confirmation screen shows the restore point has been created, click Close.

Next, go to Start Menu > Run and type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created. Then press OK to clear the temp files found in the initial scan and close Disk Cleanup.


Finally, download AVG Anti-Spyware
  • Load AVG and then click the Update tab at the top. Under Manual Update, click Start update.
  • Wait for the update to finish (the status bar at the bottom will display "Update successful").
  • Click on the Scanner tab at the top and then click on Complete System Scan.
  • AVG will list any infections found on the left; when the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG will then display "All actions have been applied" on the right.
  • Click on "Save Report", then "Save Report As". This will create a text file, which you can then save to the Desktop and post back.
Post back the AVG Anti-Spyware report and let us know if there are any remaining problems.

Cheers

Andy

#8 OFFLINE   Ash0

    Newbie

  • Members
  • Pip
  • 6 posts

Posted 05 July 2007 - 02:54 PM

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

 + Created at:	15:52:43 05/07/2007

 + Scan result:	



[3400] VM_0729E000 -> Adware.NaviPromo : Ignored.
C:\Documents and Settings\HP_Owner\My Documents\ASHLEY\msnVirusRemoval\Run.bat -> Backdoor.Robobot.ae : Ignored.
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@adtech[2].txt -> TrackingCookie.Adtech : Ignored.
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@advertising[1].txt -> TrackingCookie.Advertising : Ignored.
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@atdmt[2].txt -> TrackingCookie.Atdmt : Ignored.
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@connextra[3].txt -> TrackingCookie.Connextra : Ignored.
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@doubleclick[1].txt -> TrackingCookie.Doubleclick : Ignored.
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@fastclick[2].txt -> TrackingCookie.Fastclick : Ignored.
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Ignored.
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@questionmarket[2].txt -> TrackingCookie.Questionmarket : Ignored.
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Ignored.
C:\Documents and Settings\LocalService\Cookies\hp_owner@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Ignored.
C:\Documents and Settings\HP_Owner\My Documents\SONYkeygen.exe -> Trojan.Pakes.edg : Ignored.
C:\install\install.exe -> Trojan.VB.aqc : Ignored.


::Report end
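
Two things in this report matter for what comes next: every entry carries the action "Ignored", so nothing was actually removed, and the first line, `[3400] VM_0729E000 -> Adware.NaviPromo`, is a detection inside the memory of a running process (PID 3400 at that virtual address) rather than a file on disk, with no file entry of the same family anywhere in the report. The Python below is an added example, not part of the original thread and not AVG's own code; it parses a constructed excerpt of this report into memory, file and tracking-cookie entries and surfaces exactly those two conditions. The entry field names and the helper names are this example's own, and the AVG line format it relies on is only what is visible above.

```python
import re

# Constructed excerpt of the AVG Anti-Spyware report posted above.
SAMPLE_REPORT = r"""
[3400] VM_0729E000 -> Adware.NaviPromo : Ignored.
C:\Documents and Settings\HP_Owner\My Documents\ASHLEY\msnVirusRemoval\Run.bat -> Backdoor.Robobot.ae : Ignored.
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@doubleclick[1].txt -> TrackingCookie.Doubleclick : Ignored.
C:\Documents and Settings\HP_Owner\My Documents\SONYkeygen.exe -> Trojan.Pakes.edg : Ignored.
C:\install\install.exe -> Trojan.VB.aqc : Ignored.
"""

# "[pid] VM_<hex address>" is a detection inside a running process's memory, not on disk.
MEMORY = re.compile(r"^\[(?P<pid>\d+)\] VM_(?P<addr>[0-9A-Fa-f]+) -> (?P<name>\S+) : (?P<action>\w+)\.$")
FILE = re.compile(r"^(?P<path>.+?) -> (?P<name>\S+) : (?P<action>\w+)\.$")


def parse_avg(report):
    """Turn report lines into dicts tagged memory / file / cookie (field names are this example's)."""
    entries = []
    for line in report.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEMORY.match(line)          # must be tried first: FILE would also match this line
        if m:
            entries.append({"kind": "memory", "pid": int(m["pid"]), "addr": int(m["addr"], 16),
                            "name": m["name"], "action": m["action"]})
            continue
        m = FILE.match(line)
        if m:
            kind = "cookie" if m["name"].startswith("TrackingCookie.") else "file"
            entries.append({"kind": kind, "path": m["path"], "name": m["name"], "action": m["action"]})
    return entries


def memory_only_detections(entries):
    """Detections seen in a process but with no file entry of the same family on disk."""
    on_disk = {e["name"] for e in entries if e["kind"] == "file"}
    return [e for e in entries if e["kind"] == "memory" and e["name"] not in on_disk]


def not_removed(entries):
    """Entries the scanner reported but left alone (here the action is 'Ignored')."""
    return [e for e in entries if e["action"] == "Ignored"]


if __name__ == "__main__":
    entries = parse_avg(SAMPLE_REPORT)
    for e in memory_only_detections(entries):
        print(f"running code with no file found: {e['name']} in PID {e['pid']} at 0x{e['addr']:08X}")
    print(f"{len(not_removed(entries))} of {len(entries)} entries were left in place")
```

A memory-only hit is the signal that a hidden component is still running and loading from a file the scanner did not see, which is why the reply that follows moves on to a different tool instead of rerunning the same scan; the file and cookie entries, by contrast, have paths and can be removed by hand.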


#9 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 05 July 2007 - 03:22 PM

Hi Ash0

Quote

[3400] VM_0729E000 -> Adware.NaviPromo : Ignored.
Looks like you still have a hidden trojan running, as AVG detected it running in memory but hasn't detected its files, so we still have more work to do. The scan results are also showing everything was ignored, but you can remove the files manually rather than run the scanner again.

Delete these folders:

C:\Documents and Settings\HP_Owner\My Documents\ASHLEY\msnVirusRemoval
C:\install

Go to Start > Run, then copy and paste

C:\Documents and Settings\HP_Owner\My Documents\

Press OK to open the documents folder and then delete this trojan:

SONYkeygen.exe


Download this file - combofix.exe and save it to your desktop.
Double-click combofix.exe and follow the prompts.
When it's finished, it will produce a log of what it found. Please post the contents of that log in your next reply.

Note:
Do not click in ComboFix's window whilst it's running, as it may cause it to stall.

Cheers

Andy