HijackThis Log and Issues


This topic is locked
24 replies to this topic

#1 Parth

Authentic Member, 156 posts

Posted 07 October 2010 - 09:00 AM

Hey guys,
Unfortunately, had to come back and bother you all again with yet another set of problems. And mind you, this computer has Kaspersky and stuff installed, still my wife and them manage to have problems on it.

1. I keep getting a Windows error:
AVC.exe has encountered a problem and will shutdown...yada yada. It keeps popping up randomly without us even using this desktop. Only thing that was running was jdownloader downloading some stuff.

2. I just checked my task manager, I had about 100 processes, majority of which are iexplorer.exe and I can't kill them cuz more just start over.

3. Kaspersky keeps giving me a warning,
Blacklist of keys has been corrupted. Run Update to fix this problem.
But, obviously, I can't even run update.

Those are the 3 problems I have found so far. And of course, the fan of my desktop is running like a freaking exhaust fan non stop and loud as hell.

Here is the HijackThis log. And let me know if I need to run Spybot S&D and stuff.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:59:47 AM, on 10/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Anahua.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\PARTHI~1\LOCALS~1\Temp\Avc.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [JCFSE7V7Z1] C:\DOCUME~1\PARTHI~1\LOCALS~1\Temp\Avc.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe -update activex
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1D082E71-DF20-4AAF-863B-596428C49874} (TPIR Control) - http://www.worldwinn...0/tpir/tpir.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.3.102.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} (WorldWinner ActiveX Launcher Control) - http://www.worldwinn....0/iewwload.cab
O16 - DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} (KooPlayer Control) - http://www.idesitv.com/livetv.ocx
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://68.213.32.251...hecker_8198.cab
O16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} (Lexmark eDiagnostics Class) - https://ediagnostics....com/serval.cab
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.5.0_03) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinn...ool/h2hpool.cab
O16 - DPF: {FEC048AB-277A-460C-BF50-1A4193AEF148} (DownloadCenter Control) - http://68.213.32.251...Center_8200.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll acaptuser32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/PARTHI~1/LOCALS~1/Temp/msohtmlclip1/01/clip_image002.jpg

--
End of file - 13605 bytes

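Whoever picks up a log like the one above will eyeball it for a few standard red flags before asking for more scans. As an added illustration (not part of this thread and not HijackThis code), here is a small Python triage script that applies four of those checks to a handful of lines copied from the posted log: an autorun entry launched from the user's Temp folder under a machine-generated value name, a Winsock LSP that HijackThis does not recognise, an ActiveX control fetched from a bare IP address, and a service with no owner information. The regexes and the "random name" threshold are my own heuristics, not HijackThis rules, and the IP test only looks at the host prefix because the forum truncated the URLs.

```python
import re
from dataclasses import dataclass

# A subset of lines from the HijackThis log posted in this thread (sample input, not a full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [JCFSE7V7Z1] C:\DOCUME~1\PARTHI~1\LOCALS~1\Temp\Avc.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} (OCXDownloadChecker Control) - http://68.213.32.251...hecker_8198.cab
O16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} (Lexmark eDiagnostics Class) - https://ediagnostics....com/serval.cab
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# "O4 - <body>", "R1 - <body>", ... : section tag, then the rest of the line.
SECTION_RE = re.compile(r"^(O\d+|R\d|F\d|N\d)\s+-\s+(.*)$")
# O4 bodies look like "HKCU\..\Run: [ValueName] command line".
RUN_RE = re.compile(r"Run(?:Once)?:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.*)$")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)")
# Host that starts with a dotted quad (the forum's "..." truncation may follow it).
IPV4_PREFIX_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:$|[^\w-])")
TEMP_DIR_RE = re.compile(r"[\\/]temp[\\/]", re.IGNORECASE)
# Heuristic (my own, not a HijackThis rule): 8+ upper-case alphanumerics with at
# least one digit and one letter, e.g. JCFSE7V7Z1, looks machine-generated.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[A-Z])[A-Z0-9]{8,}$")


@dataclass
class Finding:
    section: str
    line: str
    reasons: list


def parse_hjt(text):
    """Yield (section, body, raw_line) for every HijackThis entry line in the text."""
    for raw in text.splitlines():
        raw = raw.strip()
        m = SECTION_RE.match(raw)
        if m:
            yield m.group(1), m.group(2), raw


def check_entry(section, body):
    """Return the list of reasons an entry deserves a closer look (empty if none)."""
    reasons = []
    if section == "O4":
        m = RUN_RE.search(body)
        if m:
            if TEMP_DIR_RE.search(m.group("cmd")):
                reasons.append("autorun executable lives in a Temp directory")
            if RANDOM_NAME_RE.match(m.group("name")):
                reasons.append("Run value name looks machine-generated")
    elif section == "O10":
        if "Unknown file" in body:
            reasons.append("Winsock LSP not recognised by HijackThis; verify the DLL")
    elif section == "O16":
        m = URL_HOST_RE.search(body)
        if m and IPV4_PREFIX_RE.match(m.group(1)):
            reasons.append("ActiveX control downloaded from a bare IP address")
    elif section == "O23":
        if "Unknown owner" in body:
            reasons.append("service binary carries no vendor/owner information")
    return reasons


def triage(text):
    """Run check_entry over every entry in a HijackThis log; return flagged entries in log order."""
    findings = []
    for section, body, raw in parse_hjt(text):
        reasons = check_entry(section, body)
        if reasons:
            findings.append(Finding(section, raw, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

A hit from this script is a prompt to verify the file (signature, hash, creation time in the DDS "Created Last 30" section), not a verdict; nwprovau.dll, for instance, is a legitimate NetWare component on many XP systems.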


#2 JonTom

Teacher Emeritus, Malware Team, 5,496 posts

Posted 07 October 2010 - 04:04 PM

Hello Parth and :welcome:

My name is JonTom.

  • Malware Logs can sometimes take a lot of time to research and interpret.
  • Please be patient while I try to assist with your problem. If at any time you do not understand what is required, please ask for further explanation.
  • Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
  • Read every reply you receive carefully and thoroughly before carrying out the instructions. You may also find it helpful to print out the instructions you receive, as in some instances you may have to disconnect your computer from the Internet.
  • PLEASE NOTE: If you do not reply after 5 days your thread will be closed.

Let's take a closer look at your system before we begin.


  • Please perform the following scan

    • Please download DDS from here and save it to your desktop.
    • Disable any script blocking protection (How to Disable your Security Programs)
    • Double click on the DDS icon to run the tool (may take up to 3 minutes to run).
    • When done, DDS.txt will open.
    • After a few moments, attach.txt will open in a second window.
    • Save both reports to your desktop.
    • Please post the contents of the DDS.txt and Attach.txt logs in your next reply.

  • Please scan your system with GMER

    • Download GMER Rootkit Scanner from here or here.
    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    • Save it where you can easily find it, such as your desktop, and post it in your reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


Please post the DDS logs and the GMER log in your next reply.

If you encounter any difficulty with the scans just let me know :)

Would you like to help others? Join the Classroom and learn how.
 
Member of UNITE
Proud Graduate of the WTT Classroom

#3 Parth

Authentic Member, 156 posts

Posted 07 October 2010 - 06:06 PM

Hey JonTom, Thanks for helping me. Here are the DDS reports.

DDS.txt

DDS (Ver_10-10-05.01) - NTFSx86
Run by Parthiv Thakore at 19:05:12.91 on Thu 10/07/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.671 [GMT -4:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Anahua.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\HelpCtr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\Documents and Settings\Parthiv Thakore\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
ustart page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
{555d4d79-4bd2-4094-a395-cfc534424a05}
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
uRun: [JCFSE7V7Z1] c:\docume~1\parthi~1\locals~1\temp\Avc.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10h_ActiveX.exe -update activex
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon]
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {1D082E71-DF20-4AAF-863B-596428C49874} - hxxp://www.worldwinner.com/games/v50/tpir/tpir.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.3.102.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} - hxxp://www.worldwinner.com/games/launcher/ie/v2.22.01.0/iewwload.cab
DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} - hxxp://www.idesitv.com/livetv.ocx
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} - hxxp://68.213.32.251/cab/OCXChecker_8198.cab
DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} - hxxps://ediagnostics.lexmark.com/serval.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} - hxxp://www.worldwinner.com/games/v53/h2hpool/h2hpool.cab
DPF: {FEC048AB-277A-460C-BF50-1A4193AEF148} - hxxp://68.213.32.251/cab/DownloadCenter_8200.cab
Notify: klogon - c:\windows\system32\klogon.dll
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll acaptuser32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll
LSA: Authentication Packages = msv1_0 nwprovau

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\parthi~1\applic~1\mozilla\firefox\profiles\5tuxkkf3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\parthiv thakore\application data\mozilla\firefox\profiles\5tuxkkf3.default\extensions\{195a3098-0bd5-4e90-ae22-ba1c540afd1e}\plugins\npGarmin.dll
FF - plugin: c:\documents and settings\parthiv thakore\application data\mozilla\firefox\profiles\5tuxkkf3.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\parthiv thakore\application data\mozilla\firefox\profiles\5tuxkkf3.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-5-26 226832]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-4-30 46112]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]
S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-9-24 27064]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-10-02 16:07:10 -------- d-----w- C:\Your Software Here
2010-10-02 14:00:15 -------- d-----w- c:\program files\Wide Angle Software
2010-10-02 13:45:51 -------- d-----w- c:\program files\BitTorrent
2010-10-02 13:45:23 -------- d-----w- c:\docume~1\parthi~1\applic~1\BitTorrent
2010-10-02 13:30:53 48 ----a-w- c:\docume~1\parthi~1\locals~1\applic~1\84756-11986-27475-00TC1-94865
2010-10-02 04:48:13 -------- d-----w- c:\docume~1\parthi~1\locals~1\applic~1\tctemp
2010-10-02 04:38:51 192512 ----a-w- c:\windows\Anahua.exe
2010-10-02 04:33:35 -------- d-----w- c:\docume~1\parthi~1\locals~1\applic~1\Wide Angle Software
2010-09-29 22:39:12 -------- d-----w- c:\program files\iTunes
2010-09-29 15:37:13 729088 ----a-w- c:\windows\system32\hpowiax7.dll
2010-09-29 15:37:13 581632 ----a-w- c:\windows\system32\hpotscl6.dll
2010-09-29 15:37:13 372736 ----a-w- c:\windows\system32\hppldcoi.dll
2010-09-29 15:37:13 309760 ----a-w- c:\windows\system32\difxapi.dll
2010-09-29 15:37:13 303104 ----a-w- c:\windows\system32\hpovst15.dll
2010-09-29 15:26:21 112056 ----a-w- c:\windows\system32\acaptuser32.dll
2010-09-29 15:24:22 -------- d-----w- C:\_AcroTemp
2010-09-25 22:48:49 -------- d-----w- c:\program files\common files\Hewlett-Packard
2010-09-25 22:48:32 -------- d-----w- c:\program files\common files\HP
2010-09-25 22:47:52 -------- d-----w- c:\program files\HP
2010-09-24 19:51:00 -------- d-----w- c:\docume~1\parthi~1\locals~1\applic~1\VS Revo Group
2010-09-24 19:50:50 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-09-24 19:50:48 -------- d-----w- c:\program files\VS Revo Group
2010-09-24 19:15:37 -------- d-----w- c:\docume~1\parthi~1\applic~1\Registry Mechanic
2010-09-24 18:24:54 -------- d-----w- c:\docume~1\alluse~1\applic~1\RegCure
2010-09-24 14:21:39 -------- d-----w- c:\docume~1\parthi~1\applic~1\HpUpdate
2010-09-24 14:21:10 -------- d-----w- c:\windows\Cache
2010-09-24 14:21:09 -------- d-----w- c:\program files\Coupons
2010-09-24 04:08:52 -------- d-----w- c:\program files\CCleaner
2010-09-24 03:37:40 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-23 04:03:41 -------- d-----w- c:\program files\common files\Macrovision Shared
2010-09-23 04:02:59 46928 ----a-w- c:\windows\system32\AdobePDF.dll
2010-09-23 04:02:59 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2010-09-17 03:56:06 -------- d-----w- c:\program files\Lavalys
2010-09-12 23:29:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-09-12 23:21:57 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-09-12 23:21:27 -------- d-----w- c:\program files\Bonjour
2010-09-10 16:38:00 -------- d-----w- c:\docume~1\parthi~1\applic~1\TeamViewer
2010-09-08 15:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts

==================== Find3M ====================

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-27 22:44:10 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-27 22:44:10 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-07-27 22:44:10 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-17 06:42:29 73728 ----a-w- c:\windows\system32\javacpl.cpl

============= FINISH: 19:47:55.03 ===============

Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-10-05.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 6/7/2006 10:52:11 PM
System Uptime: 10/2/2010 9:00:19 AM (130 hours ago)

Motherboard: Dell Inc. | | 0HJ054
Processor: Intel® Pentium® D CPU 2.80GHz | Microprocessor | 2793/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 233 GiB total, 149.657 GiB free.
E: is Removable
F: is Removable
G: is Removable
H: is CDROM (UDF)
I: is CDROM (CDFS)
J: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP542: 9/23/2010 11:00:38 PM - Removed HP Update
RP543: 9/23/2010 11:28:41 PM - Removed Java™ 6 Update 2
RP544: 9/23/2010 11:36:10 PM - Installed Java™ 6 Update 21
RP545: 9/24/2010 1:03:38 PM - Removed HP Update.
RP546: 9/25/2010 1:28:41 PM - System Checkpoint RP547: 9/27/2010 1:13:40 PM - System Checkpoint RP548: 9/29/2010 3:00:26 AM - Software Distribution Service 3.0 RP549: 9/29/2010 11:41:33 AM - Installed MSVCSetup RP550: 9/30/2010 12:33:41 PM - System Checkpoint RP551: 10/1/2010 12:47:36 PM - System Checkpoint RP552: 10/2/2010 12:32:54 AM - Installed TouchCopy 09 RP553: 10/2/2010 12:49:38 AM - Removed TouchCopy 09 RP554: 10/2/2010 9:21:29 AM - Installed TouchCopy 09 RP555: 10/2/2010 9:26:50 AM - Removed TouchCopy 09 RP556: 10/2/2010 9:32:01 AM - Installed TouchCopy 09 RP557: 10/2/2010 9:41:45 AM - Removed TouchCopy 09 RP558: 10/2/2010 9:52:10 AM - Installed TouchCopy 09 RP559: 10/2/2010 9:56:11 AM - Removed TouchCopy 09 RP560: 10/2/2010 10:00:12 AM - Installed TouchCopy 09 RP561: 10/2/2010 10:38:14 AM - Removed TouchCopy 09 RP562: 10/2/2010 11:25:36 AM - Installed TouchCopy 09 RP563: 10/2/2010 11:28:45 AM - Removed TouchCopy 09 RP564: 10/2/2010 12:01:11 PM - Removed Ask Toolbar. RP565: 10/2/2010 12:07:48 PM - Installed TouchCopy 09 RP566: 10/6/2010 3:02:04 AM - Software Distribution Service 3.0 RP567: 10/7/2010 10:58:36 AM - Installed HiJackThis ==== Installed Programs ====================== 2007 Microsoft Office Suite Service Pack 2 (SP2) 32 Bit HP CIO Components Installer Acrobat.com Adobe Acrobat 9 Pro Extended - English, Français, Deutsch Adobe Acrobat 9.3.4 - CPSID_83708 Adobe AIR Adobe Flash Player 10 ActiveX Adobe Flash Player 10 Plugin Adobe Reader 9.3.4 Adobe® Photoshop® Album Starter Edition 3.0 AGEIA PhysX v2.6.0 Akamai NetSession Interface Apple Application Support Apple Mobile Device Support Apple Software Update ATI - Software Uninstall Utility ATI Control Panel ATI Display Driver ATT-PRT22 BitTorrent Bonjour BufferChm Canon Utilities ZoomBrowser EX CCleaner CDBurnerXP Compatibility Pack for the 2007 Office system Conexant D850 56K V.9x DFVc Modem Copy Coupon Printer for Windows Creative MediaSource Critical Update for Windows Media Player 11 (KB959772) 
CustomerResearchQFolder Dell Driver Download Manager Destination Component DeviceDiscovery DeviceManagementQFolder DivX Setup DJ_AIO_03_F4200_Software_Min DMMultiView eSupportQFolder EVEREST Home Edition v2.20 Foxit PDF Editor Garmin USB Drivers Garmin WebUpdater GemMaster Mystic GeoVision ADPCM GeoVision H264 GeoVision JPEG GeoVision MPEG2 GeoVision MPEG4 GeoVision MPEG4 ASP GeoVision MPEG4 AVC Google Update Helper GPBaseService GPBaseService2 GroundSchool - Private and Recreational Pilot High Definition Audio Driver Package - KB835221 HiJackThis Hotfix for Microsoft .NET Framework 3.0 (KB932471) Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595) Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484) Hotfix for Windows Internet Explorer 7 (KB947864) Hotfix for Windows Media Format 11 SDK (KB929399) Hotfix for Windows Media Player 10 (KB903157) Hotfix for Windows Media Player 11 (KB939683) Hotfix for Windows XP (KB2158563) Hotfix for Windows XP (KB952287) Hotfix for Windows XP (KB954550-v5) Hotfix for Windows XP (KB961118) Hotfix for Windows XP (KB970653-v3) Hotfix for Windows XP (KB976098-v2) Hotfix for Windows XP (KB979306) Hotfix for Windows XP (KB981793) HP Customer Participation Program 10.0 HP Deskjet F4200 All-In-One Driver 11.0 03 HP Imaging Device Functions 10.0 HP Photosmart Essential 2.5 HP Smart Web Printing HP Solution Center 13.0 HP Update HPProductAssistant HPSSupply ImageConverter Plus 8.0 Intel® PRO Network Connections Drivers iTunes Jasc Paint Shop Photo Album 5 Jasc Paint Shop Pro Studio, Dell Editon Java Auto Updater Java DB 10.4.1.3 Java™ 6 Update 21 Java™ SE Development Kit 6 Update 13 JavaFX™ 1.1 SDK JDownloader K-Lite Codec Pack 5.6.1 (Full) Kaspersky Internet Security 2009 LiquorPOS Demo Version 5.01.185 Macromedia Shockwave Player MarketResearch Maxthon Browser (remove only) Microsoft .NET Framework 1.0 Hotfix (KB953295) Microsoft .NET Framework 1.0 Hotfix (KB979904) Microsoft .NET Framework 2.0 Service Pack 2 Microsoft .NET Framework 
3.0 Service Pack 2 Microsoft .NET Framework 3.5 SP1 Microsoft Base Smart Card Cryptographic Service Provider Package Microsoft Compression Client Pack 1.0 for Windows XP Microsoft Internationalized Domain Names Mitigation APIs Microsoft National Language Support Downlevel APIs Microsoft Office Excel MUI (English) 2007 Microsoft Office Home and Student 2007 Microsoft Office OneNote MUI (English) 2007 Microsoft Office PowerPoint MUI (English) 2007 Microsoft Office Proof (English) 2007 Microsoft Office Proof (French) 2007 Microsoft Office Proof (Spanish) 2007 Microsoft Office Proofing (English) 2007 Microsoft Office Shared MUI (English) 2007 Microsoft Office Shared Setup Metadata MUI (English) 2007 Microsoft Office Word MUI (English) 2007 Microsoft Silverlight Microsoft Software Update for Web Folders (English) 12 Microsoft User-Mode Driver Framework Feature Pack 1.0 Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 Microsoft Visual C++ 2005 Redistributable Microsoft Web Publishing Wizard 1.52 MobileMe Control Panel Move Networks Media Player for Internet Explorer Mozilla Firefox (3.6.10) MSVCSetup MSXML 4.0 SP2 (KB927978) MSXML 4.0 SP2 (KB936181) MSXML 4.0 SP2 (KB954430) MSXML 4.0 SP2 (KB973688) MSXML 6.0 Parser (KB933579) Octoshape add-in for Adobe Flash Player PrimoPDF -- brought to you by Nitro PDF Software PSSWCORE Python 2.6.2 QuickTime Real Alternative 1.48 RealPlayer Revo Uninstaller Pro 2.4.1 SA32xx Device Manager SA32xx Media Converter Scan Security Update for 2007 Microsoft Office System (KB2277947) Security Update for 2007 Microsoft Office System (KB2288621) Security Update for 2007 Microsoft Office System (KB969559) Security Update for 2007 Microsoft Office System (KB976321) Security Update for 2007 Microsoft Office System (KB982312) Security Update for 2007 Microsoft Office System (KB982331) Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473) Security Update for Microsoft Office Excel 2007 (KB982308) Security Update for 
Microsoft Office InfoPath 2007 (KB979441) Security Update for Microsoft Office PowerPoint 2007 (KB982158) Security Update for Microsoft Office system 2007 (972581) Security Update for Microsoft Office system 2007 (KB974234) Security Update for Microsoft Office Visio Viewer 2007 (KB973709) Security Update for Microsoft Office Word 2007 (KB2251419) Security Update for Windows Internet Explorer 7 (KB937143) Security Update for Windows Internet Explorer 7 (KB938127) Security Update for Windows Internet Explorer 7 (KB939653) Security Update for Windows Internet Explorer 7 (KB942615) Security Update for Windows Internet Explorer 7 (KB944533) Security Update for Windows Internet Explorer 7 (KB950759) Security Update for Windows Internet Explorer 7 (KB953838) Security Update for Windows Internet Explorer 8 (KB2183461) Security Update for Windows Internet Explorer 8 (KB969897) Security Update for Windows Internet Explorer 8 (KB971961) Security Update for Windows Internet Explorer 8 (KB972260) Security Update for Windows Internet Explorer 8 (KB974455) Security Update for Windows Internet Explorer 8 (KB976325) Security Update for Windows Internet Explorer 8 (KB978207) Security Update for Windows Internet Explorer 8 (KB981332) Security Update for Windows Internet Explorer 8 (KB982381) Security Update for Windows Media Player (KB952069) Security Update for Windows Media Player (KB954155) Security Update for Windows Media Player (KB968816) Security Update for Windows Media Player (KB973540) Security Update for Windows Media Player (KB975558) Security Update for Windows Media Player (KB978695) Security Update for Windows Media Player 10 (KB911565) Security Update for Windows Media Player 10 (KB917734) Security Update for Windows Media Player 11 (KB936782) Security Update for Windows Media Player 11 (KB954154) Security Update for Windows Media Player 6.4 (KB925398) Security Update for Windows XP (KB2079403) Security Update for Windows XP (KB2115168) Security Update for Windows XP 
(KB2121546) Security Update for Windows XP (KB2160329) Security Update for Windows XP (KB2229593) Security Update for Windows XP (KB2259922) Security Update for Windows XP (KB2286198) Security Update for Windows XP (KB2347290) Security Update for Windows XP (KB913433) Security Update for Windows XP (KB923561) Security Update for Windows XP (KB938464-v2) Security Update for Windows XP (KB938464) Security Update for Windows XP (KB941569) Security Update for Windows XP (KB946648) Security Update for Windows XP (KB950760) Security Update for Windows XP (KB950762) Security Update for Windows XP (KB950974) Security Update for Windows XP (KB951066) Security Update for Windows XP (KB951376-v2) Security Update for Windows XP (KB951376) Security Update for Windows XP (KB951698) Security Update for Windows XP (KB951748) Security Update for Windows XP (KB952004) Security Update for Windows XP (KB952954) Security Update for Windows XP (KB953839) Security Update for Windows XP (KB954211) Security Update for Windows XP (KB954459) Security Update for Windows XP (KB954600) Security Update for Windows XP (KB955069) Security Update for Windows XP (KB956391) Security Update for Windows XP (KB956572) Security Update for Windows XP (KB956744) Security Update for Windows XP (KB956802) Security Update for Windows XP (KB956803) Security Update for Windows XP (KB956841) Security Update for Windows XP (KB956844) Security Update for Windows XP (KB957095) Security Update for Windows XP (KB957097) Security Update for Windows XP (KB958644) Security Update for Windows XP (KB958687) Security Update for Windows XP (KB958690) Security Update for Windows XP (KB958869) Security Update for Windows XP (KB959426) Security Update for Windows XP (KB960225) Security Update for Windows XP (KB960715) Security Update for Windows XP (KB960803) Security Update for Windows XP (KB960859) Security Update for Windows XP (KB961371) Security Update for Windows XP (KB961373) Security Update for Windows XP (KB961501) 
Security Update for Windows XP (KB968537) Security Update for Windows XP (KB969059) Security Update for Windows XP (KB969898) Security Update for Windows XP (KB969947) Security Update for Windows XP (KB970238) Security Update for Windows XP (KB970430) Security Update for Windows XP (KB971468) Security Update for Windows XP (KB971486) Security Update for Windows XP (KB971557) Security Update for Windows XP (KB971633) Security Update for Windows XP (KB971657) Security Update for Windows XP (KB972270) Security Update for Windows XP (KB973346) Security Update for Windows XP (KB973354) Security Update for Windows XP (KB973507) Security Update for Windows XP (KB973525) Security Update for Windows XP (KB973869) Security Update for Windows XP (KB973904) Security Update for Windows XP (KB974112) Security Update for Windows XP (KB974318) Security Update for Windows XP (KB974392) Security Update for Windows XP (KB974571) Security Update for Windows XP (KB975025) Security Update for Windows XP (KB975467) Security Update for Windows XP (KB975560) Security Update for Windows XP (KB975561) Security Update for Windows XP (KB975562) Security Update for Windows XP (KB975713) Security Update for Windows XP (KB977165) Security Update for Windows XP (KB977816) Security Update for Windows XP (KB977914) Security Update for Windows XP (KB978037) Security Update for Windows XP (KB978251) Security Update for Windows XP (KB978262) Security Update for Windows XP (KB978338) Security Update for Windows XP (KB978542) Security Update for Windows XP (KB978601) Security Update for Windows XP (KB979309) Security Update for Windows XP (KB979482) Security Update for Windows XP (KB979559) Security Update for Windows XP (KB979683) Security Update for Windows XP (KB980195) Security Update for Windows XP (KB980218) Security Update for Windows XP (KB980232) Security Update for Windows XP (KB980436) Security Update for Windows XP (KB981322) Security Update for Windows XP (KB981852) Security Update for 
Windows XP (KB981997) Security Update for Windows XP (KB982214) Security Update for Windows XP (KB982665) Security Update for Windows XP (KB982802) Shop for HP Supplies SigmaTel Audio SmartWebPrintingOC SolutionCenter Sonic Encoders Sound Blaster Audigy ADVANCED MB Spelling Dictionaries Support For Adobe Reader 9 Spybot - Search & Destroy Status TBS WMP Plug-in Toolbox TouchCopy 09 TrayApp Update for 2007 Microsoft Office System (KB967642) Update for Microsoft .NET Framework 3.5 SP1 (KB963707) Update for Microsoft Office OneNote 2007 (KB980729) Update for Windows Internet Explorer 8 (KB968220) Update for Windows Internet Explorer 8 (KB976662) Update for Windows Internet Explorer 8 (KB976749) Update for Windows Internet Explorer 8 (KB980182) Update for Windows Media Player 10 (KB913800) Update for Windows XP (KB2141007) Update for Windows XP (KB951072-v2) Update for Windows XP (KB951978) Update for Windows XP (KB955759) Update for Windows XP (KB955839) Update for Windows XP (KB960763) Update for Windows XP (KB967715) Update for Windows XP (KB968389) Update for Windows XP (KB971737) Update for Windows XP (KB973687) Update for Windows XP (KB973815) Update Rollup 2 for Windows XP Media Center Edition 2005 VC80CRTRedist - 8.0.50727.4053 Veoh Web Player VeohTV BETA VideoToolkit01 VLC media player 0.9.2 WebFldrs XP Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0) Windows Genuine Advantage Notifications (KB905474) Windows Genuine Advantage Validation Tool (KB892130) Windows Imaging Component Windows Internet Explorer 7 Windows Internet Explorer 8 Windows Media Format 11 runtime Windows Media Player 11 Windows Media Player Firefox Plugin Windows Presentation Foundation Windows XP Media Center Edition 2005 KB925766 Windows XP Media Center Edition 2005 KB973768 Windows XP Service Pack 3 WinRAR archiver XML Paper Specification Shared Components Pack 1.0 Yahoo! BrowserPlus 2.7.1 Yahoo! Messenger Yahoo! Software Update Yahoo! 
GMER is running now, so will post results soon.

Parth

#4 Parth (Authentic Member, 156 posts)

Posted 08 October 2010 - 08:17 AM

mmm, I had started GMER.exe last night when I had made that post. Only C: is selected, IAT/EAT thing is UNCHECKED and show all is UNCHECKED. It's been like 15 hrs and it's still running o_O Is that normal? lol Thanks.

Parth

#5 Parth (Authentic Member, 156 posts)

Posted 08 October 2010 - 09:04 AM

Ah, finally got it done.
Here you go:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-10-08 10:55:32
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\PARTHI~1\LOCALS~1\Temp\fxldapow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwAdjustPrivilegesToken [0xB07C01DA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwClose [0xB07C07AE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwConnectPort [0xB07C21EA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateFile [0xB07C1B9C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateKey [0xB07BF950]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xB07C3B7C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateThread [0xB07C05AE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteKey [0xB07BFD92]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteValueKey [0xB07BFF92]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeviceIoControlFile [0xB07C1EAC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDuplicateObject [0xB07C4084]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateKey [0xB07C00A8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateValueKey [0xB07C0110]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwFsControlFile [0xB07C1D5E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwLoadDriver [0xB07C3620]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenFile [0xB07C19F8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenKey [0xB07BFAB2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenProcess [0xB07C03B2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenSection [0xB07C3BA6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenThread [0xB07C02FE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryKey [0xB07C0178]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryMultipleValueKey [0xB07BFE7C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryValueKey [0xB07BFC5A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueueApcThread [0xB07C3888]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwReplaceKey [0xB07BF5D2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRequestWaitReplyPort [0xB07C2A74]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRestoreKey [0xB07BF734]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwResumeThread [0xB07C3F56]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSaveKey [0xB07BF3D0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSecureConnectPort [0xB07C208C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetContextThread [0xB07C06AC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSecurityObject [0xB07C371A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSystemInformation [0xB07C3BD0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetValueKey [0xB07BFB08]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendProcess [0xB07C3CB4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendThread [0xB07C3DE0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSystemDebugControl [0xB07C354C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwTerminateProcess [0xB07C047E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwWriteVirtualMemory [0xB07C04F0]

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!FsRtlCheckLockForReadAccess 804EAF84 5 Bytes JMP B07D7626 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab)
.text ntkrnlpa.exe!IoIsOperationSynchronous 804EF912 5 Bytes JMP B07D79E0 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab)
.text ntkrnlpa.exe!ZwCallbackReturn + 2C60 805044FC 4 Bytes JMP B4B07C21
.text ntkrnlpa.exe!ZwCallbackReturn + 2FD8 80504874 12 Bytes [B4, 3C, 7C, B0, E0, 3D, 7C, ...]
init C:\WINDOWS\system32\drivers\sigfilt.sys entry point in "init" section [0xB09E2F80]

---- User code sections - GMER 1.0.15 ----

? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[788] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[788] USER32.dll!AlignRects + FFFA5598 7E412A78 4 Bytes [70, 11, 41, 6D] {JO 0x13; INC ECX; INSD }
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[2084] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[2084] USER32.dll!AlignRects + FFFA5598 7E412A78 4 Bytes [70, 11, 41, 6D] {JO 0x13; INC ECX; INSD }

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\7404D2C904E0a994CAA74C9BBB21EF30\Usage@TrayApp 1028063330
Reg HKLM\SOFTWARE\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}@scansk 0x54 0x66 0x12 0xAC ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}@scansk 0x84 0xDF 0xCA 0xBD ...
Reg HKLM\SOFTWARE\Classes\CLSID\{85bc9adf-f379-4bdf-bd85-701218c36723}@Model 46
Reg HKLM\SOFTWARE\Classes\CLSID\{85bc9adf-f379-4bdf-bd85-701218c36723}@Therad 16
Reg HKLM\SOFTWARE\Classes\CLSID\{85bc9adf-f379-4bdf-bd85-701218c36723}@MData 0x73 0xD5 0xCF 0xB8 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{ecbefe36-efea-434d-822a-fd1b484e49d6}@Model 342
Reg HKLM\SOFTWARE\Classes\CLSID\{ecbefe36-efea-434d-822a-fd1b484e49d6}@Therad 30
Reg HKLM\SOFTWARE\Classes\CLSID\{ecbefe36-efea-434d-822a-fd1b484e49d6}@MData 0x2B 0x8F 0x78 0x29 ...

---- EOF - GMER 1.0.15 ----

#6 JonTom (Teacher Emeritus, Malware Team, 5,496 posts)

Posted 08 October 2010 - 02:31 PM

Hello Parth

Thank you for the logs.

Please work your way through the following steps:


  • P2P Programs:


    • P2P programs are a major source of Malware infections.
    • From your log I see you have BitTorrent. We do not pass judgment on file-sharing, however we must inform you that engaging in this activity and having this kind of software installed on your system will always make you more susceptible to Malware infections.
    • The use of P2P programs may be contributing to your current situation, and you would certainly be doing yourself a favour by removing them.
    • If you wish to keep the program(s), please do not use them until your computer is cleaned.
    • Information regarding the risk of using these programs can be found here and here.
    • It is strongly recommended that you uninstall any P2P programs you have on your system.
    • To do this, Click on "Start" then on "Control Panel" and then on "Add or remove programs".
    • A list of currently installed programs will be displayed.
    • Find the "BitTorrent" program, click on it once and then click on the "Remove" button.
    • If you are prompted to re-boot your computer to complete the uninstall please do so.


      PLEASE NOTE:
    • Even if you are using a P2P program that is deemed safe, it is only the program that is safe. Any files that you receive using a "safe" P2P program may be infected with Malware. The malware writers use P2P file-sharing as a major conduit to spread infected files.

  • Combofix



    • VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

    • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.
    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware.
    • When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
    • Notes: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    • Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Would you like to help others? Join the Classroom and learn how.
 
Member of UNITE
Proud Graduate of the WTT Classroom

#7 Parth (Authentic Member, 156 posts)

Posted 08 October 2010 - 03:13 PM

Here is the combofix log:
2009-05-27 01:47 5247008 --sha-w- c:\windows\system32\drivers\fidbox.dat 2010-10-08 20:58 . 2009-05-27 01:47 43120 --sha-w- c:\windows\system32\drivers\fidbox.idx 2010-10-02 15:30 . 2006-06-13 21:22 -------- d-----w- c:\documents and settings\Parthiv Thakore\Application Data\Apple Computer 2010-10-02 13:21 . 2010-10-07 16:38 178776 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat 2010-10-02 13:13 . 2010-03-31 17:56 -------- d-----w- c:\program files\JDownloader 2010-10-02 04:33 . 2007-07-16 19:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple 2010-09-29 22:39 . 2008-08-07 03:50 -------- d-----w- c:\program files\Common Files\Apple 2010-09-29 22:39 . 2006-06-13 21:20 -------- d-----w- c:\program files\iPod 2010-09-29 22:33 . 2010-09-29 22:33 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.1.22\SetupAdmin.exe 2010-09-29 18:23 . 2006-06-09 01:33 34544 ----a-w- c:\documents and settings\Parthiv Thakore\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2010-09-29 15:49 . 2009-11-03 02:40 -------- d-----w- c:\program files\Microsoft Silverlight 2010-09-29 15:46 . 2009-09-08 13:42 -------- d-----w- c:\documents and settings\All Users\Application Data\HP 2010-09-25 02:37 . 2006-06-13 21:22 -------- d-----w- c:\documents and settings\Parthiv Thakore\Application Data\Media Player Classic 2010-09-25 02:34 . 2010-08-11 16:38 -------- d-----w- c:\documents and settings\Parthiv Thakore\Application Data\PrimoPDF 2010-09-24 19:16 . 2008-12-01 16:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2010-09-24 04:10 . 2007-08-03 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2010-09-24 03:37 . 2006-06-13 21:44 -------- d-----w- c:\program files\Java 2010-09-23 23:41 . 2010-07-11 19:40 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet 2010-09-21 18:37 . 
2010-09-21 18:37 932288 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Acrobat\9.3\ARM\14107\AdobeARM.exe 2010-09-21 18:37 . 2010-09-21 18:37 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Acrobat\9.3\ARM\14107\AdobeExtractFiles.dll 2010-09-21 18:37 . 2010-09-21 18:37 338856 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Acrobat\9.3\ARM\14107\ReaderUpdater.exe 2010-09-21 18:37 . 2010-09-21 18:37 338856 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Acrobat\9.3\ARM\14107\AcrobatUpdater.exe 2010-09-15 20:20 . 2009-05-27 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help 2010-09-09 01:42 . 2010-08-13 19:26 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll 2010-09-09 01:42 . 2010-09-09 01:42 56765 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe 2010-09-09 01:42 . 2010-05-04 17:38 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX 2010-09-09 01:42 . 2007-07-19 19:18 -------- d-----w- c:\program files\DivX 2010-09-09 01:42 . 2010-09-09 01:42 56997 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe 2010-09-09 01:41 . 2010-09-09 01:41 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe 2010-09-09 01:41 . 2010-09-09 01:41 57691 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe 2010-09-09 01:41 . 2010-09-09 01:41 84063 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe 2010-09-09 01:41 . 2010-09-09 01:41 54153 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe 2010-09-09 01:03 . 
2010-09-09 01:42 185640 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\finishPlugin.dll 2010-09-09 01:02 . 2010-08-13 19:25 1090856 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll 2010-09-09 01:02 . 2010-08-13 19:22 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe 2010-09-09 01:02 . 2010-08-13 19:25 850200 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe 2010-09-08 01:01 . 2010-08-13 19:25 -------- d-----w- c:\documents and settings\Parthiv Thakore\Application Data\DivX 2010-09-07 16:47 . 2010-09-07 16:46 -------- d-----w- c:\program files\Garmin 2010-09-07 16:47 . 2010-09-07 16:47 -------- d-----w- c:\program files\DIFX 2010-09-07 16:40 . 2010-09-07 16:40 12255080 ----a-w- c:\documents and settings\Parthiv Thakore\Application Data\Mozilla\Firefox\Profiles\5tuxkkf3.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll 2010-08-31 04:03 . 2008-12-06 06:01 -------- d--h--w- c:\program files\parth1 2010-08-27 02:54 . 2010-08-27 02:54 137216 ----a-w- c:\documents and settings\All Users\Application Data\WorldWinner\shared\fmod.dll 2010-08-27 02:54 . 2010-08-27 02:54 339968 ----a-w- c:\documents and settings\All Users\Application Data\WorldWinner\dealornodeal\dealornodeal.dll 2010-08-27 02:54 . 2010-08-27 02:54 -------- d-----w- c:\documents and settings\All Users\Application Data\WorldWinner 2010-08-17 13:17 . 2004-08-10 11:00 58880 ----a-w- c:\windows\system32\spoolsv.exe 2010-08-13 19:25 . 2010-08-13 19:25 57054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe 2010-08-13 19:25 . 2010-08-13 19:25 54166 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe 2010-08-13 19:25 . 
2010-08-13 19:25 57532 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe 2010-08-13 19:24 . 2010-08-13 19:24 56458 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe 2010-08-13 19:24 . 2010-08-13 19:24 54174 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAACDecoder\Uninstaller.exe 2010-08-13 19:24 . 2010-08-13 19:24 54128 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Converter\Uninstaller.exe 2010-08-13 19:24 . 2010-08-13 19:24 54644 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe 2010-08-13 19:24 . 2010-08-13 19:24 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe 2010-08-13 19:24 . 2010-08-13 19:24 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe 2010-08-13 19:24 . 2010-08-13 19:24 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe 2010-08-13 19:24 . 2010-08-13 19:24 -------- d-----w- c:\program files\Common Files\DivX Shared 2010-08-13 19:24 . 2010-08-13 19:24 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe 2010-08-13 19:24 . 2010-08-13 19:24 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe 2010-08-11 16:36 . 2010-08-11 16:36 -------- d-----w- c:\program files\Nitro PDF 2010-07-29 16:26 . 2009-05-27 01:48 97549 ----a-w- c:\windows\system32\drivers\klick.dat 2010-07-29 16:26 . 2009-05-27 01:48 113933 ----a-w- c:\windows\system32\drivers\klin.dat 2010-07-27 22:44 . 2010-07-27 22:44 91424 ----a-w- c:\windows\system32\dnssd.dll 2010-07-27 22:44 . 2010-07-27 22:44 197920 ----a-w- c:\windows\system32\dnssdX.dll 2010-07-27 22:44 . 2010-07-27 22:44 107808 ----a-w- c:\windows\system32\dns-sd.exe 2010-07-22 15:49 . 
2004-08-10 11:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll 2010-07-22 05:57 . 2009-04-17 13:40 5120 ----a-w- c:\windows\system32\xpsp4res.dll 2010-07-11 17:58 . 2010-07-11 17:59 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe 2010-07-11 17:58 . 2010-07-11 17:57 38784 ----a-w- c:\documents and settings\Parthiv Thakore\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe 2007-04-06 20:54 . 2007-04-06 20:14 80 --sh--r- c:\windows\system32\18CBEC2B90.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SetDefaultMIDI"="MIDIDef.exe" [2004-12-23 24576] "Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-07-21 208616] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552] "SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888] "CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 57344] "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-06-19 38840] "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-06-19 640440] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-08 47904] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" 
[2010-09-24 421160] c:\documents and settings\All Users\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit] 2007-11-15 22:46 87352 ----a-w- c:\windows\system32\LMIinit.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 nwprovau [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "Adobe Acrobat Synchronizer"="c:\program files\Adobe\Acrobat 9.0\Acrobat\AdobeCollabSync.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW "dlcdmon.exe"="c:\program files\Dell Photo AIO Printer 944\dlcdmon.exe" "HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe "parth1"=c:\program files\parth1\parth1.exe "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" "MemoryCardManager"="c:\program files\Dell Photo AIO Printer 944\memcard.exe" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\mIRC\\mirc.exe"= "c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"= "c:\\Program Files\\Maxthon\\Maxthon.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "c:\\Program Files\\Veoh 
Networks\\VeohWebPlayer\\veohwebplayer.exe"= "c:\\Program Files\\AGEIA Technologies\\TrayIcon.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"= "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"= "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"= "c:\\Program Files\\Foxit Software\\PDF Editor\\PDFEdit.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\v8200\\DMMultiView\\MultiView.exe"= "c:\\Documents and Settings\\Parthiv Thakore\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"= "c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"= "c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"= "c:\\Program Files\\Java\\jre6\\bin\\java.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "135:TCP"= 135:TCP:TCP Port 135 "5000:TCP"= 5000:TCP:TCP Port 5000 "5001:TCP"= 5001:TCP:TCP Port 5001 "5002:TCP"= 5002:TCP:TCP Port 5002 "5003:TCP"= 5003:TCP:TCP Port 5003 "5004:TCP"= 5004:TCP:TCP Port 5004 "5005:TCP"= 5005:TCP:TCP Port 5005 "5006:TCP"= 5006:TCP:TCP Port 5006 "5007:TCP"= 5007:TCP:TCP Port 5007 "5008:TCP"= 5008:TCP:TCP Port 5008 "5009:TCP"= 5009:TCP:TCP Port 5009 "5010:TCP"= 
5010:TCP:TCP Port 5010 "5011:TCP"= 5011:TCP:TCP Port 5011 "5012:TCP"= 5012:TCP:TCP Port 5012 "5013:TCP"= 5013:TCP:TCP Port 5013 "5014:TCP"= 5014:TCP:TCP Port 5014 "5015:TCP"= 5015:TCP:TCP Port 5015 "5016:TCP"= 5016:TCP:TCP Port 5016 "5017:TCP"= 5017:TCP:TCP Port 5017 "5018:TCP"= 5018:TCP:TCP Port 5018 "5019:TCP"= 5019:TCP:TCP Port 5019 "5020:TCP"= 5020:TCP:TCP Port 5020 "808:TCP"= 808:TCP:ccproxy port "1036:TCP"= 1036:TCP:Akamai NetSession Interface "5000:UDP"= 5000:UDP:Akamai NetSession Interface R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 5:29 PM 33808] R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/10/2004 7:00 AM 14336] R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 6:02 PM 26640] R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 5:06 PM 24592] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/31/2009 10:11 PM 133104] S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?] S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [9/24/2010 3:50 PM 27064] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 Akamai REG_MULTI_SZ Akamai hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc . Contents of the 'Scheduled Tasks' folder 2010-10-06 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34] 2010-10-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-11-01 02:11] 2010-10-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-11-01 02:11] . . ------- Supplementary Scan ------- . 
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 ustart page = about:blank uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} - hxxp://68.213.32.251/cab/OCXChecker_8198.cab DPF: {FEC048AB-277A-460C-BF50-1A4193AEF148} - hxxp://68.213.32.251/cab/DownloadCenter_8200.cab FF - ProfilePath - c:\documents and settings\Parthiv Thakore\Application Data\Mozilla\Firefox\Profiles\5tuxkkf3.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/ FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll FF - plugin: c:\documents and settings\Parthiv Thakore\Application Data\Mozilla\Firefox\Profiles\5tuxkkf3.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll FF - plugin: c:\documents and settings\Parthiv Thakore\Application Data\Mozilla\Firefox\Profiles\5tuxkkf3.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll FF - plugin: c:\documents and settings\Parthiv Thakore\Application 
Data\Mozilla\Firefox\Profiles\5tuxkkf3.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- FF - user.js: yahoo.ytff.general.dontshowhpoffer - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false); . - - - - ORPHANS REMOVED - - - - WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file) HKLM-Run-hpqSRMon - (no file) . 
--------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}] @Denied: (Full) (Everyone) "scansk"=hex(0):54,66,12,ac,67,6b,52,df,d5,ad,8c,bb,67,4d,43,24,60,a5,fa,8f,97, 5c,44,5d,3b,75,d4,78,35,d9,4d,08,81,3f,d4,0b,08,d2,b4,fe,00,00,00,00,00,00,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}] @Denied: (Full) (Everyone) "scansk"=hex(0):84,df,ca,bd,3f,dc,3a,be,60,94,0e,f6,9f,c5,52,d2,53,85,eb,b3,49, 0a,2e,9c,ca,79,94,b5,25,37,2e,da,f0,ac,86,a3,82,78,fe,dd,00,00,00,00,00,00,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{85bc9adf-f379-4bdf-bd85-701218c36723}] @Denied: (Full) (Everyone) "Model"=dword:0000002e "Therad"=dword:00000010 "MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a, 1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{ecbefe36-efea-434d-822a-fd1b484e49d6}] @Denied: (Full) (Everyone) "Model"=dword:00000156 "Therad"=dword:0000001e "MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26, 38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\ [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" 
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(972) c:\windows\system32\LMIinit.dll - - - - - - - > 'explorer.exe'(2800) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\Ati2evxx.exe c:\windows\system32\LEXBCES.EXE c:\windows\system32\LEXPPS.EXE c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\windows\system32\CTsvcCDA.EXE c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\CDBurnerXP\NMSAccessU.exe c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe c:\windows\system32\fxssvc.exe c:\windows\ehome\mcrdsvc.exe c:\windows\stsystra.exe c:\windows\system32\wscntfy.exe c:\program files\iPod\bin\iPodService.exe . ************************************************************************** . Completion time: 2010-10-08 17:10:49 - machine was rebooted ComboFix-quarantined-files.txt 2010-10-08 21:10 Pre-Run: 160,599,691,264 bytes free Post-Run: 162,810,990,592 bytes free - - End Of File - - 5F70E433A5990FF52DC034CB874FEE75
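
The "Files Created" section of a ComboFix log is a fixed-layout text format (created time, a dot, modified time, size or dashes, an attribute string, then the path), which makes it easy to parse and pre-screen before a helper reads it by eye. The Python below is an added example written for this thread; it is not part of ComboFix or of any reply here. It parses seven lines copied from the log above plus one constructed Temp-folder line (the Avc.exe path the next reply asks about, which the log itself does not contain) and flags the entries a helper would look at first: a loose executable in the Windows root, an executable in a Temp folder, hidden/system attributes, and an implausibly small executable. The rule set, the thresholds and the names `parse_entries` and `triage` are my own choices, and a hit is a review hint, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: seven lines copied from the ComboFix log in the post
# above, plus one constructed Avc.exe line (not in the log) so that every
# triage rule below has something to fire on.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-09-08 to 2010-10-08 )))))))))))))))))))))))))))))))
.
2010-10-07 14:58 . 2010-10-07 14:58 388096 ----a-r- c:\documents and settings\Parthiv Thakore\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-10-02 16:07 . 2010-02-11 09:56 -------- d-----w- C:\Your Software Here
2010-10-02 04:38 . 2010-10-02 04:38 192512 ----a-w- c:\windows\Anahua.exe
2010-09-29 16:01 . 2010-09-29 16:06 116839 ----a-w- c:\windows\hpqins00.dat
2010-09-24 19:50 . 2009-12-30 16:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-10-08 20:58 . 2009-05-27 01:47 43120 --sha-w- c:\windows\system32\drivers\fidbox.idx
2007-04-06 20:54 . 2007-04-06 20:14 80 --sh--r- c:\windows\system32\18CBEC2B90.dll
2010-10-07 10:30 . 2010-10-07 10:30 45056 ----a-w- c:\documents and settings\Parthiv Thakore\Local Settings\Temp\Avc.exe
"""

# One file entry per line: created . modified size|dashes attrs path
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".pif")


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None where ComboFix prints dashes (directories)
    attrs: str            # e.g. "--sha-w-": d=directory, s=system, h=hidden, a=archive
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def hidden_or_system(self) -> bool:
        return "h" in self.attrs or "s" in self.attrs

    @property
    def is_executable(self) -> bool:
        return self.path.lower().endswith(EXEC_EXT)


def parse_entries(text: str) -> List[Entry]:
    """Pick the per-file lines out of a ComboFix section; banners and '.' separators are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for files worth a closer look (review hints, not verdicts)."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        if e.is_dir:
            continue
        folder = e.path.lower().rpartition("\\")[0]
        reasons = []
        # installers put executables under Program Files or system32, not loose in c:\windows
        if e.is_executable and folder == "c:\\windows":
            reasons.append("loose executable in the Windows root")
        if e.is_executable and "\\temp\\" in folder + "\\":
            reasons.append("executable in a Temp folder")
        if e.hidden_or_system:
            reasons.append("hidden/system attribute set")
        if e.is_executable and e.size is not None and e.size < 1024:
            reasons.append(f"implausibly small executable ({e.size} bytes)")
        if reasons:
            findings[e.path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(parse_entries(SAMPLE_LOG)).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Run against the sample, the four hits are Anahua.exe (Windows root), the constructed Avc.exe (Temp), fidbox.idx (system+hidden, a Kaspersky data file that a helper would recognise and dismiss) and the 80-byte hidden 18CBEC2B90.dll. The point of the pass is to shorten the list a human reads, so false positives like fidbox.idx are acceptable; silently dropping a real dropper is not.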

#8 JonTom

JonTom

    Teacher Emeritus

  • Malware Team
  • 5,496 posts

Posted 08 October 2010 - 06:18 PM

Hello Parth

Thank you for the log.

Before we continue I would like to take a closer look at a couple of files on your machine.

Please do the following:

  • Please make all files and folders Visible:

    • Click "Start" Go to My Computer-> Tools-> Folder Options-> View tab:
    • Choose to "Show hidden files and folders".
    • Uncheck the "Hide protected operating system files" and the "Hide extensions for known file types" boxes.
    • Close the window with "OK".

  • Please scan the following files

    • Please visit Virus Total by clicking here.
    • Click the Browse button and search for the following file (if present): c:\windows\Anahua.exe
    • Click Open.
    • Then click Send File.
    • Please be patient while the file is scanned.
    • If Virus Total tells you that the file has already been scanned, click "reanalyse now".
    • Once the scan results appear, please click on the "Show All" button, then copy and paste the results into Notepad and repeat the procedure for the following file(s):

    c:\documents and settings\Parthiv Thakore\Local Settings\Temp\Avc.exe

    • Please provide the results from the scans in your next reply.

    Do you recognise this file: c:\program files\parth1\parth1.exe? If not, scan it with Virus Total as described above :)

Would you like to help others? Join the Classroom and learn how.
 
Member of UNITE
Proud Graduate of the WTT Classroom

#9 Parth

Parth

    Authentic Member

  • Authentic Member
  • PipPip
  • 156 posts

Posted 08 October 2010 - 06:31 PM

Here is the result for anahua.exe. And there was no avc.exe, so.... And parth1.exe, it was for something I used to use, but I have removed it.

File name: Anahua.exe
Submission date: 2010-10-09 00:24:58 (UTC)
Result: 30/42 (71.4%)

Antivirus / Version / Last Update / Result
AhnLab-V3 2010.10.09.00 2010.10.08 Win-Trojan/Mdob.192512.H
AntiVir 7.10.12.167 2010.10.08 TR/Crypt.EPACK.Gen2
Antiy-AVL 2.0.3.7 2010.10.08 Trojan/Win32.FraudPack.gen
Authentium 5.2.0.5 2010.10.08 W32/Renos.A!Generic
Avast 4.8.1351.0 2010.10.09 Win32:MalOb-BX
Avast5 5.0.594.0 2010.10.09 Win32:MalOb-BX
AVG 9.0.0.851 2010.10.08 Generic19.AKIH
BitDefender 7.2 2010.10.09 Gen:Variant.Kazy.1130
CAT-QuickHeal 11.00 2010.10.08 -
ClamAV 0.96.2.0-git 2010.10.09 PUA.Packed.StarForce.CopyProtect.3XDLL
Comodo 6324 2010.10.09 -
DrWeb 5.0.2.03300 2010.10.09 Trojan.DownLoader1.22695
Emsisoft 5.0.0.50 2010.10.09 -
eSafe 7.0.17.0 2010.10.07 -
eTrust-Vet 36.1.7901 2010.10.08 Win32/Renos.D!generic
F-Prot 4.6.2.117 2010.10.08 W32/Renos.A!Generic
F-Secure 9.0.15370.0 2010.10.09 Trojan-Downloader:W32/Renos.GSS
Fortinet 4.2.249.0 2010.10.08 W32/CodecPack.fam!tr.dldr
GData 21 2010.10.09 Gen:Variant.Kazy.1130
Ikarus T3.1.1.90.0 2010.10.08 -
Jiangmin 13.0.900 2010.10.08 -
K7AntiVirus 9.65.2707 2010.10.08 Virus
Kaspersky 7.0.0.125 2010.10.09 Packed.Win32.Katusha.o
McAfee 5.400.0.1158 2010.10.09 Downloader-CEW.i
McAfee-GW-Edition 2010.1C 2010.10.08 Heuristic.BehavesLike.Win32.Obfuscated.H
Microsoft 1.6201 2010.10.08 TrojanDownloader:Win32/Renos.LX
NOD32 5516 2010.10.08 Win32/TrojanDownloader.FakeAlert.AQI
Norman 6.06.07 2010.10.08 W32/Obfuscated.M
nProtect 2010-10-08.01 2010.10.08 Trojan/W32.FraudPack.192512.N
Panda 10.0.2.7 2010.10.08 Trj/Agent.NHR
PCTools 7.0.3.5 2010.10.09 -
Prevx 3.0 2010.10.09 -
Rising 22.67.02.07 2010.09.30 -
Sophos 4.58.0 2010.10.08 Mal/FakeAV-CX
Sunbelt 7018 2010.10.09 VirTool.Win32.Obfuscator.hg!b1 (v)
SUPERAntiSpyware 4.40.0.1006 2010.10.09 Trojan.Agent/Gen-Fraudera
Symantec 20101.2.0.161 2010.10.09 -
TheHacker 6.7.0.1.053 2010.10.08 Trojan/FraudPack.bqgt
TrendMicro-HouseCall 9.120.0.1004 2010.10.09 TROJ_FAKEAV.SMA7
VBA32 3.12.14.1 2010.10.08 -
ViRobot 2010.10.4.4074 2010.10.08 -
VirusBuster 12.67.9.0 2010.10.08 Trojan.FraudPack.AQRQ

Additional information
MD5 : c1a264bffdea322f32969304ef3a9e8f
SHA1 : 4cc7ad699be28405038b7c8ebffa9bc1ed435554
SHA256: 5474c9e50776cf7745647df1212401476bfa36934003ed539f112d78b521b9a1
ssdeep: 3072:3O7gSkqBtbcbtO7c9E6uCXzM/aTqL+xDvOpO8ZykgMgobcBkvvSpZ:3O8SpncbtOwzuKzM/aWsDvwO8ZlgM0C
File size : 192512 bytes
First seen: 2010-10-09 00:24:58
Last seen : 2010-10-09 00:24:58

TrID:
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)

sigcheck:
publisher....: Simon Tatham
copyright....: GoldG ver3
product......: GoldG
description..: GoldG
original name: GoldG.exe
internal name: GoldG
file version.: 3.1.1.1
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEiD: StarForce V3.X DLL -> StarForce Copy Protection System

PEInfo: PE structure information
[[ basic data ]]
entrypointaddress: 0x1385
timedatestamp....: 0x49BFFD4F (Tue Mar 17 19:43:11 2009)
machinetype......: 0x14c (I386)
[[ 5 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x9410, 0x9600, 5.36, 4c0a2cef822369f162804fd5d85c46f6
.rdata, 0xB000, 0x203B5, 0x20400, 7.48, a5f274ec0a3280a60d11b23bbe7705e4
.data, 0x2C000, 0x1C9D3, 0x2A00, 4.03, cc7fcdefde47ef031c17a0fddba9d74a
BSS, 0x49000, 0x275, 0x400, 0.16, 60f20ddd7ccf085c5be9c2797b7a219d
.rsrc, 0x4A000, 0x220C, 0x2400, 3.42, fadefe5c36d38584f376b4a102437126
[[ 6 import(s) ]]
VERSION.dll: VerQueryValueA
kernel32.dll: IsBadReadPtr, DeleteFileA, EnumCalendarInfoA, ExitProcess, GetProcAddress, VirtualAllocEx, LoadLibraryA, LockResource, GetFileSize, GetCommandLineA, GetCommandLineW, ExitThread, GetVersion, lstrlenW, GetModuleFileNameA, GetLocalTime, GetLastError, GetModuleHandleA
shlwapi.dll: SHDeleteValueA, SHGetValueA, SHEnumValueA, PathGetCharTypeA, SHStrDupA, PathFileExistsA, SHSetValueA, PathIsDirectoryA
MSVCRT.dll: clock, wcscspn, swprintf, acos, cos
COMDLG32.dll: GetFileTitleA, GetOpenFileNameA, GetSaveFileNameA
COMCTL32.dll: ImageList_Draw

ExifTool: file metadata
CharacterSet: Unicode
CodeSize: 38400
CompanyName: Simon Tatham
EntryPoint: 0x1385
FileDescription: GoldG
FileFlagsMask: 0x003f
FileOS: Win32
FileSize: 188 kB
FileSubtype: 0
FileType: Win32 EXE
FileVersion: 3.1.1.1
FileVersionNumber: 3.1.1.1
ImageVersion: 0.0
InitializedDataSize: 153088
InternalName: GoldG
LanguageCode: English (U.S.)
LegalCopyright: GoldG ver3
LinkerVersion: 3.3
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 4.0
ObjectFileType: Executable application
OriginalFilename: GoldG.exe
PEType: PE32
ProductName: GoldG
ProductVersion: 3.1.1.1
ProductVersionNumber: 3.1.1.1
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 2009:03:17 20:43:11+01:00
UninitializedDataSize: 106496

Symantec reputation: Suspicious.Insight
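A multi-engine report like the one above is easier to act on once it is reduced to two numbers and one name: how many engines flagged the file, and which malware family most of them agree on (here the vendors split their naming between FraudPack, Renos and FakeAV, which are different labels for the same rogue-antivirus downloader class). The script below is an added example, not part of the post or of any scanning service; it parses a subset of the rows quoted above, computes the detection ratio, maps vendor-specific names onto families with its own keyword table, and flags engines whose signature date is well behind the submission date, since a clean verdict from a stale engine says little.

```python
"""Summarise a flattened multi-engine scan report (added example, not from the post).

REPORT_ROWS is a subset of the report quoted above, copied as
"<vendor> <engine version> <signature date> <result>", "-" meaning no detection.
The family keyword table and the staleness threshold are this example's own
heuristics, not anything the scanning service provides.
"""
from collections import Counter
from datetime import datetime

SUBMISSION_DATE = datetime(2010, 10, 9)  # from the report header above

REPORT_ROWS = """\
AhnLab-V3 2010.10.09.00 2010.10.08 Win-Trojan/Mdob.192512.H
Antiy-AVL 2.0.3.7 2010.10.08 Trojan/Win32.FraudPack.gen
Authentium 5.2.0.5 2010.10.08 W32/Renos.A!Generic
CAT-QuickHeal 11.00 2010.10.08 -
ClamAV 0.96.2.0-git 2010.10.09 PUA.Packed.StarForce.CopyProtect.3XDLL
Comodo 6324 2010.10.09 -
eTrust-Vet 36.1.7901 2010.10.08 Win32/Renos.D!generic
F-Prot 4.6.2.117 2010.10.08 W32/Renos.A!Generic
F-Secure 9.0.15370.0 2010.10.09 Trojan-Downloader:W32/Renos.GSS
Kaspersky 7.0.0.125 2010.10.09 Packed.Win32.Katusha.o
Microsoft 1.6201 2010.10.08 TrojanDownloader:Win32/Renos.LX
NOD32 5516 2010.10.08 Win32/TrojanDownloader.FakeAlert.AQI
nProtect 2010-10-08.01 2010.10.08 Trojan/W32.FraudPack.192512.N
Rising 22.67.02.07 2010.09.30 -
Sophos 4.58.0 2010.10.08 Mal/FakeAV-CX
Sunbelt 7018 2010.10.09 VirTool.Win32.Obfuscator.hg!b1 (v)
Symantec 20101.2.0.161 2010.10.09 -
TheHacker 6.7.0.1.053 2010.10.08 Trojan/FraudPack.bqgt
TrendMicro-HouseCall 9.120.0.1004 2010.10.09 TROJ_FAKEAV.SMA7
"""

# Ordered: specific family names first, generic packer/obfuscation buckets last,
# so "Packed.Win32.Katusha.o" lands on Katusha rather than on the packer bucket.
FAMILY_KEYWORDS = [
    ("fraudpack", "FraudPack"),
    ("renos", "Renos"),
    ("fakeav", "FakeAV"),
    ("fakealert", "FakeAV"),
    ("katusha", "Katusha"),
    ("obfusc", "generic/packed"),
    ("packed", "generic/packed"),
    ("crypt", "generic/packed"),
]
GENERIC_BUCKETS = {"generic/packed", "unclassified"}


def parse_rows(text):
    """Yield (vendor, version, signature_date, result); result is None for a clean verdict."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # The result may itself contain spaces ("... (v)"), so split at most three times.
        vendor, version, updated, result = line.split(None, 3)
        yield vendor, version, datetime.strptime(updated, "%Y.%m.%d"), (None if result == "-" else result)


def classify(result):
    """Map a vendor-specific detection name onto a family using the keyword table."""
    low = result.lower()
    for needle, family in FAMILY_KEYWORDS:
        if needle in low:
            return family
    return "unclassified"


def summarize(text, submitted=SUBMISSION_DATE, stale_after_days=3):
    rows = list(parse_rows(text))
    detections = [r for r in rows if r[3] is not None]
    families = Counter(classify(r[3]) for r in detections)
    specific = [(f, n) for f, n in families.most_common() if f not in GENERIC_BUCKETS]
    stale = [r[0] for r in rows if (submitted - r[2]).days > stale_after_days]
    return {
        "engines": len(rows),
        "detections": len(detections),
        "ratio": round(100.0 * len(detections) / len(rows), 1),
        "families": families,
        "consensus": specific[0][0] if specific else None,
        "stale_engines": stale,
    }


if __name__ == "__main__":
    s = summarize(REPORT_ROWS)
    print(f"{s['detections']}/{s['engines']} ({s['ratio']}%) consensus={s['consensus']}")
    print("families:", dict(s["families"]))
    print("stale engines:", s["stale_engines"])
```

On the subset above this yields 15/19 with Renos as the consensus family and Rising (signatures nine days old) flagged as stale; on the full report the same logic gives the 30/42 the post shows.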

#10 JonTom

JonTom

    Teacher Emeritus

  • Malware Team
  • 5,496 posts

Posted 09 October 2010 - 04:42 AM

Hello Parth

Thank you for the scan results.


  • Please work through the following steps


    • Open Notepad (Click on "Start", then on "Run" and type "notepad" (without quotations) in the Open field, then click on "OK").
    • NOTE: Do not Use Wordpad or any other text editor except Notepad or the script will fail.
    • Copy and Paste the text in the codebox below (including the link) into the open Notepad window:

      http://forums.whatthetech.com/index.php?showtopic=114930
      
      collect::
      c:\windows\Anahua.exe
      
      Registry::
      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
      "135:TCP"=-
      "5000:TCP"=-
      "5001:TCP"=-
      "5002:TCP"=-
      "5003:TCP"=-
      "5004:TCP"=-
      "5005:TCP"=-
      "5006:TCP"=-
      "5007:TCP"=-
      "5008:TCP"=-
      "5009:TCP"=-
      "5010:TCP"=-
      "5011:TCP"=-
      "5012:TCP"=-
      "5013:TCP"=-
      "5014:TCP"=-
      "5015:TCP"=-
      "5016:TCP"=-
      "5017:TCP"=-
      "5018:TCP"=-
      "5019:TCP"=-
      "5020:TCP"=-
      "808:TCP"=-
      
      DirLook::
      C:\Your Software Here
    • Save this as "CFScript.txt" (including the quotation marks), change the "Save as type" to "All Files" and save it to your desktop.
    • Close any open browsers.
    • Disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Referring to the picture below, drag CFScript.txt into ComboFix.exe

      Posted Image
    • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
    • Once the log is produced, re-engage your resident anti virus.
    • Note: When ComboFix finishes running, the ComboFix log will open along with a message box - do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.


    there was no avc.exe

    As this is where your problems began (error messages stating that AVC.exe has encountered a problem and will shutdown) I would like to search for the file to make sure that it has definitely gone.

  • Please download SystemLook by JPShortstuff


    • Please download SystemLook by JPShortstuff by clicking here or here and save the file (called SystemLook.exe) to your desktop.
    • Double click SystemLook.exe to run the program.
    • Copy the content of the following codebox into the main textfield:

    :filefind
    *AVC.exe*

    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    • Note: The log can also be found on your Desktop entitled SystemLook.txt

    Please post the ComboFix log and the SystemLook log in your next reply.

Would you like to help others? Join the Classroom and learn how.
 
Member of UNITE
Proud Graduate of the WTT Classroom
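The Registry:: section of the CFScript above removes a block of entries from the Windows Firewall GloballyOpenPorts list: port 135/TCP (the RPC endpoint mapper), 808/TCP and a straight run of 5000 through 5020/TCP, none of which a user opens by hand. The script below is an added example, not part of the post or of ComboFix; it reads a constructed .reg export of that key (value data in the "port:protocol:scope:state:name" layout the XP firewall uses, assumed here), compares the entries against an allowlist of known owners (the two Akamai entries are this example's allowlist choice), flags the rest with a reason, and emits the matching "=-" deletion lines in the same syntax the CFScript uses.

```python
"""Audit the XP firewall GloballyOpenPorts list against an allowlist (added example).

SAMPLE_EXPORT is constructed for this example in .reg export form. The value data
layout "port:protocol:scope:state:name" is what the XP firewall stores and is
assumed here; the allowlist, the sensitive-port set and the run length are this
example's own policy choices, not anything from the post.
"""
import re

KEY = r"HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List"

SAMPLE_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1036:TCP"="1036:TCP:*:Enabled:Akamai NetSession Interface"
"5000:UDP"="5000:UDP:*:Enabled:Akamai NetSession Interface"
"135:TCP"="135:TCP:*:Enabled:"
"5000:TCP"="5000:TCP:*:Enabled:"
"5001:TCP"="5001:TCP:*:Enabled:"
"5002:TCP"="5002:TCP:*:Enabled:"
"808:TCP"="808:TCP:*:Enabled:"
'''

ALLOWLIST = {"1036:TCP", "5000:UDP"}          # entries with a known owning application
SENSITIVE_PORTS = {135, 137, 138, 139, 445}   # RPC endpoint mapper, NetBIOS, SMB
RUN_LENGTH = 3                                # this many consecutive ports of one protocol

VALUE_RE = re.compile(r'^"(\d+:(?:TCP|UDP))"="([^"]*)"$')


def parse_export(text):
    """Return one dict per GloballyOpenPorts value found in a .reg export."""
    entries = []
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if not m:
            continue
        name, data = m.groups()
        port, proto, scope, state, label = data.split(":", 4)
        entries.append({"name": name, "port": int(port), "proto": proto.upper(),
                        "scope": scope, "state": state, "label": label})
    return entries


def audit(entries, allowlist=ALLOWLIST):
    """Return {value name: [reasons]} for every entry that is not on the allowlist."""
    flagged = {}
    suspect = [e for e in entries if e["name"] not in allowlist]
    for e in suspect:
        reasons = []
        if e["port"] in SENSITIVE_PORTS:
            reasons.append("opens a core Windows service port to any address")
        if not e["label"]:
            reasons.append("no owning application recorded")
        reasons.append("not on the allowlist")
        flagged[e["name"]] = reasons
    # A consecutive block of one protocol looks like a program opening a range, not a user choice.
    for proto in ("TCP", "UDP"):
        ports = sorted({e["port"] for e in suspect if e["proto"] == proto})
        run = []
        for p in ports + [None]:
            if run and (p is None or p != run[-1] + 1):
                if len(run) >= RUN_LENGTH:
                    for q in run:
                        flagged[f"{q}:{proto}"].append(
                            f"part of a consecutive block {run[0]}-{run[-1]}/{proto}")
                run = []
            if p is not None:
                run.append(p)
    return flagged


def cfscript(flagged):
    """Render the flagged names as a Registry:: section; "name"=- deletes a value."""
    lines = ["Registry::", f"[{KEY}]"] + [f'"{name}"=-' for name in flagged]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = audit(parse_export(SAMPLE_EXPORT))
    for name, reasons in found.items():
        print(f"{name}: {'; '.join(reasons)}")
    print(cfscript(found))
```

The allowlisted Akamai entries never reach the output, so the generated section can be pasted without deleting the entries that the later ComboFix log shows as legitimately owned.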



#11 Parth

Parth

    Authentic Member

  • Authentic Member
  • PipPip
  • 156 posts

Posted 09 October 2010 - 08:52 AM

Here are the logs that you requested.... ComboFix 10-10-08.01 - Parthiv Thakore 10/09/2010 10:29:37.4.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1319 [GMT -4:00] Running from: c:\documents and settings\Parthiv Thakore\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Parthiv Thakore\Desktop\CFScript.txt AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0} FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0} file zipped: c:\windows\Anahua.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\Anahua.exe . ((((((((((((((((((((((((( Files Created from 2010-09-09 to 2010-10-09 ))))))))))))))))))))))))))))))) . 2010-10-07 14:58 . 2010-10-07 14:58 388096 ----a-r- c:\documents and settings\Parthiv Thakore\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe 2010-10-02 21:38 . 2010-10-08 19:08 664 ----a-w- c:\windows\system32\d3d9caps.dat 2010-10-02 16:07 . 2010-02-11 09:56 -------- d-----w- C:\Your Software Here 2010-10-02 14:00 . 2010-10-02 14:00 -------- d-----w- c:\program files\Wide Angle Software 2010-10-02 04:48 . 2010-10-02 17:01 -------- d-----w- c:\documents and settings\Parthiv Thakore\Local Settings\Application Data\tctemp 2010-10-02 04:33 . 2010-10-02 13:36 -------- d-----w- c:\documents and settings\Parthiv Thakore\Local Settings\Application Data\Wide Angle Software 2010-09-29 22:39 . 2010-09-29 22:40 -------- d-----w- c:\program files\iTunes 2010-09-29 22:33 . 2010-09-29 22:33 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.1.22\SetupAdmin.exe 2010-09-29 16:01 . 2010-09-29 16:06 116839 ----a-w- c:\windows\hpqins00.dat 2010-09-29 15:45 . 
2010-09-29 15:45 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant 2010-09-29 15:41 . 2010-09-29 15:50 77390 ----a-w- c:\windows\hpqins05.dat 2010-09-29 15:38 . 2010-09-29 15:38 -------- d-----w- c:\program files\Hewlett-Packard 2010-09-29 15:37 . 2008-01-25 12:22 729088 ----a-w- c:\windows\system32\hpowiax7.dll 2010-09-29 15:37 . 2008-01-25 12:22 303104 ----a-w- c:\windows\system32\hpovst15.dll 2010-09-29 15:37 . 2008-01-25 12:22 581632 ----a-w- c:\windows\system32\hpotscl6.dll 2010-09-29 15:37 . 2008-01-25 12:22 372736 ----a-w- c:\windows\system32\hppldcoi.dll 2010-09-29 15:37 . 2008-01-25 12:22 309760 ----a-w- c:\windows\system32\difxapi.dll 2010-09-29 15:26 . 2009-12-21 23:20 112056 ----a-w- c:\windows\system32\acaptuser32.dll 2010-09-29 15:24 . 2010-09-29 15:49 -------- d-----w- C:\_AcroTemp 2010-09-25 22:48 . 2010-09-25 22:48 -------- d-----w- c:\program files\Common Files\Hewlett-Packard 2010-09-25 22:48 . 2010-09-25 22:48 -------- d-----w- c:\program files\Common Files\HP 2010-09-25 22:47 . 2010-09-25 22:49 -------- d-----w- c:\program files\HP 2010-09-25 22:46 . 2010-09-29 15:39 163116 ----a-w- c:\windows\hpoins28.dat 2010-09-25 22:46 . 2008-05-12 19:46 796 ------w- c:\windows\hpomdl28.dat 2010-09-24 19:51 . 2010-09-24 19:51 -------- d-----w- c:\documents and settings\Parthiv Thakore\Local Settings\Application Data\VS Revo Group 2010-09-24 19:50 . 2009-12-30 16:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys 2010-09-24 19:50 . 2010-09-24 19:50 -------- d-----w- c:\program files\VS Revo Group 2010-09-24 19:15 . 2010-09-24 19:15 -------- d-----w- c:\documents and settings\Parthiv Thakore\Application Data\Registry Mechanic 2010-09-24 18:24 . 2010-09-24 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure 2010-09-24 14:21 . 2010-09-24 14:29 -------- d-----w- c:\documents and settings\Parthiv Thakore\Application Data\HpUpdate 2010-09-24 14:21 . 
2010-09-24 14:21 -------- d-----w- c:\windows\Cache 2010-09-24 14:21 . 2010-09-24 14:21 -------- d-----w- c:\program files\Coupons 2010-09-24 12:11 . 2010-09-24 12:11 503808 ----a-w- c:\documents and settings\Parthiv Thakore\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-530ba3d4-n\msvcp71.dll 2010-09-24 12:11 . 2010-09-24 12:11 499712 ----a-w- c:\documents and settings\Parthiv Thakore\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-530ba3d4-n\jmc.dll 2010-09-24 12:11 . 2010-09-24 12:11 348160 ----a-w- c:\documents and settings\Parthiv Thakore\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-530ba3d4-n\msvcr71.dll 2010-09-24 12:10 . 2010-09-24 12:10 61440 ----a-w- c:\documents and settings\Parthiv Thakore\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-523e0601-n\decora-sse.dll 2010-09-24 12:10 . 2010-09-24 12:10 12800 ----a-w- c:\documents and settings\Parthiv Thakore\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-523e0601-n\decora-d3d.dll 2010-09-24 04:08 . 2010-09-24 04:08 -------- d-----w- c:\program files\CCleaner 2010-09-24 03:38 . 2010-09-24 03:38 61440 ----a-w- c:\documents and settings\Default User\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-72f4d296-n\decora-sse.dll 2010-09-24 03:38 . 2010-09-24 03:38 503808 ----a-w- c:\documents and settings\Default User\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7e49a39c-n\msvcp71.dll 2010-09-24 03:38 . 2010-09-24 03:38 499712 ----a-w- c:\documents and settings\Default User\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7e49a39c-n\jmc.dll 2010-09-24 03:38 . 2010-09-24 03:38 348160 ----a-w- c:\documents and settings\Default User\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7e49a39c-n\msvcr71.dll 2010-09-24 03:38 . 
2010-09-24 03:38 12800 ----a-w- c:\documents and settings\Default User\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-72f4d296-n\decora-d3d.dll 2010-09-24 03:38 . 2010-09-24 03:38 -------- d-----w- c:\program files\Common Files\Java 2010-09-24 03:37 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll 2010-09-23 04:03 . 2010-09-23 04:03 -------- d-----w- c:\program files\Common Files\Macrovision Shared 2010-09-23 04:02 . 2009-08-20 03:50 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll 2010-09-23 04:02 . 2009-08-20 03:50 46928 ----a-w- c:\windows\system32\AdobePDF.dll 2010-09-21 18:37 . 2010-09-21 18:37 932288 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Acrobat\9.3\ARM\14107\AdobeARM.exe 2010-09-21 18:37 . 2010-09-21 18:37 70584 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Acrobat\9.3\ARM\14107\AdobeExtractFiles.dll 2010-09-21 18:37 . 2010-09-21 18:37 338856 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Acrobat\9.3\ARM\14107\ReaderUpdater.exe 2010-09-21 18:37 . 2010-09-21 18:37 338856 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\Acrobat\9.3\ARM\14107\AcrobatUpdater.exe 2010-09-19 23:21 . 2010-07-08 11:51 711168 ----a-w- c:\documents and settings\Parthiv Thakore\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\pmv307hw-1007080-0-main.dll 2010-09-19 23:21 . 2010-09-19 23:21 348160 ----a-w- c:\documents and settings\Parthiv Thakore\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe 2010-09-17 03:56 . 2010-09-17 03:56 -------- d-----w- c:\program files\Lavalys 2010-09-15 22:17 . 2010-09-15 22:17 -------- d-----w- c:\program files\QuickTime 2010-09-12 23:29 . 2010-09-12 23:30 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521} 2010-09-12 23:21 . 
2010-04-20 00:47 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll 2010-09-12 23:21 . 2010-09-12 23:21 -------- d-----w- c:\program files\Bonjour 2010-09-10 19:27 . 2010-09-10 19:27 -------- d-----w- c:\documents and settings\Parthiv Thakore\Application Data\dvdcss 2010-09-10 16:38 . 2010-09-10 16:38 -------- d-----w- c:\documents and settings\Parthiv Thakore\Application Data\TeamViewer . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-10-09 14:00 . 2010-07-11 18:07 -------- d-----w- c:\program files\Common Files\Akamai 2010-10-08 21:00 . 2006-06-09 15:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab 2010-10-08 20:58 . 2009-05-27 01:47 5476 --sha-w- c:\windows\system32\drivers\fidbox2.idx 2010-10-08 20:58 . 2009-05-27 01:47 1286176 --sha-w- c:\windows\system32\drivers\fidbox2.dat 2010-10-08 20:58 . 2009-05-27 01:47 5247008 --sha-w- c:\windows\system32\drivers\fidbox.dat 2010-10-08 20:58 . 2009-05-27 01:47 43120 --sha-w- c:\windows\system32\drivers\fidbox.idx 2010-10-02 15:30 . 2006-06-13 21:22 -------- d-----w- c:\documents and settings\Parthiv Thakore\Application Data\Apple Computer 2010-10-02 13:21 . 2010-10-07 16:38 178776 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat 2010-10-02 13:13 . 2010-03-31 17:56 -------- d-----w- c:\program files\JDownloader 2010-10-02 04:33 . 2007-07-16 19:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple 2010-09-29 22:39 . 2008-08-07 03:50 -------- d-----w- c:\program files\Common Files\Apple 2010-09-29 22:39 . 2006-06-13 21:20 -------- d-----w- c:\program files\iPod 2010-09-29 18:23 . 2006-06-09 01:33 34544 ----a-w- c:\documents and settings\Parthiv Thakore\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2010-09-29 15:49 . 2009-11-03 02:40 -------- d-----w- c:\program files\Microsoft Silverlight 2010-09-29 15:46 . 
2009-09-08 13:42 -------- d-----w- c:\documents and settings\All Users\Application Data\HP 2010-09-25 02:37 . 2006-06-13 21:22 -------- d-----w- c:\documents and settings\Parthiv Thakore\Application Data\Media Player Classic 2010-09-25 02:34 . 2010-08-11 16:38 -------- d-----w- c:\documents and settings\Parthiv Thakore\Application Data\PrimoPDF 2010-09-24 19:16 . 2008-12-01 16:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2010-09-24 04:10 . 2007-08-03 19:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2010-09-24 03:37 . 2006-06-13 21:44 -------- d-----w- c:\program files\Java 2010-09-23 23:41 . 2010-07-11 19:40 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet 2010-09-15 20:20 . 2009-05-27 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help 2010-09-09 01:42 . 2010-08-13 19:26 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll 2010-09-09 01:42 . 2010-09-09 01:42 56765 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe 2010-09-09 01:42 . 2010-05-04 17:38 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX 2010-09-09 01:42 . 2007-07-19 19:18 -------- d-----w- c:\program files\DivX 2010-09-09 01:42 . 2010-09-09 01:42 56997 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe 2010-09-09 01:41 . 2010-09-09 01:41 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe 2010-09-09 01:41 . 2010-09-09 01:41 57691 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe 2010-09-09 01:41 . 2010-09-09 01:41 84063 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe 2010-09-09 01:41 . 
2010-09-09 01:41 54153 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe 2010-09-09 01:03 . 2010-09-09 01:42 185640 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\finishPlugin.dll 2010-09-09 01:02 . 2010-08-13 19:25 1090856 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll 2010-09-09 01:02 . 2010-08-13 19:22 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe 2010-09-09 01:02 . 2010-08-13 19:25 850200 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe 2010-09-08 01:01 . 2010-08-13 19:25 -------- d-----w- c:\documents and settings\Parthiv Thakore\Application Data\DivX 2010-09-07 16:47 . 2010-09-07 16:46 -------- d-----w- c:\program files\Garmin 2010-09-07 16:47 . 2010-09-07 16:47 -------- d-----w- c:\program files\DIFX 2010-09-07 16:40 . 2010-09-07 16:40 12255080 ----a-w- c:\documents and settings\Parthiv Thakore\Application Data\Mozilla\Firefox\Profiles\5tuxkkf3.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll 2010-08-27 02:54 . 2010-08-27 02:54 137216 ----a-w- c:\documents and settings\All Users\Application Data\WorldWinner\shared\fmod.dll 2010-08-27 02:54 . 2010-08-27 02:54 339968 ----a-w- c:\documents and settings\All Users\Application Data\WorldWinner\dealornodeal\dealornodeal.dll 2010-08-27 02:54 . 2010-08-27 02:54 -------- d-----w- c:\documents and settings\All Users\Application Data\WorldWinner 2010-08-17 13:17 . 2004-08-10 11:00 58880 ----a-w- c:\windows\system32\spoolsv.exe 2010-08-13 19:25 . 2010-08-13 19:25 57054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe 2010-08-13 19:25 . 2010-08-13 19:25 54166 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe 2010-08-13 19:25 . 
2010-08-13 19:25 57532 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe 2010-08-13 19:24 . 2010-08-13 19:24 56458 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe 2010-08-13 19:24 . 2010-08-13 19:24 54174 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAACDecoder\Uninstaller.exe 2010-08-13 19:24 . 2010-08-13 19:24 54128 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Converter\Uninstaller.exe 2010-08-13 19:24 . 2010-08-13 19:24 54644 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe 2010-08-13 19:24 . 2010-08-13 19:24 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe 2010-08-13 19:24 . 2010-08-13 19:24 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe 2010-08-13 19:24 . 2010-08-13 19:24 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe 2010-08-13 19:24 . 2010-08-13 19:24 -------- d-----w- c:\program files\Common Files\DivX Shared 2010-08-13 19:24 . 2010-08-13 19:24 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe 2010-08-13 19:24 . 2010-08-13 19:24 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe 2010-08-11 16:36 . 2010-08-11 16:36 -------- d-----w- c:\program files\Nitro PDF 2010-07-29 16:26 . 2009-05-27 01:48 97549 ----a-w- c:\windows\system32\drivers\klick.dat 2010-07-29 16:26 . 2009-05-27 01:48 113933 ----a-w- c:\windows\system32\drivers\klin.dat 2010-07-27 22:44 . 2010-07-27 22:44 91424 ----a-w- c:\windows\system32\dnssd.dll 2010-07-27 22:44 . 2010-07-27 22:44 197920 ----a-w- c:\windows\system32\dnssdX.dll 2010-07-27 22:44 . 2010-07-27 22:44 107808 ----a-w- c:\windows\system32\dns-sd.exe 2010-07-22 15:49 . 
2004-08-10 11:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll 2010-07-22 05:57 . 2009-04-17 13:40 5120 ----a-w- c:\windows\system32\xpsp4res.dll 2010-07-11 17:58 . 2010-07-11 17:59 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe 2010-07-11 17:58 . 2010-07-11 17:57 38784 ----a-w- c:\documents and settings\Parthiv Thakore\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe 2007-04-06 20:54 . 2007-04-06 20:14 80 --sh--r- c:\windows\system32\18CBEC2B90.dll . (((((((((((((((((((((((((((((((((((((((((((( Look ))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . ---- Directory of C:\Your Software Here ---- 2010-10-02 16:07 . 2010-02-11 09:48 115 ----a-w- c:\your software here\Link here to download Free Software's.url 2010-10-02 16:07 . 2010-02-11 09:49 184 ----a-w- c:\your software here\READ ME.txt 2010-10-02 16:07 . 2010-02-11 04:25 13128704 ----a-w- c:\your software here\TouchCopy09.msi 2010-10-02 16:07 . 2010-01-11 10:57 116 ----a-w- c:\your software here\Amazing ebooks Download.url ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SetDefaultMIDI"="MIDIDef.exe" [2004-12-23 24576] "Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-07-21 208616] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552] "SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 339968] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888] "CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 57344] "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-06-19 38840] "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-06-19 640440] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-08 47904] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160] c:\documents and settings\All Users\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit] 2007-11-15 22:46 87352 ----a-w- c:\windows\system32\LMIinit.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 nwprovau [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-] "Adobe Acrobat Synchronizer"="c:\program files\Adobe\Acrobat 9.0\Acrobat\AdobeCollabSync.exe" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] "Adobe ARM"="c:\program files\Common 
Files\Adobe\ARM\1.0\AdobeARM.exe" "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW "dlcdmon.exe"="c:\program files\Dell Photo AIO Printer 944\dlcdmon.exe" "HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe "parth1"=c:\program files\parth1\parth1.exe "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" "MemoryCardManager"="c:\program files\Dell Photo AIO Printer 944\memcard.exe" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\mIRC\\mirc.exe"= "c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"= "c:\\Program Files\\Maxthon\\Maxthon.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"= "c:\\Program Files\\AGEIA Technologies\\TrayIcon.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"= "c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"= "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"= "c:\\Program Files\\Foxit Software\\PDF Editor\\PDFEdit.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\v8200\\DMMultiView\\MultiView.exe"= "c:\\Documents and Settings\\Parthiv Thakore\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"= 
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"= "c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"= "c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"= "c:\\Program Files\\Java\\jre6\\bin\\java.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "1036:TCP"= 1036:TCP:Akamai NetSession Interface "5000:UDP"= 5000:UDP:Akamai NetSession Interface R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 5:29 PM 33808] R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/10/2004 7:00 AM 14336] R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 6:02 PM 26640] R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 5:06 PM 24592] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/31/2009 10:11 PM 133104] S2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?] S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [9/24/2010 3:50 PM 27064] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 Akamai REG_MULTI_SZ Akamai hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc . 
Contents of the 'Scheduled Tasks' folder 2010-10-06 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34] 2010-10-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-11-01 02:11] 2010-10-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-11-01 02:11] . . ------- Supplementary Scan ------- . uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 ustart page = about:blank uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 DPF: {ADACAA8F-3595-47FE-9C31-9C7471B9BEC7} - hxxp://68.213.32.251/cab/OCXChecker_8198.cab DPF: {FEC048AB-277A-460C-BF50-1A4193AEF148} - hxxp://68.213.32.251/cab/DownloadCenter_8200.cab FF - ProfilePath - c:\documents and settings\Parthiv Thakore\Application Data\Mozilla\Firefox\Profiles\5tuxkkf3.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/ FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll FF - plugin: c:\documents and settings\Parthiv Thakore\Application Data\Mozilla\Firefox\Profiles\5tuxkkf3.default\extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E}\plugins\npGarmin.dll FF - 
plugin: c:\documents and settings\Parthiv Thakore\Application Data\Mozilla\Firefox\Profiles\5tuxkkf3.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll FF - plugin: c:\documents and settings\Parthiv Thakore\Application Data\Mozilla\Firefox\Profiles\5tuxkkf3.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- FF - user.js: yahoo.ytff.general.dontshowhpoffer - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false); . . 
--------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}] @Denied: (Full) (Everyone) "scansk"=hex(0):54,66,12,ac,67,6b,52,df,d5,ad,8c,bb,67,4d,43,24,60,a5,fa,8f,97, 5c,44,5d,3b,75,d4,78,35,d9,4d,08,81,3f,d4,0b,08,d2,b4,fe,00,00,00,00,00,00,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}] @Denied: (Full) (Everyone) "scansk"=hex(0):84,df,ca,bd,3f,dc,3a,be,60,94,0e,f6,9f,c5,52,d2,53,85,eb,b3,49, 0a,2e,9c,ca,79,94,b5,25,37,2e,da,f0,ac,86,a3,82,78,fe,dd,00,00,00,00,00,00,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{85bc9adf-f379-4bdf-bd85-701218c36723}] @Denied: (Full) (Everyone) "Model"=dword:0000002e "Therad"=dword:00000010 "MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a, 1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\ [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{ecbefe36-efea-434d-822a-fd1b484e49d6}] @Denied: (Full) (Everyone) "Model"=dword:00000156 "Therad"=dword:0000001e "MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26, 38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\ [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" 
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(972)
c:\windows\system32\LMIinit.dll
.
Completion time: 2010-10-09 10:37:19
ComboFix-quarantined-files.txt 2010-10-09 14:37
ComboFix2.txt 2010-10-08 21:10
Pre-Run: 165,884,661,760 bytes free
Post-Run: 165,864,706,048 bytes free
- - End Of File - - 4C5A66E07E63CCEA6FBA59F29EAA28B7

Upload was successful

And here is the systemlook...

SystemLook 04.09.10 by jpshortstuff
Log created at 10:51 on 09/10/2010 by Parthiv Thakore
Administrator - Elevation successful

========== filefind ==========

Searching for "*AVC.exe*"
C:\WINDOWS\Prefetch\AVC.EXE-20EE82B1.pf --a---- 45036 bytes [04:38 02/10/2010] [20:30 08/10/2010] 7AB5DC6DA188ED7A8EFBFF83172B153E

-= EOF =-

#12 JonTom

    Teacher Emeritus
    Malware Team, 5,496 posts

Posted 09 October 2010 - 11:58 AM

Hello Parth

Thank you for the log.

Please navigate to, and scan the file in bold using Virus Total:

C:\WINDOWS\Prefetch\AVC.EXE-20EE82B1.pf


Scan your system again with DDS (I only need to see the DDS.txt log, no need for the attach.txt).

Please post both logs in your next reply :)
Would you like to help others? Join the Classroom and learn how.
 
Member of UNITE
Proud Graduate of the WTT Classroom

#13 Parth

    Authentic Member
    156 posts

Posted 09 October 2010 - 12:11 PM

Here is the VirusTotal for the file: Working on dds now...

File name: AVC.EXE-20EE82B1.pf
Submission date: 2010-10-09 18:10:08 (UTC)
Current status: finished
Result: 0/43 (0.0%)
VT Community: not reviewed
Safety score: -

Antivirus / Version / Last Update / Result
AhnLab-V3 2010.10.09.00 2010.10.08 -
AntiVir 7.10.12.167 2010.10.08 -
Antiy-AVL 2.0.3.7 2010.10.09 -
Authentium 5.2.0.5 2010.10.09 -
Avast 4.8.1351.0 2010.10.09 -
Avast5 5.0.594.0 2010.10.09 -
AVG 9.0.0.851 2010.10.09 -
BitDefender 7.2 2010.10.09 -
CAT-QuickHeal 11.00 2010.10.09 -
ClamAV 0.96.2.0-git 2010.10.09 -
Comodo 6331 2010.10.09 -
DrWeb 5.0.2.03300 2010.10.09 -
Emsisoft 5.0.0.50 2010.10.09 -
eSafe 7.0.17.0 2010.10.07 -
eTrust-Vet 36.1.7901 2010.10.08 -
F-Prot 4.6.2.117 2010.10.08 -
F-Secure 9.0.15370.0 2010.10.09 -
Fortinet 4.2.249.0 2010.10.09 -
GData 21 2010.10.09 -
Ikarus T3.1.1.90.0 2010.10.09 -
Jiangmin 13.0.900 2010.10.09 -
K7AntiVirus 9.65.2713 2010.10.09 -
Kaspersky 7.0.0.125 2010.10.09 -
McAfee 5.400.0.1158 2010.10.09 -
McAfee-GW-Edition 2010.1C 2010.10.09 -
Microsoft 1.6201 2010.10.09 -
NOD32 5518 2010.10.09 -
Norman 6.06.07 2010.10.09 -
nProtect 2010-10-09.01 2010.10.09 -
Panda 10.0.2.7 2010.10.09 -
PCTools 7.0.3.5 2010.10.09 -
Prevx 3.0 2010.10.09 -
Rising 22.68.05.00 2010.10.09 -
Sophos 4.58.0 2010.10.09 -
Sunbelt 7024 2010.10.09 -
SUPERAntiSpyware 4.40.0.1006 2010.10.09 -
Symantec 20101.2.0.161 2010.10.09 -
TheHacker 6.7.0.1.053 2010.10.09 -
TrendMicro 9.120.0.1004 2010.10.09 -
TrendMicro-HouseCall 9.120.0.1004 2010.10.09 -
VBA32 3.12.14.1 2010.10.08 -
ViRobot 2010.9.25.4060 2010.10.09 -
VirusBuster 12.67.10.0 2010.10.09 -

Additional information
MD5: 7ab5dc6da188ed7a8efbff83172b153e
SHA1: 882970525889c1b792d71937632eb3d27c708b28
SHA256: 45c420b7b8983e36faaff03cc96cdc23f861375489c3c54a12a2ade35198ae3f
ssdeep: 768:CzU+GPVIIBIfJkP1RSmZYOZHqkWWx4QTrk1VitSqS4NPApwqZz:Co+GP/WkP1R/YO5QWxRr QV9h40waz
File size: 45036 bytes
First seen: 2010-10-09 18:10:08
Last seen: 2010-10-09 18:10:08
TrID: Microsoft Windows XP Prefetch file (98.9%), LTAC compressed audio (v1.71) (1.0%)
sigcheck:
publisher: n/a
copyright: n/a
product: n/a
description: n/a
original name: n/a
internal name: n/a
file version: n/a
comments: n/a
signers: -
signing date: -
verified: Unsigned

#14 Parth

    Authentic Member
    156 posts

Posted 09 October 2010 - 12:12 PM

Ok, got a problem with dds.scr... It just opens a black window real quick and closes it automatically... Any suggestions on how else I can run it ?

#15 JonTom

    Teacher Emeritus
    Malware Team, 5,496 posts

Posted 09 October 2010 - 12:33 PM

Hello Parth

That file appears to be clean.

It just opens a black window real quick and closes it automatically

Never encountered that before...

Are you able to scan with HJT?

If so, please run a scan and post the log created :)
