Internet Explorer Homepage Changed To Http:///
Suggest A Fix PC Support Forums > Security > Malicious Code: Viruses, Trojans, Spyware and Browser HiJacking
abbas
Hello,

I am using Windows XP Pro with SP2 and IE7. For a few days now my home page has been changed to http:/// (triple slash) and I cannot change it back to any other site; as soon as I change it, it's changed back to http:/// immediately again.

Following is the log from a HijackThis scan...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:35:52 AM, on 6/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\eTSrv.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\TeamViewer3\TeamViewer_Host.exe
C:\Program files\SourceNDP\bin\SourceNDPManager.exe
C:\Program Files\TeamViewer3\TeamViewer.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.divx.com/divx/webplayerdemo/en?r...dist=divxdotcom
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\AngAntiVirus.vbs
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [CertStoreInit] C:\WINDOWS\system32\CertStoreInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{497604C6-324E-4A18-B4BC-A91FE6058608}: NameServer = 10.8.144.1
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: eToken Notification Service (ETOKSRV) - Aladdin Ltd. - C:\WINDOWS\system32\eTSrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: TeamViewer 3 (TeamViewer) - Unknown owner - C:\Program Files\TeamViewer3\TeamViewer_Host.exe
O23 - Service: Unisys Source NDP Manager Service (Unisys_CAPI_TSManager) - Unknown owner - C:\Program files\SourceNDP\bin\SourceNDPManager.exe

--
End of file - 5716 bytes

I would be grateful if someone can help me.

Regards,
Abbas.
HKEd
Hello Abbas... run HijackThis and click on 'Do a system scan only'. Put a check in the box next to this line:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\AngAntiVirus.vbs

Click on 'Fix checked' and close HijackThis.

Reboot and locate AngAntiVirus.vbs in the C:\WINDOWS\system32 folder. Delete it.

Let us know if that fixes the problem.

I'll move this thread to the Malicious Code forum.
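The F2 line HKEd points at is HijackThis's rendering of the Winlogon Userinit value (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit). Winlogon runs every comma-separated entry in that value at each interactive logon, so anything appended after the genuine userinit.exe is a persistence point; HijackThis's 'Fix checked' puts the default value back, and as the rest of the thread shows, the value is worth re-checking after a reboot. The following script is an added example, not code from the thread or from HijackThis: it scans HijackThis output for the F2 line and returns the non-default commands. The sample log text is constructed from the lines posted above; the function names and the `system_root` default are assumptions for illustration.

```python
"""Flag a hijacked Winlogon Userinit value in a HijackThis log.

Added example, not from the forum thread. SAMPLE_HJT_LOG is constructed from
lines posted in the thread; function names and defaults are illustrative.
"""
import re

# Constructed sample: the F2 line exactly as HijackThis printed it, plus two
# neighbouring lines so the scanner has to pick out the right one.
SAMPLE_HJT_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = local
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\wscript.exe C:\\WINDOWS\\system32\\AngAntiVirus.vbs
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
"""

# Stock XP value. Windows leaves a trailing comma; that empty entry is not a hijack.
DEFAULT_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"

_F2_USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.IGNORECASE)


def _normalise(entry):
    """Lower-case, strip surrounding quotes/whitespace, unify slash style."""
    return entry.strip().strip('"').lower().replace("/", "\\")


def userinit_extras(value, system_root=r"C:\WINDOWS"):
    """Return every command in a Userinit value that is not the stock userinit.exe.

    The value is a comma-separated list and Winlogon starts each entry in turn,
    so anything beyond the genuine userinit.exe runs at every interactive logon.
    Empty entries (from the trailing comma) are ignored; a userinit.exe living
    anywhere other than <system_root>\\system32 is still reported.
    """
    legit = _normalise(system_root + r"\system32\userinit.exe")
    extras = []
    for raw in value.split(","):
        entry = _normalise(raw)
        if not entry or entry == legit:
            continue
        extras.append(raw.strip())
    return extras


def find_userinit_hijack(log_text, system_root=r"C:\WINDOWS"):
    """Scan HijackThis output; return the extra Userinit commands (empty list = clean)."""
    for line in log_text.splitlines():
        m = _F2_USERINIT.match(line.strip())
        if m:
            return userinit_extras(m.group("value"), system_root)
    # HijackThis only prints the F2 line when the value differs from the default.
    return []


if __name__ == "__main__":
    for cmd in find_userinit_hijack(SAMPLE_HJT_LOG):
        print("extra Userinit command:", cmd)
```

Run against the posted log the script reports the single appended command, `wscript.exe` launching AngAntiVirus.vbs; the stock value and a quoted, differently-cased `"C:\WINDOWS\System32\userinit.exe",` both come back clean. The comparison is against the full path on purpose: a copy of userinit.exe dropped in another directory would otherwise pass by name alone.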
abbas
Hello Hked,

Really appreciate your prompt reply. I have followed the above steps, rebooted and checked for angantivirus.vbs in the C:\WINDOWS\system32 folder, but couldn't find it. I checked even the hidden files.

And in HijackThis, when I select this entry and fix it, it comes back again on rescanning. The problem still persists.

What can we do next, please?

Regards.
HKEd
I've not come across this one before, but if AngAntiVirus came back, there's a hidden file reloading it. It's just a matter of finding it.

Download Deckard's System Scanner to the desktop (the download link is in the centre, about 2/3rds of the way down the page). Run Dss.exe and post the log it generates.
abbas
Thanks HKed,

I downloaded DSS.exe. While running it, when it reaches the "Scanning Event Logs" stage, it gives an error. I have attached a screenshot of the error.

Please advise.


HKEd
Try running it in safe mode - instructions here.
abbas
No luck buddy. Same error in safe mode as well.
HKEd
Run SilentRunners.VBS and post the log it generates.

Wait for the prompt that the scan has finished, otherwise the log will be incomplete.
abbas
Thanks again HKed, here you go.


"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Yahoo! Pager" = ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet" ["Yahoo! Inc."]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"SoundMAXPnP" = "C:\Program Files\Analog Devices\Core\smax4pnp.exe" ["Analog Devices, Inc."]
"SoundMAX" = "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray" ["Analog Devices, Inc."]
"avast!" = "C:\PROGRA~1\Avast4\ashDisp.exe" ["ALWIL Software"]
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"Persistence" = "C:\WINDOWS\system32\igfxpers.exe" ["Intel Corporation"]
"CertStoreInit" = "C:\WINDOWS\system32\CertStoreInit" [" Aladdin Ltd. "]
"QuickTime Task" = ""C:\Program Files\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Avast4\ashShell.dll" ["ALWIL Software"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{97090E2F-3062-4459-855B-014F0D3CDBB1}" = "Windows Search Deskbar"
-> {HKCU...CLSID} = "Windows Search Deskbar"
\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\deskbar.dll" [MS]
-> {HKLM...CLSID} = "Windows Search Deskbar"
\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\deskbar.dll" [MS]
"{13E7F612-F261-4391-BEA2-39DF4F3FA311}" = "Windows Desktop Search"
-> {HKLM...CLSID} = "Windows Desktop Search"
\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\msnlExt.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{56F9679E-7826-4C84-81F3-532071A8BCC5}" = (no title provided)
-> {HKLM...CLSID} = "Windows Desktop Search Namespace Manager"
\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "Userinit" = "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\AngAntiVirus.vbs" [MS], [MS], [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Avast4\ashShell.dll" ["ALWIL Software"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Avast4\ashShell.dll" ["ALWIL Software"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Abbas\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

BridgeCS3ImportMediaOnArrival\
"Provider" = "Adobe Bridge CS3"
"InvokeProgID" = "Adobe.adobebridge"
"InvokeVerb" = "launch"
HKLM\SOFTWARE\Classes\Adobe.adobebridge\shell\launch\command\(Default) = "C:\Program Files\Adobe\Adobe Bridge CS3\bridgeproxy.exe -v %1" ["Adobe Systems, Inc."]

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##, Bonjour Service, ""C:\Program Files\Bonjour\mDNSResponder.exe"" ["Apple Computer, Inc."]
avast! Antivirus, avast! Antivirus, ""C:\Program Files\Avast4\ashServ.exe"" ["ALWIL Software"]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Avast4\aswUpdSv.exe"" ["ALWIL Software"]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
eToken Notification Service, ETOKSRV, "C:\WINDOWS\system32\eTSrv.exe" ["Aladdin Ltd. "]
Hotspot Shield Service, HotspotShieldService, "C:\Program Files\Hotspot Shield\bin\openvpnas.exe" [null data]
TeamViewer 3, TeamViewer, ""C:\Program Files\TeamViewer3\TeamViewer_Host.exe" -service" [null data]
ThinkPad PM Service, IBMPMSVC, "C:\WINDOWS\system32\ibmpmsvc.exe" ["Lenovo"]
Unisys Source NDP Manager Service, Unisys_CAPI_TSManager, "C:\Program files\SourceNDP\bin\SourceNDPManager.exe" [null data]
Windows Search, WSearch, "C:\WINDOWS\system32\SearchIndexer.exe /Embedding" [MS]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
CutePDF Writer Monitor\Driver = "cpwmon2k.dll" [null data]


---------- (launch time: 2008-06-14 10:26:40)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 54 seconds, including 14 seconds for message boxes)
HKEd
SilentRunners looks OK, so we have to find another way of locating the file(s).

Download Malwarebytes Anti-Malware to the desktop.
    * Double-click on Download_mbam-setup.exe to install the application.
    * When the installation begins, follow the prompts and do not make any changes to default settings.
    * When installation has finished, make sure you leave both these checked:
    o Update Malwarebytes Anti-Malware
    o Launch Malwarebytes Anti-Malware
    * Then click Finish.
    * MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    * On the Scanner tab:
    o Make sure the "Perform Full Scan" option is selected.
    o Then click on the Scan button.
    * The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
    * The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    * When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    * Click OK to close the message box and continue with the removal process.
    * Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    * Make sure that everything is checked, and click Remove Selected.
    * When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    * The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    * Copy and paste the contents of that report in your next reply along with a fresh HijackThis log.
NB - If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process and, if asked to restart the computer, please do so immediately.

abbas
MBAM scan done, found 2 infections. The log is as follows:

Malwarebytes' Anti-Malware 1.17
Database version: 857

5:10:57 PM 6/15/2008
mbam-log-6-15-2008 (17-10-57).txt

Scan type: Full Scan (C:\|D:\|F:\|)
Objects scanned: 140883
Time elapsed: 32 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

__________________________________________________________________________________

HIJACKTHIS SCAN IS AS FOLLOWS:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:20:07 PM, on 6/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wscript.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\eTSrv.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TeamViewer3\TeamViewer_Host.exe
C:\Program files\SourceNDP\bin\SourceNDPManager.exe
C:\Program Files\TeamViewer3\TeamViewer.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.divx.com/divx/webplayerdemo/en?r...dist=divxdotcom
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.emirates.net.ae:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wscript.exe C:\WINDOWS\system32\AngAntiVirus.vbs
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [CertStoreInit] C:\WINDOWS\system32\CertStoreInit
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{497604C6-324E-4A18-B4BC-A91FE6058608}: NameServer = 10.8.144.1
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: eToken Notification Service (ETOKSRV) - Aladdin Ltd. - C:\WINDOWS\system32\eTSrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: TeamViewer 3 (TeamViewer) - Unknown owner - C:\Program Files\TeamViewer3\TeamViewer_Host.exe
O23 - Service: Unisys Source NDP Manager Service (Unisys_CAPI_TSManager) - Unknown owner - C:\Program files\SourceNDP\bin\SourceNDPManager.exe

--
End of file - 5744 bytes

HKEd
Log just shows a couple of registry items, text really. We're no closer to finding the hidden file.

Can you locate that C:\WINDOWS\system32\AngAntiVirus.vbs file, zip it and email it to me? You can get my email address by clicking on my user name.

Download ComboFix to the desktop.

Disconnect from the internet and disable Avast. See if ComboFix will run and post the log it generates (don't forget to re-enable Avast). Please don't mouse-click in the ComboFix window when it's running as this will cause it to stall.
abbas
I still cannot find C:\WINDOWS\system32\AngAntiVirus.vbs, I checked even the hidden files. The combofix log is as follows.

ComboFix 08-06-15.1 - Abbas 2008-06-16 8:42:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.367 [GMT 4:00]
Running from: C:\Documents and Settings\Abbas\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cfx32.ocx
C:\WINDOWS\system32\x64
E:\copy.exe
E:\host.exe
F:\copy.exe
F:\host.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-16 to 2008-06-16 )))))))))))))))))))))))))))))))
.

2008-06-15 16:20 . 2008-06-15 16:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-15 16:20 . 2008-06-15 16:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-15 16:20 . 2008-06-15 16:20 <DIR> d-------- C:\Documents and Settings\Abbas\Application Data\Malwarebytes
2008-06-15 16:20 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-15 16:20 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-15 16:19 . 2008-06-15 16:19 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-13 13:29 . 2008-06-13 13:29 <DIR> d-------- C:\Deckard
2008-06-13 09:48 . 2008-06-13 09:48 38,712 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-06-13 09:47 . 2008-06-13 09:47 <DIR> d-------- C:\Documents and Settings\Abbas\Application Data\Apple Computer
2008-06-13 09:46 . 2008-06-13 09:47 <DIR> d-------- C:\Program Files\Safari
2008-06-13 09:46 . 2008-06-13 09:46 <DIR> d-------- C:\Program Files\Apple Software Update
2008-06-13 09:46 . 2008-06-13 09:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-06-13 09:35 . 2008-06-15 17:20 <DIR> d-------- C:\Program Files\Hijack
2008-06-11 23:47 . 2008-04-14 15:01 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 23:47 . 2008-04-14 15:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 16:08 . 2008-06-11 16:08 <DIR> d-------- C:\Documents and Settings\Abbas\Application Data\Oxford
2008-06-11 16:07 . 2008-06-11 16:27 13 --a------ C:\WINDOWS\TEXTware.ini
2008-06-09 13:17 . 2008-06-09 13:17 <DIR> d-------- C:\Program Files\Oxford
2008-06-08 10:38 . 2008-06-08 10:39 <DIR> d-------- C:\Program Files\FOX Video Converter
2008-06-08 10:38 . 2004-05-26 21:37 719,872 --a------ C:\WINDOWS\system32\devil.dll
2008-06-08 10:38 . 2003-03-19 11:03 544,768 --a------ C:\WINDOWS\system32\msvcr71d.dll
2008-06-08 10:38 . 2002-01-05 14:37 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-06-08 10:38 . 2006-09-16 19:44 314,368 --a------ C:\WINDOWS\system32\avisynth.dll
2008-06-08 10:21 . 2008-06-08 10:22 <DIR> d-------- C:\Program Files\Video Editor
2008-06-08 08:53 . 2008-06-08 08:53 0 --a------ C:\WINDOWS\SMMVSplitter.INI
2008-06-08 08:52 . 2008-06-08 10:29 <DIR> d-------- C:\Program Files\Common Files\Elecard
2008-06-07 01:47 . 2008-06-07 01:48 <DIR> d-------- C:\Program Files\QuickTime
2008-06-07 01:47 . 2008-06-07 01:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-06 10:31 . 2008-06-06 10:31 <DIR> d-------- C:\Program Files\Hotspot Shield
2008-06-05 17:01 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-06-03 14:00 . 2008-06-03 14:00 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-06-03 13:59 . 2008-06-03 13:59 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-06-03 13:59 . 2008-06-03 13:59 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-06-03 13:43 . 2008-06-03 13:43 <DIR> d-------- C:\Program Files\AC3Filter
2008-06-03 13:43 . 2007-08-18 11:54 380,928 --a------ C:\WINDOWS\system32\ac3filter.acm
2008-06-01 10:44 . 2008-06-01 10:44 8,502 -rahs---- C:\WINDOWS\system32\AngAntiVirus.vbs
2008-05-31 13:03 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-05-31 13:03 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-05-31 13:03 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-05-31 13:03 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-05-30 19:09 . 2008-05-30 19:09 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-05-29 12:00 . 2008-05-29 12:00 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-05-29 12:00 . 2003-09-15 11:15 137,824 --a------ C:\WINDOWS\system32\drivers\aksifdh.sys
2008-05-29 12:00 . 2003-09-15 11:15 62,456 --a------ C:\WINDOWS\system32\drivers\AksUp.sys
2008-05-29 11:59 . 2008-06-16 08:25 <DIR> d-------- C:\Program Files\SourceNDP
2008-05-29 11:59 . 2008-05-29 12:00 <DIR> d-------- C:\Program Files\Common Files\Unisys
2008-05-29 11:59 . 2001-05-10 00:01 729,088 --a------ C:\WINDOWS\system32\_ISource21.dll
2008-05-29 11:59 . 2001-11-09 09:37 172,032 --a------ C:\WINDOWS\system32\psImage.ocx
2008-05-28 20:10 . 2008-05-28 20:10 <DIR> d-------- C:\Documents and Settings\Abbas\Application Data\Talkback
2008-05-28 20:10 . 2008-05-28 20:10 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-26 23:51 . 2008-05-26 23:52 <DIR> d-------- C:\Program Files\Trickshot
2008-05-24 13:12 . 2008-06-07 02:09 <DIR> d-------- C:\Documents and Settings\Abbas\Application Data\LimeWire
2008-05-21 16:55 . 2008-06-14 22:26 <DIR> d-------- C:\_Souq_
2008-05-21 09:16 . 2008-05-21 09:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-21 08:54 . 2007-02-20 16:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-05-21 08:54 . 2007-02-20 16:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-05-21 08:46 . 2008-05-21 08:46 <DIR> d-------- C:\Program Files\Bonjour
2008-05-21 08:40 . 2008-05-21 08:40 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-21 00:32 . 2008-05-21 00:32 <DIR> d--h----- C:\WINDOWS\PIF
2008-05-20 23:47 . 2008-05-20 23:47 <DIR> d-------- C:\Documents and Settings\Abbas\Application Data\Windows Desktop Search
2008-05-20 23:43 . 2008-05-20 23:43 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-05-20 23:21 . 2008-05-21 03:17 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-05-20 23:21 . 2008-05-21 08:57 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-05-20 18:18 . 2008-05-20 18:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-05-20 18:18 . 2008-06-16 07:56 <DIR> d-------- C:\Documents and Settings\Abbas\Application Data\Azureus
2008-05-20 18:14 . 2008-05-20 18:14 <DIR> d-------- C:\Program Files\CONEXANT
2008-05-20 17:58 . 2008-05-20 17:58 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\TeamViewer
2008-05-20 17:08 . 2008-05-20 17:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-05-20 17:02 . 2008-05-27 22:21 <DIR> d-------- C:\Documents and Settings\Abbas\Application Data\DivX
2008-05-20 17:02 . 2004-08-03 23:37 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-05-20 16:59 . 2008-05-20 18:37 <DIR> d-------- C:\Program Files\Azureus
2008-05-20 16:57 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-20 16:56 . 2008-05-20 16:57 <DIR> d-------- C:\Program Files\Java
2008-05-20 16:49 . 2008-05-20 16:49 <DIR> d-------- C:\Program Files\IrfanView
2008-05-20 16:45 . 2008-05-20 16:45 <DIR> d-------- C:\Program Files\Yahoo!
2008-05-20 16:41 . 2008-05-20 16:41 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-20 16:40 . 2008-04-23 08:16 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-05-20 16:40 . 2007-04-17 13:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-05-20 16:40 . 2007-03-08 09:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-05-20 16:40 . 2008-04-23 08:16 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-05-20 16:40 . 2008-04-23 08:16 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-05-20 16:40 . 2008-04-23 08:16 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-05-20 16:40 . 2008-04-23 08:16 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-05-20 16:40 . 2008-04-23 08:16 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-05-20 16:40 . 2008-04-22 11:39 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-05-20 16:39 . 2008-05-20 16:57 <DIR> d-------- C:\Program Files\LimeWire
2008-05-20 16:36 . 2008-05-20 16:36 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\TeamViewer
2008-05-20 16:36 . 2008-06-13 22:50 <DIR> d-------- C:\Program Files\TeamViewer3
2008-05-20 16:36 . 2008-05-27 13:59 <DIR> d-------- C:\Documents and Settings\Abbas\Application Data\TeamViewer
2008-05-20 16:35 . 2008-05-20 16:35 <DIR> d-------- C:\Documents and Settings\Abbas\temp
2008-05-20 16:24 . 2008-05-20 16:24 <DIR> d-------- C:\Program Files\Google
2008-05-20 16:23 . 2008-05-20 16:23 <DIR> d-------- C:\Program Files\GPLGS
2008-05-20 16:18 . 2008-05-20 16:18 <DIR> d-------- C:\Program Files\DivX
2008-05-20 16:18 . 2008-05-20 16:18 <DIR> d-------- C:\Program Files\Acro Software
2008-05-20 16:13 . 2008-05-20 16:13 <DIR> d-------- C:\Program Files\Microsoft Works
2008-05-20 16:09 . 2008-05-20 16:10 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-05-20 16:08 . 2008-05-20 16:08 <DIR> dr-h----- C:\MSOCache
2008-05-20 16:08 . 2008-05-26 08:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-20 16:08 . 2006-03-17 04:38 28,672 --------- C:\WINDOWS\system32\verclsid.exe
2008-05-20 16:02 . 2008-05-21 23:53 <DIR> d-------- C:\Program Files\Avast4
2008-05-20 16:01 . 2006-06-14 12:47 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2008-05-20 16:00 . 2008-05-20 16:00 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-05-20 16:00 . 2008-05-20 16:00 <DIR> d-------- C:\Program Files\Analog Devices

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-20 12:00 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-20 11:59 --------- d-----w C:\Program Files\Synaptics
2008-05-20 11:56 --------- d-----w C:\Program Files\Lenovo
2008-05-20 11:40 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
.
----a-w           246,864 2007-02-21 14:41:06  C:\_Souq_\Products\Ebooks\Temp\82 New Ebooks With Resale\Atkins\Optimal Nutrition Versus Atkins Diet .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43 4670704]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:37 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2007-04-25 00:41 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-25 00:41 512000]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-04-25 00:41 925696]
"avast!"="C:\PROGRA~1\Avast4\ashDisp.exe" [2008-05-16 03:19 79224]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-08-09 16:32 135168]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2007-08-09 16:32 155648]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2007-08-09 16:32 131072]
"CertStoreInit"="C:\WINDOWS\system32\CertStoreInit" [ ]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=C:\WINDOWS\pss\Windows Desktop Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-02 01:22 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 20:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-10 15:27 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-12-14 03:42 144784 C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 03:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 03:16]
R2 TeamViewer;TeamViewer 3;"C:\Program Files\TeamViewer3\TeamViewer_Host.exe" -service []
R2 Unisys_CAPI_TSManager;Unisys Source NDP Manager Service;C:\Program files\SourceNDP\bin\SourceNDPManager.exe [2007-03-06 07:56]
R3 tapvpn;TAP VPN Adapter;C:\WINDOWS\system32\DRIVERS\tapvpn.sys [2008-01-24 01:25]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7b91ebd-2ae5-11dd-9fc0-0018deb00d10}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe AngAntiVirus.vbs

*Newly Created Service* - CATCHME
*Newly Created Service* - DMADMIN
*Newly Created Service* - DMSERVER
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-16 08:46:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-16 8:47:06
ComboFix-quarantined-files.txt 2008-06-16 04:46:46

Pre-Run: 9,216,483,328 bytes free
Post-Run: 9,909,202,944 bytes free

212 --- E O F --- 2008-06-12 06:58:49

HKEd
The only file I can't find any details on is this:

C:\WINDOWS\system32\psImage.ocx

Can you locate it and right-click > Properties to check for any company name or other info?
abbas
The company name for C:\WINDOWS\system32\psImage.ocx is showing as Unisys. Officially, I use a software for Source NDP machines on my laptop which is Unisys make. So I guess this file is related to that, it should be safe.

And the homepage problem persists.
HKEd
Run an online scan at BitDefender.

You need to save the scan report at the end. Please follow the instructions here for saving the report. Attach it to your reply.
abbas
Hi HKEd,

Apologies for being away for a long time. Yes, this actually worked out. The BitDefender scan deleted the C:\Windows\System32\AngAntivirus.vbs file and now I can change back the home page to anything I want. So we know that the culprit was this file.

Thanks a lot for all your timely efforts. You are just GREAT !!!!

Regards,
Abbas.
HKEd
Hi Abbas...it's a strange one, that AngAntivirus.vbs file. Haven't come across it before. Any info on it comes from Indonesian forums.

Anyway, glad to hear your problem is solved. On to the next one.