Win32:Trojan-gen. {UPX!} iexplore.exe (logs enclosed)

Posted 9/29/2007 4:09 PM
#54398

aRny Member

Date Joined Nov 2016
Total Posts: 9
Hi team,

I searched google and found lotsa similar problems with this trojan logged on these forums going back 2 years, wow! Anyhow.. I got no clue how this virus came about but my avast4 scan picked it up today, infecting my iexplore.exe (not iexplorer.exe)

I deleted the file (through the virus scan popup) but on another scan afterwards (since I'm anal like that and want to check everything!) it popped up under my system restore volume AS WELL (so now got it in 2 places and unremovable) ... "D:\System Volume Information\_restore{BF4936BA-7853-4802-B0A5-C139F93EF3B3}\RP162\A0041440.exe" file.

I've followed all the guidance threads and sticky notes, so below is a copy/paste of my logs (together with direct uploaded links if too much spam)

1. ComboFix Log - Direct link: https://eazi.nl/matt/ComboFix_log.txt
2. Root Log - Direct Link: https://eazi.nl/matt/rootlog.txt
3. Virus Warning Log - Direct Link: https://eazi.nl/matt/virusWarning.log
4. HijackThis Log - Direct Link: https://eazi.nl/matt/hijackthis.log


ComboFix Log - Direct link: https://eazi.nl/matt/ComboFix_log.txt

ComboFix 07-09-21.2 - "Matt" 2007-09-29 16:17:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.655 [GMT 1:00]
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-29 )))))))))))))))))))))))))))))))
.

2007-09-29 16:16 51,200 --a------ D:\WINDOWS\NirCmd.exe
2007-09-29 16:02 d-------- D:\Program Files\CCleaner
2007-09-29 15:55 d-------- D:\Program Files\PC Registry Cleaner
2007-09-29 12:09 d-------- D:\HJT
2007-09-23 23:19 d-------- D:\Program Files\PowerArchiver
2007-09-23 21:45 d-------- D:\Program Files\ESE
2007-09-18 15:03 d-------- D:\WINDOWS\system32\GroupPolicy
2007-09-08 21:08 d-------- D:\Program Files\WS_FTP
2007-09-06 15:45 d-------- D:\DOCUME~1\Matt\APPLIC~1\dvdcss
2007-09-04 14:42 d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-09-04 14:26 d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\ALM
2007-09-04 14:20 2,463,976 --a------ D:\WINDOWS\system32\NPSWF32.dll
2007-09-04 14:20 190,696 --a------ D:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2007-09-04 14:16 d-------- D:\Program Files\Bonjour
2007-09-04 14:13 d-------- D:\Program Files\Common Files\Macrovision Shared
2007-09-01 21:56 63,488 --a------ D:\WINDOWS\system32\unam4ie.exe
2007-09-01 21:56 4,608 --a------ D:\WINDOWS\system32\w95inf32.dll
2007-09-01 21:56 38,160 --a------ D:\WINDOWS\system32\LMRTREND.dll
2007-09-01 21:56 2,272 --a------ D:\WINDOWS\system32\w95inf16.dll
2007-09-01 21:56 194,320 --a------ D:\WINDOWS\system32\qcut.dll
2007-09-01 21:56 182,032 --a------ D:\WINDOWS\system32\dxtmsft3.dll
2007-09-01 21:56 10,240 --a------ D:\WINDOWS\system32\vidx16.dll
2007-09-01 21:55 d-------- D:\DOCUME~1\Matt\WINDOWS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-29 16:01 --------- d-------- D:\Program Files\Common Files\Wise Installation Wizard
2007-09-29 12:56 --------- d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-29 12:32 --------- d-------- D:\DOCUME~1\Matt\APPLIC~1\Azureus
2007-09-29 09:46 --------- d-------- D:\Program Files\Avast4
2007-09-28 21:13 --------- d-------- D:\Program Files\mIRC
2007-09-28 21:11 --------- d-------- D:\Program Files\Azureus
2007-09-19 12:41 --------- d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-09-18 16:03 --------- d-------- D:\Program Files\MSN Messenger
2007-09-16 21:06 --------- d-------- D:\DOCUME~1\Matt\APPLIC~1\teamspeak2
2007-09-10 15:52 --------- d-------- D:\Program Files\rK's DemoWatcher
2007-09-07 20:09 --------- d-------- D:\Program Files\NT Registry Optimizer
2007-09-07 20:09 --------- d-------- D:\Program Files\MagicISO
2007-09-07 20:09 --------- d-------- D:\Program Files\GameSpy Arcade
2007-09-06 11:09 801144 --a------ D:\WINDOWS\system32\aswBoot.exe
2007-09-06 11:05 94416 --a------ D:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 11:05 92848 --a------ D:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 11:03 23152 --a------ D:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 11:02 42912 --a------ D:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 11:00 95608 --a------ D:\WINDOWS\system32\AvastSS.scr
2007-09-06 11:00 26624 --a------ D:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-28 14:27 --------- d--h----- D:\Program Files\InstallShield Installation Information
2007-08-28 14:26 --------- d-------- D:\DOCUME~1\Matt\APPLIC~1\Creative
2007-08-28 14:25 --------- d-------- D:\Program Files\BitLord
2007-08-28 14:24 --------- d-------- D:\Program Files\Audible
2007-08-26 17:16 --------- d-------- D:\Program Files\UserCtrlSetup2007
2007-08-26 17:16 --------- d-------- D:\Program Files\Common Files\Tray
2007-08-26 17:16 --------- d-------- D:\Program Files\Common Files\System Shared
2007-08-26 17:16 --------- d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\System
2007-08-25 15:37 --------- d-------- D:\Program Files\Microsoft Bootvis
2007-08-25 14:43 --------- d-------- D:\Program Files\Diskeeper Corporation
2007-08-25 14:43 --------- d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Diskeeper Corporation
2007-08-25 13:19 --------- d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\ATI
2007-08-25 12:38 --------- d-------- D:\Program Files\ATI Technologies
2007-08-18 13:35 --------- d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Azureus
2007-08-16 19:27 413696 --a------ D:\WINDOWS\system32\wrap_oal.dll
2007-08-16 19:27 110592 --a------ D:\WINDOWS\system32\OpenAL32.dll
2007-08-16 19:27 --------- d-------- D:\Program Files\OpenAL
2007-08-16 16:30 --------- d-------- D:\Program Files\DVD Decrypter
2007-08-16 16:26 --------- d-------- D:\Program Files\VLC
2007-08-16 16:26 --------- d-------- D:\DOCUME~1\Matt\APPLIC~1\vlc
2007-08-14 21:14 --------- d-------- D:\Program Files\Windows Live
2007-08-14 21:14 --------- d-------- D:\Program Files\Messenger Plus! Live
2007-08-10 16:19 56360 --a------ D:\WINDOWS\system32\WBHELP2.DLL
2007-08-06 17:01 --------- d-------- D:\Program Files\MagicDisc
2007-08-06 16:38 --------- d-------- D:\Program Files\Infogrames
2007-08-04 16:34 --------- d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\pixelStorm
2007-08-04 15:21 --------- d-------- D:\Program Files\AOL Games
2007-08-04 15:21 --------- d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
2007-08-02 18:32 --------- d-------- D:\Program Files\QuickTime
2007-08-02 18:32 --------- d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-08-02 18:31 --------- d-------- D:\Program Files\Apple Software Update
2007-08-02 18:31 --------- d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-30 19:19 92504 --a------ D:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ D:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ D:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ D:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ D:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a--c--- D:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ D:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ D:\WINDOWS\system32\wups.dll
2007-07-30 19:18 207736 --a--c--- D:\WINDOWS\system32\muweb.dll
2007-07-28 06:44 45296 --a------ D:\WINDOWS\system32\drivers\ativvpxx.vp
2007-07-28 04:37 8237056 --a------ D:\WINDOWS\system32\atioglx2.dll
2007-07-28 04:31 344064 --a------ D:\WINDOWS\system32\ATIDEMGX.dll
2007-07-28 04:30 269312 --a------ D:\WINDOWS\system32\ati2dvag.dll
2007-07-28 04:30 2371584 --a------ D:\WINDOWS\system32\drivers\ati2mtag.sys
2007-07-28 04:24 307200 --a------ D:\WINDOWS\system32\atiiiexx.dll
2007-07-28 04:23 143360 --a------ D:\WINDOWS\system32\atipdlxx.dll
2007-07-28 04:23 122880 --a------ D:\WINDOWS\system32\Oemdspif.dll
2007-07-28 04:22 43520 --a------ D:\WINDOWS\system32\ati2edxx.dll
2007-07-28 04:22 26112 --a------ D:\WINDOWS\system32\Ati2mdxx.exe
2007-07-28 04:22 118784 --a------ D:\WINDOWS\system32\ati2evxx.dll
2007-07-28 04:21 483328 --a------ D:\WINDOWS\system32\ati2evxx.exe
2007-07-28 04:20 53248 --a------ D:\WINDOWS\system32\ATIDDC.DLL
2007-07-28 04:12 3067712 --a------ D:\WINDOWS\system32\ati3duag.dll
2007-07-28 04:06 176128 --a------ D:\WINDOWS\system32\atiok3x2.dll
2007-07-28 04:01 1550208 --a------ D:\WINDOWS\system32\ativvaxx.dll
2007-07-28 03:50 5435392 --a------ D:\WINDOWS\system32\atioglxx.dll
2007-07-28 03:47 266240 --a------ D:\WINDOWS\system32\atikvmag.dll
2007-07-28 03:46 17408 --a------ D:\WINDOWS\system32\atitvo32.dll
2007-07-28 03:45 49152 --a------ D:\WINDOWS\system32\drivers\ati2erec.dll
2007-07-28 03:40 450560 --a------ D:\WINDOWS\system32\ati2cqag.dll
2007-07-27 21:05 593920 --------- D:\WINDOWS\system32\ati2sgag.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTStartup"="D:\Program Files\Creative\Splash Screen\CTEaxSpl.exe" [2001-12-20 02:00]
"Dimondback"="D:\Program Files\Razer\Diamondback\razerhid.exe" [2007-02-14 12:15]
"\\MUM\EPSON Stylus Photo R240 Series"="D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.exe" [2005-04-25 05:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"=11 (0xb)
"NoSMHelp"=01000000
"NoRecentDocsNetHood"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=D:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=D:\WINDOWS\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=D:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=D:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
"G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
D:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudCtrl]
RunDll32 AudCtrl.dll,RCMonitor

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
D:\PROGRA~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Explorer]
D:\WINDOWS\iexplore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"D:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVMixerTray]
"D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"D:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
"D:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFast Schedule]
D:\Program Files\WinFast\WFTVFM\WFWIZ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"UleadBurningHelper"=2 (0x2)
"idsvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"WinVNC4"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Diskeeper"=3 (0x3)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)
"Adobe Version Cue CS3"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"DAEMON Tools"="D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"UpdReg"=D:\WINDOWS\UpdReg.EXE

R2 BT848;WinFast VC100 WDM Video Capture;D:\WINDOWS\system32\drivers\wf2kvcap.sys
R2 Tv2kXbar;WinFast VC100 WDM Crossbar;D:\WINDOWS\system32\drivers\wf2kxbar.sys
R3 Razerlow;Razerlow USB Filter Driver;D:\WINDOWS\system32\Drivers\Razerlow.sys
R3 sbext;Sound Blaster Extigy Audio Driver;D:\WINDOWS\system32\DRIVERS\sbext.sys
S3 UxTuneUp;TuneUp Design Expansion;D:\WINDOWS\System32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-09-14 23:53:46 D:\WINDOWS\Tasks\1-Click Maintenance.job"
- D:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2007-09-28 18:51:25 D:\WINDOWS\Tasks\User_Feed_Synchronization-{6F62BC3F-237D-40B1-BF1B-17292E0730E1}.job"
- D:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2007-09-29 16:18:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = D:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run???h??????s?????\?w? ?w???????w???w4???????.??w4???????4???TA?s4????????&2???A~??A~????????\???\???????????U?A~??A~\???\???????(+`??????C@?\???\??????s????\??????s\????&2?A??s?&2??C@?x???`|?w\?????@

scanning hidden files ...

D:\WINDOWS\WindowsShell.Manifest
D:\WINDOWS\WindowsUpdate.log
D:\WINDOWS\winhelp.exe
D:\WINDOWS\winhlp32.exe
D:\WINDOWS\wininit.ini
D:\WINDOWS\winnt.bmp
D:\WINDOWS\winnt256.bmp
D:\WINDOWS\WinSxS
D:\WINDOWS\WMSysPr9.prx
D:\WINDOWS\WMSysPrx.prx
D:\WINDOWS\WS_FTP.CNV
D:\WINDOWS\WS_FTP.EXT
D:\WINDOWS\Zapotec.bmp
D:\WINDOWS\_default.pif

scan completed successfully
hidden files: 14

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\\\MUM\\EPSON Stylus Photo R240 Series"="D:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAHE.EXE /P36 \"\\\\MUM\\EPSON Stylus Photo R240 Series\" /O6 \"USB002\" /M \"Stylus Photo R240\""
.
Completion time: 2007-09-29 16:18:38
.
--- E O F ---



Root Log - Direct Link: https://eazi.nl/matt/rootlog.txt

********************************* ROOTCHK-(21-09-07)-LOG, by ejvindh
29/09/2007 16:15:12.40

The rootkits that are detected by this tool were not found.

********************************* ROOTCHK-LOG-end


catchme 0.3.1160 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2007-09-29 16:15:13
Windows 5.1.2600 Service Pack 2
scanning hidden processes ...

scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:cb36ac9b
"s2"=dword:d3fe51db
"h0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="D:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:f8,0d,82,a2,92,7c,4f,d0,6a,64,75,ac,fc,30,1b,3b,27,66,03,3a,65,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,8a,fd,7d,dc,13,1b,d0,7e,9e,aa,b7,bf,7a,7a,28,91,ac,..
"khjeh"=hex:2d,b8,1e,0d,22,81,1d,e1,9a,5f,e7,9b,ef,04,d9,10,20,96,9c,52,a2,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:ef,f1,96,5a,d3,85,d5,a9,56,fe,e7,40,ef,7b,b9,ed,9b,62,b5,ef,11,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="D:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:f8,0d,82,a2,92,7c,4f,d0,6a,64,75,ac,fc,30,1b,3b,27,66,03,3a,65,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,8a,fd,7d,dc,13,1b,d0,7e,9e,aa,b7,bf,7a,7a,28,91,ac,..
"khjeh"=hex:2d,b8,1e,0d,22,81,1d,e1,9a,5f,e7,9b,ef,04,d9,10,20,96,9c,52,a2,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:ef,f1,96,5a,d3,85,d5,a9,56,fe,e7,40,ef,7b,b9,ed,9b,62,b5,ef,11,..

scanning hidden registry entries ...

scanning hidden files ...
D:\WINDOWS\WindowsShell.Manifest
D:\WINDOWS\WindowsUpdate.log
D:\WINDOWS\winhelp.exe
D:\WINDOWS\winhlp32.exe
D:\WINDOWS\wininit.ini
D:\WINDOWS\winnt.bmp
D:\WINDOWS\winnt256.bmp
D:\WINDOWS\WinSxS
D:\WINDOWS\WMSysPr9.prx
D:\WINDOWS\WMSysPrx.prx
D:\WINDOWS\WS_FTP.CNV
D:\WINDOWS\WS_FTP.EXT
D:\WINDOWS\Zapotec.bmp
D:\WINDOWS\_default.pif

hidden processes: 0
hidden services: 0
hidden files: 14



Virus Warning Log - Direct Link: https://eazi.nl/matt/virusWarning.log

13/09/2007 17:09:27 1189699767 Matt 2820 Sign of "Win32:Adware-gen. [Adw]" has been found in "G:\XP My Documents\My Documents\My Received Files\MDL_1.2.0211.rar\MDL_1.2.0211.exe\{tmp}\MDLAds.exe" file.
29/09/2007 10:24:13 1191057853 Matt 3008 Sign of "Win32:Trojan-gen. {UPX!}" has been found in "D:\WINDOWS\iexplore.exe" file.
29/09/2007 13:31:30 1191069090 Matt 3008 Sign of "Win32:Trojan-gen. {UPX!}" has been found in "D:\System Volume Information\_restore{BF4936BA-7853-4802-B0A5-C139F93EF3B3}\RP162\A0041440.exe" file.
29/09/2007 13:39:50 1191069590 Matt 3008 Sign of "Win32:Trojan-gen. {UPX!}" has been found in "D:\WINDOWS\iexplore.exe" file.



HijackThis Log - Direct Link: https://eazi.nl/matt/hijackthis.log

Logfile of HijackThis v1.99.1
Scan saved at 16:31:44, on 29/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\MsPMSPSv.exe
D:\Program Files\Razer\Diamondback\razerhid.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Razer\Diamondback\razertra.exe
D:\Program Files\Razer\Diamondback\razerofa.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\explorer.exe
D:\HJT\alternativ.exe
D:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [CTStartup] D:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Dimondback] D:\Program Files\Razer\Diamondback\razerhid.exe
O4 - HKLM\..\Run: [\\MUM\EPSON Stylus Photo R240 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE /P36 "\\MUM\EPSON Stylus Photo R240 Series" /O6 "USB002" /M "Stylus Photo R240"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Append to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Look up in Mr&Check... - D:\Documents and Settings\Matt\Application Data\TuneUp Software\TuneUp Utilities\Web\tumrcheck.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: d:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - https://sympatico.zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - https://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - https://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - https://sympatico.zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - https://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - https://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - https://sympatico.zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {82FFA573-38AA-482A-99AD-91F697B91631} (Installer.InstallControl) - https://www.file2you.net/applet.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - https://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - https://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - https://sympatico.zone.msn.com/bingame/zpagames/zpa_pool.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - https://sympatico.zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - https://www.creative.com/su/ocx/15029/CTPID.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - D:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe


-------------------

NOTE
I've already run utility programs such as ccleaner, spybot S&D and tuneup utilities 2007

Reading back, I have full faith in your abilities to get me back on track and patched up. I look forward to a speedy recovery :yeah:

Matt

[EDIT]

Ohh.. and if you know how to remove that "bonjour" service (mdnsnsp.dll), that would be helpful.. I tried previous stuff with LSP fix etc.. but it didn't work; it comes as part of Adobe CS3 (in case you are not aware), however there is no "user preference" to uninstall this Apple (iPod?) service..

Also, I don't use OneNote (as seen in a log above), nor do I wish to have 'grooveLocalGWS' (office shit) & 'livecall' (msn shit) running.. is there a way in your methods to lose these pesky buggers too?

I have downloaded other programs to aid (such as Dr Delete, MicroWorld AV, Advanced Process Termination) but await your intel before doing anything that may fuck my PC up
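The avast warning log quoted in this post shows three different kinds of detection, and each needs different handling: a member inside an archive, a live file on disk that is reported again after being "deleted", and a copy inside a System Restore point (the "2 places" the post describes). The Python below is an added example, not code from the thread or from avast, ComboFix or HijackThis. It parses the log format exactly as quoted above (the field layout is inferred from those four lines, which is an assumption), groups each detection by where the object lives, lists paths that were flagged more than once, checks that the local timestamp and the epoch field agree on a single clock offset (the ComboFix header reports GMT 1:00), and flags a well-known binary name found outside its standard directory. The expected-directory table is constructed for this example and covers only iexplore.exe, whose default XP location is under Program Files\Internet Explorer, not the Windows directory.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample input: the four avast 4 virusWarning.log lines quoted in the thread.
# Field layout, inferred from those lines (an assumption, not avast documentation):
#   <dd/mm/yyyy> <hh:mm:ss> <unix epoch> <user> <pid> Sign of "<signature>" has been found in "<path>" file.
SAMPLE_LOG = r"""
13/09/2007 17:09:27 1189699767 Matt 2820 Sign of "Win32:Adware-gen. [Adw]" has been found in "G:\XP My Documents\My Documents\My Received Files\MDL_1.2.0211.rar\MDL_1.2.0211.exe\{tmp}\MDLAds.exe" file.
29/09/2007 10:24:13 1191057853 Matt 3008 Sign of "Win32:Trojan-gen. {UPX!}" has been found in "D:\WINDOWS\iexplore.exe" file.
29/09/2007 13:31:30 1191069090 Matt 3008 Sign of "Win32:Trojan-gen. {UPX!}" has been found in "D:\System Volume Information\_restore{BF4936BA-7853-4802-B0A5-C139F93EF3B3}\RP162\A0041440.exe" file.
29/09/2007 13:39:50 1191069590 Matt 3008 Sign of "Win32:Trojan-gen. {UPX!}" has been found in "D:\WINDOWS\iexplore.exe" file.
"""

LINE_RE = re.compile(
    r'^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<epoch>\d+) '
    r'(?P<user>\S+) (?P<pid>\d+) Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.$'
)
# System Restore keeps copies of changed executables under this tree; deleting the live file
# leaves the snapshot behind, which is why the scanner reports the "same" trojan twice.
RESTORE_RE = re.compile(r'\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\', re.IGNORECASE)
# avast reports members of archives and installers as nested paths (archive\member).
CONTAINER_EXTS = (".rar", ".zip", ".cab", ".exe")
# Constructed allow-list: where a well-known binary normally lives on a default XP install.
EXPECTED_DIRS = {"iexplore.exe": r"\program files\internet explorer"}


@dataclass
class Detection:
    local_time: datetime   # naive; the machine's local clock as written in the log
    utc_time: datetime     # aware; derived from the epoch field
    user: str
    pid: int
    signature: str
    path: str

    @property
    def location(self) -> str:
        """Where the flagged object lives; this drives the clean-up decision."""
        if RESTORE_RE.search(self.path):
            return "restore-point copy"
        parts = self.path.split("\\")
        if any(p.lower().endswith(CONTAINER_EXTS) for p in parts[:-1]):
            return "inside archive/installer"
        return "on disk"

    @property
    def utc_offset(self) -> timedelta:
        """Local clock minus epoch; should be the same on every line (GMT+1 for this machine)."""
        return self.local_time - self.utc_time.replace(tzinfo=None)


def parse_log(text: str) -> list[Detection]:
    """Parse detection records; blank or unrecognised lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        out.append(Detection(
            local_time=datetime.strptime(f"{d['date']} {d['time']}", "%d/%m/%Y %H:%M:%S"),
            utc_time=datetime.fromtimestamp(int(d["epoch"]), tz=timezone.utc),
            user=d["user"], pid=int(d["pid"]), signature=d["sig"], path=d["path"],
        ))
    return out


def recurring_paths(dets: list[Detection]) -> dict[str, int]:
    """Paths flagged more than once: a file detected again after 'delete' was recreated
    or never removed, so the popup alone is not enough (boot-time scan, restore points off)."""
    counts: dict[str, int] = {}
    for d in dets:
        counts[d.path.lower()] = counts.get(d.path.lower(), 0) + 1
    return {p: n for p, n in counts.items() if n > 1}


def masquerading(dets: list[Detection]) -> list[str]:
    """Well-known binary names found outside their usual directory (iexplore.exe in %windir%)."""
    hits = set()
    for d in dets:
        parent, _, name = d.path.rpartition("\\")
        want = EXPECTED_DIRS.get(name.lower())
        if want and not parent.lower().endswith(want):
            hits.add(d.path)
    return sorted(hits)


def summarize(text: str) -> dict[str, list[str]]:
    """Group detections by location so each group can be handled the right way."""
    groups: dict[str, list[str]] = {}
    for d in parse_log(text):
        groups.setdefault(d.location, []).append(d.path)
    return groups


if __name__ == "__main__":
    dets = parse_log(SAMPLE_LOG)
    for loc, paths in summarize(SAMPLE_LOG).items():
        print(f"{loc}:")
        for p in paths:
            print(f"  {p}")
    print("flagged more than once:", recurring_paths(dets))
    print("outside expected directory:", masquerading(dets))
    print("clock offsets consistent:", len({d.utc_offset for d in dets}) == 1)
```

Run stand-alone, the script groups the restore-point copy separately from the live `D:\WINDOWS\iexplore.exe`, reports that path as flagged twice (once before and once after the popup deletion), flags it as sitting outside the directory where Internet Explorer is normally installed, and confirms every line carries the same one-hour offset between the local clock and the epoch field.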
Posted 9/29/2007 6:29 PM
#54402

aRny Member

Date Joined Nov 2016
Total Posts: 9
I've run a deep scan of MVAV (MicroWorld Anti-virus) which I saw you suggest to someone else in an older thread, below are the results.

I should also mention that I have not 'ticked' and cleaned anything on my system using the hijackthis.exe utility software; I will specifically await your advice before doing so. Please suggest all entries for me to remove that are obsolete, null, such shit as the bonjour service and of course my viruses :(

Ohh and anything that should be done in safe mode, please specifically mention, coz I'm a bit blonde at times :D

MVAV Scan log (only copied details from the "virus log information" section; click the link for full log details.. 11 MB BIG)
- Direct link: https://eazi.nl/matt/MWAV.LOG

note
I've highlighted those entries red which are the most obvious, and those green I know to be clean; the rest I'm uncertain of
--------------

[red]File D:\WINDOWS\DOWNLO~1\INSTAL~1.OCX infected by "Trojan-Downloader.Win32.VB.bgk" Virus! Action Taken: No Action Taken.[/red]

[green]File D:\PROGRA~1\RealVNC\VNC4\WinVNC4.exe tagged as "not-a-virus:RemoteAdmin.Win32.WinVNC.4". No Action Taken.[/green]

[red]Object "grokster Spyware/Adware" found in File System! Action Taken: No Action Taken.[/red]
[red]Object "trojan-downloader.bat.ftp.ab Trojan-Downloader" found in File System! Action Taken: No Action Taken.[/red]
[red]Object "trojan-downloader.bat.ftp.ab Trojan-Downloader" found in File System! Action Taken: No Action Taken.[/red]
[red]Object "trojan-downloader.bat.ftp.ab Trojan-Downloader" found in File System! Action Taken: No Action Taken.[/red]

Entry "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" refers to invalid object "TYPE0". Action Taken: No Action Taken.
Entry "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" refers to invalid object "D:\Program Files\Audible\Bin\adhelper.exe". Action Taken: No Action Taken.
Entry "HKCU\Software\Netscape\Netscape Navigator\User Trusted External Applications" refers to invalid object "". Action Taken: No Action Taken.

[green]File D:\Program Files\mIRC\mirc.exe tagged as "not-a-virus:Client-IRC.Win32.mIRC.612". No Action Taken.
File D:\Program Files\mIRC\mirc.zip/mirc.exe tagged as "not-a-virus:Client-IRC.Win32.mIRC.612". No Action Taken.
File D:\Program Files\RealVNC\VNC4\VNC4.zip/vncviewer.exe tagged as "not-a-virus:RemoteAdmin.Win32.WinVNC.4". No Action Taken.
File D:\Program Files\RealVNC\VNC4\vncconfig.exe tagged as "not-a-virus:RemoteAdmin.Win32.WinVNC.4". No Action Taken.
File D:\Program Files\RealVNC\VNC4\vncviewer.exe tagged as "not-a-virus:RemoteAdmin.Win32.WinVNC.4". No Action Taken.
File D:\Program Files\RealVNC\VNC4\winvnc4.exe tagged as "not-a-virus:RemoteAdmin.Win32.WinVNC.4". No Action Taken.
File D:\Program Files\RealVNC\VNC4\wm_hooks.dll tagged as "not-a-virus:RemoteAdmin.Win32.WinVNC.4". No Action Taken.[/green]

[red]File D:\System Volume Information\_restore{BF4936BA-7853-4802-B0A5-C139F93EF3B3}\RP163\A0041520.exe//PE_Patch.UPX//UPX infected by "Trojan-Spy.Win32.VB.qq" Virus! Action Taken: No Action Taken.
File D:\WINDOWS\Downloaded Program Files\installer.ocx infected by "Trojan-Downloader.Win32.VB.bgk" Virus! Action Taken: No Action Taken.[/red]

^^ the only thing I believe that last entry can be when looking in the DIR is: Installer.InstallControl - https://www.file2you.net/applet.cab, which can be seen in the HJT log as well.

-------------------

This scan took 57 minutes, so I'd preferably not wish to do this ever so often, please try and help me, hope someone can lend a hand over the weekend?

Matt
Posted 9/30/2007 11:25 AM
#54425
User avatar

aRny Member

Date Joined Nov 2016
Total Posts: 9
Hi touch,

I know you were sleeping last night, but I couldn't wait and had to do something with my PC,
So hopefully I did right, but I still want your guidance and reassurance on anything else I can possibly do?

It had infected my system restore, d:volume map etc.. so I did a boot scan set to "delete" rather than repair or disinfect, which it did do.. woohoo! I then got into Windows, turned off my system restore (which I believe deletes all saved restore points and files?) and am about to do another scan with eScan (which is the same as MWAV but the full version)

Will you need to see my HJT log again?

thanks in advance matey
Posted 10/1/2007 5:36 AM
#54449
User avatar

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Hello :smile:

Please download Free Version of Superantispyware

https://www.superantispyware.com/superantispywarefreevspro.html

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it.)

Close the program.

Download and install DrWebCureit:

https://spywareinfo.dk/download/drweb-cureit.exe

to your desktop.

Please print out or copy this page to Notepad as you will be in Safe Mode and unable to refer to this page.

Reboot to Safe mode

Doubleclick the "drweb-cureit.exe" and click "ok" in the prompt window that will open, asking "start the express scan now".

It will first make a quick scan of your system, let it clean what it finds, and when it says "done"

Click on the green screwdriver-

Actions Tab- Adware-Dialers-Riskware-Hacktools, use dropdown menu and select -Delete

Click on the drive(s) you want to scan. A red dot will mark the selected drive(s). Then hit the green arrow in lower right corner. It will now scan your drive(s), say yes to all

After the scan, in the Dr.Web CureIt menu on top, click file and choose save report list

Save the report to your desktop. The report will be called DrWeb.csv

Close Dr.Web Cureit.

Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.

After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

Start Superantispyware.

Hit - Scan Your Computer - button

Click on the drive(s) you want to scan. Put a check in - Perform Complete Scan, then next,

it will scan now. When the scan has finished, put a checkmark with all items it found. Next, after cleaning, allow it to Reboot

Start Superantispyware again –

Click Preferences and then click the statistics/logs tab.

Click the dated log and press view log and a text file will appear.

Post this log along with fresh hijackthis log, Dr.Web log and tell how things are running ?

[2]Click here: Before-posting-a-log[/2]

Do not PM me with logfiles. They will be deleted.


Posted 10/1/2007 6:19 PM
#54464
User avatar

aRny Member

Date Joined Nov 2016
Total Posts: 9
about to try it now, many thanks for getting back to me

will let you know how it goes shortly..

P.S My Explorer windows have lately been hanging, the likes of control panel are sometimes inaccessible, hopefully this fixes such problems as well..

Matt
Posted 10/1/2007 8:46 PM
#54469
User avatar

aRny Member

Date Joined Nov 2016
Total Posts: 9
Okay,

I ran the programs in safe mode as suggested, rebooting where applicable.
Below are the logs as requested.

note: My HJT.log may be quite different from last time, as I installed ad-aware 2007 pro & spywareblaster for example.

I believe that disabling and deleting my system restore and doing the boot scan on Sunday removed the virus (which seemed to be that keylogger installer.ocx file in the D:\windows\downloaded program files\ folder) as since then I've had no trace..

But as I said in my last reply, my computer often hangs in Windows Explorer, trying to access a hard drive and/or control panel.. often taking several attempts for it not to "time out" and having to go to Ctrl+Alt+Del to end the process..

So on that note, I hope the HJT log below helps solve this problem, either related to the previous virus installed.. or a separate matter ? :S


P.S
Upon rebooting back into Windows, my PC hung big time, so I removed/stopped all the following items from running in safe mode and booted back

services unticked:

ad-aware 2007 service
avast! antivirus
avast! mail scanner
avast! web scanner
diskeeper
eScan Monitor service


Startup Items unticked:

ashDisp (avast)


I'll definitely be uninstalling eScan, MWAV and spywareblaster.. I'll stick to avast4, superantispyware, ccleaner and ad-aware. In case this helps you?

Thanks a lot,
Matt

[3]DrWeb_log-1.csv[/3] (main scan highlighted issues - you can see detailed scan description lower down)

instscan.exe;D:\Program Files\eScan;Probably BACKDOOR.Trojan;; <-- eScan files all belong to full version of MWAV virus scan...
mailinst.exe;D:\Program Files\eScan;Probably BACKDOOR.Trojan;;
MAILSCAN.EXE;D:\Program Files\eScan;Probably WIN.MAIL.WORM.Virus;;
mailscan.ini;D:\Program Files\eScan;Probably SCRIPT.Virus;;
SPOOLER.EXE;D:\Program Files\eScan;Probably BACKDOOR.Trojan;;

mirc.exe;D:\Program Files\mIRC;Program.mIRC.612;; <-- I know this is clean, a chat program www.mirc.com


[3]DrWeb FULL log[/3]
[Scan path] D:\
D:\Documents and Settings\Administrator\Local Settings\temp\RarSFX0\dwebio32.dll packed by ASPACK
D:\Documents and Settings\Administrator\Local Settings\temp\RarSFX0\dwebllio.dll packed by ASPACK
D:\Documents and Settings\Administrator\Local Settings\temp\RarSFX0\setup.exe packed by BINARYRES
D:\Documents and Settings\Administrator\Local Settings\temp\RarSFX1\dwebio32.dll packed by ASPACK
D:\Documents and Settings\Administrator\Local Settings\temp\RarSFX1\dwebllio.dll packed by ASPACK
D:\Documents and Settings\Administrator\Local Settings\temp\RarSFX1\setup.exe packed by BINARYRES
>D:\Documents and Settings\Matt\Application Data\TuneUp Software\TuneUp Utilities\Web\gbacklinks.htm\JScript.Encode.0 packed by ENCODED SCRIPT
>D:\Documents and Settings\Matt\Application Data\TuneUp Software\TuneUp Utilities\Web\gcache.htm\JScript.Encode.0 packed by ENCODED SCRIPT
>D:\Documents and Settings\Matt\Application Data\TuneUp Software\TuneUp Utilities\Web\gsearch.htm\JScript.Encode.0 packed by ENCODED SCRIPT
>D:\Documents and Settings\Matt\Application Data\TuneUp Software\TuneUp Utilities\Web\gsimilar.htm\JScript.Encode.0 packed by ENCODED SCRIPT
>D:\Documents and Settings\Matt\Application Data\TuneUp Software\TuneUp Utilities\Web\tuarch.htm\JScript.Encode.0 packed by ENCODED SCRIPT
>D:\Documents and Settings\Matt\Application Data\TuneUp Software\TuneUp Utilities\Web\tumrcheck.htm\JScript.Encode.0 packed by ENCODED SCRIPT
>D:\Documents and Settings\Matt\Application Data\TuneUp Software\TuneUp Utilities\Web\tuofinw.htm\JScript.Encode.0 packed by ENCODED SCRIPT
>D:\Documents and Settings\Matt\Application Data\TuneUp Software\TuneUp Utilities\Web\tutrans.htm\JScript.Encode.0 packed by ENCODED SCRIPT
>D:\Documents and Settings\Matt\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomin.htm\JScript.Encode.0 packed by ENCODED SCRIPT
>D:\Documents and Settings\Matt\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomout.htm\JScript.Encode.0 packed by ENCODED SCRIPT
D:\Documents and Settings\Matt\Desktop\Monopoly\ikernel.ex_ packed by MS COMPRESS
D:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\ews0pcmw.default\Cache\FF71BAA8d01 packed by UPX
>D:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\ews0pcmw.default\Cache\FF71BAA8d01 packed by PESTUB
D:\HJT\alternativ.exe packed by UPX
D:\NVIDIA\nForceWin2KXP\4.62A\AudioUtl\ikernel.ex_ packed by MS COMPRESS
D:\NVIDIA\nForceWin2KXP\5.11\AudioUtl\ikernel.ex_ packed by MS COMPRESS
D:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0_02.b06\patchjre.exe packed by BINARYRES
D:\Program Files\Creative\SBExtigy\Program\CTZAPXX.exe packed by BINARYRES
>D:\Program Files\DAEMON Tools\daemon.dll\data001 packed by PECRYPT
>D:\Program Files\DAEMON Tools\daemon.dll\data002 packed by PESTUB
D:\Program Files\DVD Decrypter\DVDDecrypter.exe packed by UPX
D:\Program Files\eScan\avpMWrap.exe packed by UPX
D:\Program Files\eScan\bh.exe packed by UPX
D:\Program Files\eScan\bpcheck.exe packed by UPX
D:\Program Files\eScan\CLEANDB.EXE packed by UPX
D:\Program Files\eScan\debuginf.exe packed by UPX
D:\Program Files\eScan\FRIGHTS.EXE packed by UPX
D:\Program Files\eScan\GETVLIST.EXE packed by UPX
D:\Program Files\eScan\initoreg.exe packed by UPX
D:\Program Files\eScan\instscan.exe packed by UPX
>D:\Program Files\eScan\instscan.exe probably infected with BACKDOOR.Trojan
D:\Program Files\eScan\instserv.exe packed by UPX
D:\Program Files\eScan\inst_tsp.exe packed by UPX
D:\Program Files\eScan\killmon.exe packed by UPX
D:\Program Files\eScan\killproc.e32 packed by UPX
D:\Program Files\eScan\killproc.exe packed by UPX
D:\Program Files\eScan\launch.exe packed by UPX
D:\Program Files\eScan\linkgen.exe packed by UPX
D:\Program Files\eScan\MAILDISP.EXE packed by UPX
D:\Program Files\eScan\mailinst.exe packed by UPX
>D:\Program Files\eScan\mailinst.exe probably infected with BACKDOOR.Trojan
D:\Program Files\eScan\mailremv.exe packed by UPX
D:\Program Files\eScan\MAILSCAN.EXE packed by UPX
>D:\Program Files\eScan\MAILSCAN.EXE probably infected with WIN.MAIL.WORM.Virus
D:\Program Files\eScan\mailscan.ini probably infected with SCRIPT.Virus
D:\Program Files\eScan\MSG.EXE packed by UPX
D:\Program Files\eScan\MWAVSCAN.COM packed by UPX
D:\Program Files\eScan\MWAVSCAN.EXE packed by UPX
D:\Program Files\eScan\RELOAD.EXE packed by UPX
D:\Program Files\eScan\REMSERV.EXE packed by UPX
D:\Program Files\eScan\restserv.exe packed by UPX
D:\Program Files\eScan\RP.EXE packed by UPX
D:\Program Files\eScan\RUNFILE.EXE packed by UPX
D:\Program Files\eScan\scanremv.exe packed by UPX
D:\Program Files\eScan\setpriv.exe packed by UPX
D:\Program Files\eScan\sfx.exe packed by UPX
D:\Program Files\eScan\SMTPSEND.EXE packed by UPX
D:\Program Files\eScan\SPOOLER.EXE packed by UPX
>D:\Program Files\eScan\SPOOLER.EXE probably infected with BACKDOOR.Trojan
D:\Program Files\eScan\sporder.exe packed by UPX
D:\Program Files\eScan\TaskSchdl.dll packed by UPX
D:\Program Files\eScan\TRAYCSER.EXE packed by UPX
D:\Program Files\eScan\TRAYISER.EXE packed by UPX
D:\Program Files\eScan\TRAYSSER.EXE packed by UPX
D:\Program Files\eScan\unins000.exe packed by BINARYRES
D:\Program Files\eScan\unregx.exe packed by UPX
D:\Program Files\eScan\VIEWTCP.EXE packed by BINARYRES
D:\Program Files\eScan\SETUP\uninstall.exe packed by UPX
D:\Program Files\eScan\Vista\avpmapp.exe packed by UPX
D:\Program Files\eScan\Vista\escanmon.exe packed by UPX
D:\Program Files\eScan\Vista\Moninter.dll packed by UPX
D:\Program Files\GameSpy Arcade\fpupdate.exe packed by ASPACK
D:\Program Files\GameSpy Arcade\UNWISE.EXE packed by BINARYRES
D:\Program Files\InstallShield Installation Information\{DE4CF159-4AD2-4754-BDA0-5FB088C8B58B}\ISSetup.dll packed by UPX
D:\Program Files\Internet Explorer\hmmapi.dll packed by PESTUB
D:\Program Files\K-Lite Codec Pack\filters\MACDec.dll packed by UPX
D:\Program Files\K-Lite Codec Pack\filters\MonkeySource.ax packed by UPX
D:\Program Files\K-Lite Codec Pack\filters\mp3Source.ax packed by UPX
D:\Program Files\K-Lite Codec Pack\tools\mmview.exe packed by UPX
D:\Program Files\K-Lite Codec Pack\tools\StatsReader.exe packed by UPX
D:\Program Files\K-Lite Codec Pack\tools\VobSubStrip.exe packed by UPX
D:\Program Files\Lavasoft\Ad-Aware 2007\PKArchive84cb.dll packed by PKLITE32
D:\Program Files\Lavasoft\Ad-Aware 2007\Registration\plus_12_months.prg packed by BINARYRES
D:\Program Files\Lavasoft\Ad-Aware 2007\Registration\plus_18_months.prg packed by BINARYRES
D:\Program Files\Lavasoft\Ad-Aware 2007\Registration\plus_24_months.prg packed by BINARYRES
D:\Program Files\Lavasoft\Ad-Aware 2007\Registration\plus_36_months.prg packed by BINARYRES
D:\Program Files\Lavasoft\Ad-Aware 2007\Registration\plus_corporate.prg packed by BINARYRES
D:\Program Files\Lavasoft\Ad-Aware 2007\Registration\plus_home_office.prg packed by BINARYRES
D:\Program Files\Lavasoft\Ad-Aware 2007\Registration\professional_12_months.prg packed by BINARYRES
D:\Program Files\Lavasoft\Ad-Aware 2007\Registration\professional_18_months.prg packed by BINARYRES
D:\Program Files\Lavasoft\Ad-Aware 2007\Registration\professional_24_months.prg packed by BINARYRES
D:\Program Files\Lavasoft\Ad-Aware 2007\Registration\professional_36_months.prg packed by BINARYRES
D:\Program Files\Lavasoft\Ad-Aware 2007\Registration\professional_corporate.prg packed by BINARYRES
D:\Program Files\MagicDisc\MagicDisc.exe packed by UPX
D:\Program Files\MagicDisc\UNWISE.EXE packed by BINARYRES
D:\Program Files\MagicISO\MagicISO.exe packed by UPX
D:\Program Files\MagicISO\miso.exe packed by UPX
D:\Program Files\MagicISO\misosh.dll packed by UPX
D:\Program Files\MagicISO\UNWISE.EXE packed by BINARYRES
D:\Program Files\Messenger Plus! Live\Scripts\SendTo\_sendfile.exe packed by UPX
D:\Program Files\Microsoft Bootvis\BootVis.exe packed by BINARYRES
D:\Program Files\Microsoft Office\Office12\ADDINS\OTKLOADR.DLL packed by BINARYRES
D:\Program Files\mIRC\mirc.exe is a riskware program Program.mIRC.612 - user denied deletion
D:\Program Files\NT Registry Optimizer\NTREGOPT.EXE packed by UPX
D:\Program Files\PowerArchiver\POWERARC.EXE packed by PESTUB
D:\Program Files\PowerArchiver\UNACEV2.DLL packed by PESTUB
D:\Program Files\PowerArchiver\SFXS\PACABSFX.DAT packed by UPX
D:\Program Files\PowerArchiver\SFXS\PAPAESFX.DAT packed by UPX
D:\Program Files\PowerArchiver\SFXS\PASZIPSFX.DAT packed by UPX
>D:\Program Files\PowerArchiver\SFXS\PASZIPSFX.DAT packed by BINARYRES
>>D:\Program Files\PowerArchiver\SFXS\PASZIPSFX.DAT packed by UPX
D:\Program Files\PowerArchiver\SFXS\PAZIPSFX.DAT packed by UPX
D:\Program Files\QuickTime\QTPlugin.ocx packed by BINARYRES
D:\Program Files\QuickTime\QTSystem\QuickTimeEssentials.Resources\QuickTimeEssentials.qtr packed by BINARYRES
>D:\Program Files\QuickTime\QTSystem\QuickTimeEssentials.Resources\QuickTimeEssentials.qtr packed by BINARYRES
D:\Program Files\TuneUp Utilities 2007\AppInitialization.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\aprdlgs60.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\Charts.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\cmCommon.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\cmDisplay.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\cmNetwork.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\cmSystem.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\cmWizards.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\CommonForms.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\cxLibraryVCLD6.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\DEC.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\dxBarD6.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\dxBarExtItemsD6.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\dxComnD6.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\dxDockingD6.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\dxThemeD6.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\ehs_d6.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\GR32_D6.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\HexEdit.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\Html.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\IcsDel60.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\IEControl.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\Indicators.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\Internet.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\MainControls.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\MSI_D6.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\ntrtl60.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\RegExp.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\SmallUnits.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\stiderc.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\SysControls.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\SysInfo.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\ThemeManager.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\Traces.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\TUDiskCleanerClass.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\TUIcoEngineerDirTree.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\TUIEInstVer.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\TUShredder.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\VisControls.bpl packed by PESTUB
D:\Program Files\TuneUp Utilities 2007\XMLComponents.bpl packed by PESTUB
D:\RECYCLER\S-1-5-21-842925246-1336601894-725345543-1003\Dd1.exe packed by UPX
>D:\RECYCLER\S-1-5-21-842925246-1336601894-725345543-1003\Dd1.exe packed by PESTUB
D:\WINDOWS\catchme.exe packed by UPX
D:\WINDOWS\inst_tsp.exe packed by UPX
D:\WINDOWS\killproc.exe packed by UPX
D:\WINDOWS\sporder.exe packed by UPX
D:\WINDOWS\$NtUninstallWMFDist11$\spuninst\wpdinstallutil.dll packed by PESTUB
D:\WINDOWS\erdnt\subs\ERDNT.EXE packed by UPX
>D:\WINDOWS\erdnt\subs\ERDNT.EXE packed by UPX
D:\WINDOWS\ServicePackFiles\i386\ccdecode.sys packed by PESTUB
D:\WINDOWS\system32\audiodev.dll packed by PESTUB
D:\WINDOWS\system32\cewmdm.dll packed by PESTUB
D:\WINDOWS\system32\debug.exe packed by EXEPACK
D:\WINDOWS\system32\divx.dll packed by PECOMPACT
D:\WINDOWS\system32\edit.com packed by EXEPACK
D:\WINDOWS\system32\edlin.exe packed by EXEPACK
D:\WINDOWS\system32\exe2bin.exe packed by EXEPACK
D:\WINDOWS\system32\fastopen.exe packed by EXEPACK
>D:\WINDOWS\system32\fastopen.exe packed by COM2EXE
D:\WINDOWS\system32\html.iec packed by PESTUB
D:\WINDOWS\system32\LAPRXY.dll packed by PESTUB
D:\WINDOWS\system32\mem.exe packed by EXEPACK
D:\WINDOWS\system32\MRT.exe packed by BINARYRES
>D:\WINDOWS\system32\MRT.exe packed by BINARYRES
D:\WINDOWS\system32\mspmsp.dll packed by PESTUB
D:\WINDOWS\system32\nlsfunc.exe packed by EXEPACK
D:\WINDOWS\system32\qasf.dll packed by PESTUB
D:\WINDOWS\system32\share.exe packed by EXEPACK
>D:\WINDOWS\system32\share.exe packed by COM2EXE
D:\WINDOWS\system32\wmdmps.dll packed by PESTUB
D:\WINDOWS\system32\WudfSvc.dll packed by PESTUB
D:\WINDOWS\system32\dllcache\cewmdm.dll packed by PESTUB
D:\WINDOWS\system32\dllcache\debug.exe packed by EXEPACK
D:\WINDOWS\system32\dllcache\edlin.exe packed by EXEPACK
D:\WINDOWS\system32\dllcache\exe2bin.exe packed by EXEPACK
D:\WINDOWS\system32\dllcache\fastopen.exe packed by EXEPACK
>D:\WINDOWS\system32\dllcache\fastopen.exe packed by COM2EXE
D:\WINDOWS\system32\dllcache\hmmapi.dll packed by PESTUB
D:\WINDOWS\system32\dllcache\laprxy.dll packed by PESTUB
D:\WINDOWS\system32\dllcache\mem.exe packed by EXEPACK
D:\WINDOWS\system32\dllcache\mspmsp.dll packed by PESTUB
D:\WINDOWS\system32\dllcache\nlsfunc.exe packed by EXEPACK
D:\WINDOWS\system32\dllcache\share.exe packed by EXEPACK
>D:\WINDOWS\system32\dllcache\share.exe packed by COM2EXE
D:\WINDOWS\system32\dllcache\wmdmps.dll packed by PESTUB
D:\WINDOWS\system32\drivers\ccdecode.sys packed by PESTUB
D:\WINDOWS\system32\drivers\k600cr.sys packed by PESTUB
D:\WINDOWS\system32\drivers\k750cr.sys packed by PESTUB
D:\WINDOWS\system32\drivers\v800cr.sys packed by PESTUB
D:\WINDOWS\system32\drivers\w550cr.sys packed by PESTUB
D:\WINDOWS\system32\drivers\w600cr.sys packed by PESTUB
D:\WINDOWS\system32\drivers\w800cr.sys packed by PESTUB
D:\WINDOWS\system32\drivers\w810cr.sys packed by PESTUB
D:\WINDOWS\system32\drivers\w900cr.sys packed by PESTUB
D:\WINDOWS\system32\drivers\z3f2cr.sys packed by PESTUB
D:\WINDOWS\system32\drivers\z520cr.sys packed by PESTUB
D:\WINDOWS\system32\drivers\z800cr.sys packed by PESTUB
D:\WINDOWS\system32\DRVSTORE\k510mdmw_29f37670bf5839e457b807d5fe931f9681e5e5b7\k510cr.sys packed by PESTUB
D:\WINDOWS\system32\DRVSTORE\k510obxw_4290c8169fd5f3f64a2aec2b8bd140f90144791f\k510cr.sys packed by PESTUB
D:\WINDOWS\system32\DRVSTORE\k510sdmw_dfcde6d624a21cca1b1fe424267b306d87ec5280\k510cr.sys packed by PESTUB
D:\WINDOWS\system32\DRVSTORE\k600mdmw_e19dbf1c141e9f53d336190c0bac2017d09527cc\k600cr.sys packed by PESTUB
D:\WINDOWS\system32\DRVSTORE\k600obxw_544957cea92ffabd68a9120a8c0accf37e342ab0\k600cr.sys packed by PESTUB
D:\WINDOWS\system32\DRVSTORE\k600sdmw_675fcd620f5c308ecad6c1b697d236c2fa9b79d2\k600cr.sys packed by PESTUB
D:\WINDOWS\system32\DRVSTORE\k750mdmw_a686f4b37cc7e33af27a91972f84f609ba2b1c73\k750cr.sys packed by PESTUB
D:\WINDOWS\system32\DRVSTORE\k750obxw_b6529b5b8f8b3d0b523c1b59f562515bcc9a301a\k750cr.sys packed by PESTUB
D:\WINDOWS\system32\DRVSTORE\k750sdmw_4956777425e371d02e5bb7f92e7041dc2afa371c\k750cr.sys packed by PESTUB
D:\WINDOWS\system32\DRVSTORE\v800mdmw_52a3e02f2481f993b94a72741e829d1504831fcd\v800cr.sys packed by PESTUB
D:\WINDOWS\system32\DRVSTORE\v800obxw_b386c4d0894f0d6a3516a67ada767b8ba223ac67\v800cr.sys packed by PESTUB
D:\WINDOWS\system32\DRVSTORE\v800sdmw_8cb6e7b15043fb4a8976b61de7881df27517ef24\v800cr.sys packed by PESTUB
D:\WINDOWS\system32\DRVSTORE\w550mdmw_155482e7e55df597206a7d0b4bd43bd62684e5dd\w550cr.sys packed by PESTUB
D:\WINDOWS\system32\DRVSTORE\w600mdmw_1c3c30107df53eae54b74686a6e8f4e5aed3e443\w600cr.sys packed by PESTUB
D:\WINDOWS\system32\DRVSTORE\w700mdmw_4fbee709cda3dc6ae7e6ee25a896ae6975137264\W700cr.sys packed by PESTUB
D:\WINDOWS\system32\DRVSTORE\w700obxw_d39d6e0d0896387b611933687df988f0e0e96358\W700cr.sys packed by PESTUB
D:\WINDOWS\system32\DRVSTORE\w700sdmw_fc685b295aa7ca47ef46a4a08c077a96ae0fe91b\W700cr.sys packed by PESTUB
D:\WINDOWS\system32\DRVSTORE\w800mdmw_0da26fc493941513a4c768eac92aa00b306e2590\w800cr.sys packed by PESTUB
D:\WINDOWS\system32\DRVSTORE\w800obxw_014d3a30070f317df47d02cdef6732bfe11c2247\w800cr.sys packed by PESTUB
D:\WINDOWS\system32\DRVSTORE\w800sdmw_52acc6d2c254f74020549727bf34bb7941e0c0b6\w800cr.sys packed by PESTUB
D:\WINDOWS\system32\DRVSTORE\w810mdmw_0bfd58f44be28989a9fb32bf6b064ced549d04b5\w810cr.sys packed by PESTUB
D:\WINDOWS\system32\DRVSTORE\w810obxw_d045ec4f539af2bd3ac1262b67e2ff4d18a63d99\w810cr.sys packed by PESTUB
D:\WINDOWS\system32\DRVSTORE\w810sdmw_4fbd832a66fa44975e6a1999a17f07e15ca668bb\w810cr.sys packed by PESTUB
D:\WINDOWS\system32\DRVSTORE\w900mdmw_90932cb2543b32cbed4e0bc2c3770ed450157bf7\w900cr.sys packed by PESTUB
D:\WINDOWS\system32\DRVSTORE\w900obxw_0e4c0e31d6475770edfd1870908b5c4c7a27f6cd\w900cr.sys packed by PESTUB
D:\WINDOWS\system32\DRVSTORE\w900sdmw_29a2e5b331f007667257bc3a492448aa5412b7fe\w900cr.sys packed by PESTUB
D:\WINDOWS\system32\DRVSTORE\z520mdmw_e7c347162e16943ccb9fd999dd13c9386bfac43d\z520cr.sys packed by PESTUB
D:\WINDOWS\system32\DRVSTORE\z520obxw_1775df8ab6f50291db10a5e8971e87950ba0eb0c\z520cr.sys packed by PESTUB
D:\WINDOWS\system32\DRVSTORE\z520sdmw_00d3f40169de920ac43d88aa6ef98245dbb4f4a1\z520cr.sys packed by PESTUB
D:\WINDOWS\system32\DRVSTORE\z525mdmw_bcf80df43817a6e2ff54119c6253b27fe7dcad13\z525cr.sys packed by PESTUB
D:\WINDOWS\system32\DRVSTORE\z525obxw_28beeef3e5e976d190c8b7611e2a302af561302e\z525cr.sys packed by PESTUB
D:\WINDOWS\system32\DRVSTORE\z525sdmw_4739e4159e316047f5f452cb07b092efe246ceea\z525cr.sys packed by PESTUB
D:\WINDOWS\system32\DRVSTORE\z530mdmw_ed2cd1341cd36120ce066d4ca433d5d6e86bd7cf\z530cr.sys packed by PESTUB
D:\WINDOWS\system32\DRVSTORE\z530obxw_fd421c2424ae65a119abc16012ca2153897d4825\z530cr.sys packed by PESTUB
D:\WINDOWS\system32\DRVSTORE\z530sdmw_7ce664b8b6f578872dc59e086511b18a66b49ca3\z530cr.sys packed by PESTUB
D:\WINDOWS\system32\DRVSTORE\z800mdmw_ee30ac0900ed0ba0341d8c8cbf48308c879e73f4\z800cr.sys packed by PESTUB
D:\WINDOWS\system32\DRVSTORE\z800obxw_2998c412471a915ca1e2dcfdc9608f2f40454caf\z800cr.sys packed by PESTUB

[Scan path] G:\
G:\Games\AOT\System\ESE.dll packed by PESTUB
G:\Games\AOT\System\dll backup\ESE.dll packed by ULTRAPROTECT
>G:\Games\AOT\System\dll backup\ESE.dll - decompression error
G:\Games\AOT\System\movie unreal\iplpx.dll packed by UPX
G:\Games\AOT\System\movie unreal\MovieUnreal436.exe packed by UPX
G:\Games\UT2004\Manual\AdbeRdr60_enu_full.exe packed by UPX
G:\Games\Worms\GfxUpdate.exe packed by UPX
G:\Important\D- Desktop Bkup\Desktop\Monopoly\ikernel.ex_ packed by MS COMPRESS
G:\Important\Game inis\Tactical Ops\acp.exe packed by PESTUB
G:\Important\Game inis\Tactical Ops\dll backup\ESE.dll packed by ULTRAPROTECT
>G:\Important\Game inis\Tactical Ops\dll backup\ESE.dll - decompression error
G:\Important\Game inis\Tactical Ops\ese\ESE.dll packed by ULTRAPROTECT
>G:\Important\Game inis\Tactical Ops\ese\ESE.dll - decompression error
G:\Important\[ EVERYTHING YOU NEED AFTER A FORMAT\Other\Folder2Iso_v1.4\Folder2Iso_v1.4.exe packed by UPX
G:\Important\[ EVERYTHING YOU NEED AFTER A FORMAT\Other\Power Achiver 2007\powarc1020.exe packed by UPX
G:\Important\[ EVERYTHING YOU NEED AFTER A FORMAT\XP\Communication Applications\Teamspeak2\TeamSpeak.exe packed by UPX
G:\Important\[ EVERYTHING YOU NEED AFTER A FORMAT\XP\Drivers\Razer-Diamond\6.01\ISSetup.dll packed by UPX
G:\Important\[ EVERYTHING YOU NEED AFTER A FORMAT\XP\Drivers\Razer-Diamond\DB_v6.02_eng\ISSetup.dll packed by UPX
G:\Important\[ EVERYTHING YOU NEED AFTER A FORMAT\XP\Other\MovieUnreal\iplpx.dll packed by UPX
G:\Important\[ EVERYTHING YOU NEED AFTER A FORMAT\XP\Other\MovieUnreal\MovieUnreal436.exe packed by UPX
G:\Important\[ EVERYTHING YOU NEED AFTER A FORMAT\XP\Repair & Clean\Advanced Process Termination 2.10\apt.exe packed by PECOMPACT
G:\Important\[ EVERYTHING YOU NEED AFTER A FORMAT\XP\Repair & Clean\AFT Cleaner 3\ATF-Cleaner.exe packed by UPX
G:\Important\[ EVERYTHING YOU NEED AFTER A FORMAT\XP\Repair & Clean\Combo fix\ComboFix.exe packed by UPX
G:\Important\[ EVERYTHING YOU NEED AFTER A FORMAT\XP\Repair & Clean\Dr Delete\DrDeleteExeandSourceRARSFX.exe packed by UPX
>G:\Important\[ EVERYTHING YOU NEED AFTER A FORMAT\XP\Repair & Clean\Dr Delete\DrDeleteExeandSourceRARSFX.exe packed by PESTUB
G:\Important\[ EVERYTHING YOU NEED AFTER A FORMAT\XP\Repair & Clean\HiJackthis 1.0\alternativ.exe packed by UPX
G:\Important\[ EVERYTHING YOU NEED AFTER A FORMAT\XP\Repair & Clean\LSP fix 1.0\LSPfix.exe packed by UPX
>G:\Important\[ EVERYTHING YOU NEED AFTER A FORMAT\XP\Repair & Clean\WinSock XP fix 1.0\WinsockxpFix.exe\data002 packed by PKLITE32
G:\Important\[ EVERYTHING YOU NEED AFTER A FORMAT\XP\Security Programs\Anti-Virus\Avast 4 Home (Trial)\setupeng.exe packed by UPX
G:\Important\[ EVERYTHING YOU NEED AFTER A FORMAT\XP\XP Tweaks\DriverCleaner.exe packed by UPX
G:\Important\[ EVERYTHING YOU NEED AFTER A FORMAT\XP\XP Tweaks\Refresh Rate-Force\ReForce.exe packed by UPX
G:\Important\[ EVERYTHING YOU NEED AFTER A FORMAT\XP\XP Tweaks\TuneUp Software\PDXKG.exe packed by FSG
G:\My Documents\Downloads\ubcd34-basic.exe packed by UPX
G:\My Documents\Torrent Downloads\[ Programs ]\Acronis.Disk.Director.Suite.10.0.0.2117\acronis.products.keygen\Keygen.exe packed by UPX
G:\My Documents\Torrent Downloads\[ Programs ]\Tuneup.Utilities.2007+Keygen.[English].PROPER-Tek-One\CRACK\keygen.exe packed by UPX
G:\Program Files\Adobe\Adobe Bridge CS3\browser\opera.dll packed by ASPACK
G:\Program Files\Adobe\Adobe Bridge CS3\browser\OUniAnsi.dll packed by ASPACK
G:\Program Files\Adobe\Adobe Device Central CS3\Required\Opera\Opera.dll packed by ASPACK
G:\Program Files\Adobe\Adobe Device Central CS3\Required\Opera\ouniansi.dll packed by ASPACK
G:\Program Files\Adobe\Adobe Device Central CS3\Required\Opera\spellcheck.dll packed by ASPACK
G:\Program Files\Adobe\Adobe Illustrator CS3\Cool Extras\Sample Files\Sample Art\SVG\Daily Soccer Report\Daily_Soccer_Report.svgz packed by ZLIB
G:\Program Files\Adobe\Adobe Illustrator CS3\Cool Extras\Sample Files\Sample Art\SVG\Media Player\Media_Player.svgz packed by ZLIB
G:\Program Files\Adobe\Adobe InDesign CS3\ALDFSR32.RSL packed by PESTUB
G:\Program Files\Adobe\Adobe InDesign CS3\ALDVMR32.RSL packed by PESTUB
G:\RECYCLER\S-1-5-21-842925246-1336601894-725345543-1003\Dg1.exe packed by UPX
>G:\RECYCLER\S-1-5-21-842925246-1336601894-725345543-1003\Dg1.exe packed by PESTUB
G:\XP My Documents\My Documents\powarc1001.exe packed by UPX

-----------------------------------------------------------------------------
Scan statistics
-----------------------------------------------------------------------------
Objects scanned: 242739
Infected objects found: 0
Objects with modifications found: 0
Suspicious objects found: 5
Adware programs found: 0
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 1
Hacktool programs found: 0
Cured: 0
Deleted: 0
Renamed: 0
Moved: 0
Ignored: 0
Scan speed: 591 Kb/s
Scan time: 01:02:33
-----------------------------------------------------------------------------


[3]SuperAntiSpyware Log[/3]

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 10/01/2007 at 09:11 PM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 00:20:58

Memory items scanned : 197
Memory threats detected : 0
Registry items scanned : 6341
Registry threats detected : 0
File items scanned : 38238
File threats detected : 0


[3]HJT Log (01-10-07)[/3]

Logfile of HijackThis v1.99.1
Scan saved at 21:47:01, on 01/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\MsPMSPSv.exe
D:\Program Files\Razer\Diamondback\razerhid.exe
D:\WINDOWS\system32\RunDll32.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\Razer\Diamondback\razertra.exe
D:\Program Files\Razer\Diamondback\razerofa.exe
D:\WINDOWS\System32\svchost.exe
D:\HJT\alternativ.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [CTStartup] D:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Dimondback] D:\Program Files\Razer\Diamondback\razerhid.exe
O4 - HKLM\..\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Append to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Look up in Mr&Check... - D:\Documents and Settings\Matt\Application Data\TuneUp Software\TuneUp Utilities\Web\tumrcheck.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: d:\program files\bonjour\mdnsnsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\mwtsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\mwtsp.dll
O10 - Unknown file in Winsock LSP: d:\windows\system32\mwtsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - https://sympatico.zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - https://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - https://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - https://sympatico.zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - https://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - https://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - https://sympatico.zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - https://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - https://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - https://sympatico.zone.msn.com/bingame/zpagames/zpa_pool.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - https://sympatico.zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - https://www.creative.com/su/ocx/15029/CTPID.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - D:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
Posted 10/2/2007 7:51 AM
#54479
User avatar

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
Please run a free online scan with Kaspersky AntiVirus (works only with MS Internet Explorer 5.0 or higher).
First, please close all other open programs, including any non-essential programs running in your System Tray (do NOT close your antivirus or firewall).
Go to https://www.kaspersky.com/virusscanner and click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").



  • In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
  • When you get the Windows dialog asking if you want to install this software, click the "Install" button.
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
  • Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
  • When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window, and post the text in kavscan.txt in your next reply.

Click here: Before-posting-a-log
Do not PM me with logfiles. They will be deleted.


Posted 10/3/2007 4:42 PM
#54539
User avatar

aRny Member

Date Joined Nov 2016
Total Posts: 9
Hi Touch,

I did as you said. It took nearly 3 hours to complete the full system extended scan, but it was very thorough and worth recommending to anyone.

I just want to say, I KNOW the below 2 files are infected beforehand. I work on an anti-cheat project for an Unreal Tournament engine-based game and we have to deal with such cheats that are fake or ridden with backdoors / trojans; however, they have not been 'executed' on this machine whatsoever.

G:\Important\TOST stuff\Misc Files\ESE stuff\Cheats\aRny\Public Cheats\AoT v3.40\Other\DLL Loader.rar/DLL Loader.exe Infected: HackTool.Win32.Injecter.e skipped
G:\Important\TOST stuff\Misc Files\ESE stuff\Cheats\aRny\Public Cheats\AoT v3.40\Other\DLL Loader.rar RAR: infected - 1

(Also, DrWeb quarantined vnc.exe & mwaser.exe, which all other scans see as clean remote tools - silly program.)

For the remainder, again nothing was logged other than remote admin (VNC) and chat programs such as mIRC, all of which are clean.

I presume my HJT log came back clean, which is why you suggested this scan. Is it at all possible my Control Panel and Explorer windows hang from time to time due to a registry setting or service conflict?

You're the expert; please tell me what you see in the HJT and other logs presented that could be the cause of this problem :(

[3]Kaspersky Log[/3] Direct Link: https://eazi.nl/matt/kaspersky-log.html

KASPERSKY ONLINE SCANNER REPORT

Tuesday, October 02, 2007 9:36:33 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 2/10/2007
Kaspersky Anti-Virus database records: 426364


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics
Total number of scanned objects 188807
Number of viruses found 3
Number of infected objects 31
Number of suspicious objects 0
Duration of the scan process 02:48:10

Infected Object Name Virus Name Last Action
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

D:\Documents and Settings\Administrator\DoctorWeb\Quarantine\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

D:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

D:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

D:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

D:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

D:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\ews0pcmw.default\cert8.db Object is locked skipped

D:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\ews0pcmw.default\history.dat Object is locked skipped

D:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\ews0pcmw.default\key3.db Object is locked skipped

D:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\ews0pcmw.default\parent.lock Object is locked skipped

D:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\ews0pcmw.default\search.sqlite Object is locked skipped

D:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\ews0pcmw.default\urlclassifier2.sqlite Object is locked skipped

D:\Documents and Settings\Matt\Cookies\index.dat Object is locked skipped

D:\Documents and Settings\Matt\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

D:\Documents and Settings\Matt\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

D:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\ews0pcmw.default\Cache\_CACHE_001_ Object is locked skipped

D:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\ews0pcmw.default\Cache\_CACHE_002_ Object is locked skipped

D:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\ews0pcmw.default\Cache\_CACHE_003_ Object is locked skipped

D:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\ews0pcmw.default\Cache\_CACHE_MAP_ Object is locked skipped

D:\Documents and Settings\Matt\Local Settings\History\History.IE5\index.dat Object is locked skipped

D:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

D:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

D:\Documents and Settings\Matt\NTUSER.DAT Object is locked skipped

D:\Documents and Settings\Matt\ntuser.dat.LOG Object is locked skipped

D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

D:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

D:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

D:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612 skipped

D:\Program Files\mIRC\mirc.zip/mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612 skipped

D:\Program Files\mIRC\mirc.zip ZIP: infected - 1 skipped

D:\Program Files\RealVNC\VNC4\VNC4.zip/vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

D:\Program Files\RealVNC\VNC4\VNC4.zip/winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

D:\Program Files\RealVNC\VNC4\VNC4.zip/wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

D:\Program Files\RealVNC\VNC4\VNC4.zip ZIP: infected - 3 skipped

D:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

D:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

D:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

D:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

D:\WINDOWS\SchedLgU.Txt Object is locked skipped

D:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

D:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

D:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

D:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped

D:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped

D:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

D:\WINDOWS\system32\config\default Object is locked skipped

D:\WINDOWS\system32\config\default.LOG Object is locked skipped

D:\WINDOWS\system32\config\Internet.evt Object is locked skipped

D:\WINDOWS\system32\config\ODiag.evt Object is locked skipped

D:\WINDOWS\system32\config\OSession.evt Object is locked skipped

D:\WINDOWS\system32\config\SAM Object is locked skipped

D:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

D:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

D:\WINDOWS\system32\config\SECURITY Object is locked skipped

D:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

D:\WINDOWS\system32\config\software Object is locked skipped

D:\WINDOWS\system32\config\software.LOG Object is locked skipped

D:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

D:\WINDOWS\system32\config\system Object is locked skipped

D:\WINDOWS\system32\config\system.LOG Object is locked skipped

D:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped

D:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped

D:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped

D:\WINDOWS\system32\h323log.txt Object is locked skipped

D:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped

D:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

D:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

D:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

D:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

D:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

D:\WINDOWS\WindowsUpdate.log Object is locked skipped

E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

F:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612 skipped

F:\Program Files\mIRC\mirc.zip/mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612 skipped

F:\Program Files\mIRC\mirc.zip ZIP: infected - 1 skipped

F:\Program Files\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

F:\Program Files\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

F:\Program Files\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

F:\Program Files\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

F:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fc1e3851f429ea606d6ff1e01a5229f1_ce457f64-f6f8-4080-87d4-63e4ff889488 Object is locked skipped

F:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\ffe19485761d473106b81887c4b2961d_ce457f64-f6f8-4080-87d4-63e4ff889488 Object is locked skipped

F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

F:\Users\Matty\AppData\Local\Microsoft\CardSpace\CardSpace.db Object is locked skipped

F:\Users\Matty\AppData\Local\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped

F:\Users\Matty\AppData\Local\Temp\~DF7450.tmp Object is locked skipped

F:\Users\Matty\AppData\Local\Temp\~DF7455.tmp Object is locked skipped

F:\Users\Matty\AppData\Local\Temp\~DF7E36.tmp Object is locked skipped

F:\Users\Matty\AppData\Local\Temp\~DF7E3B.tmp Object is locked skipped

F:\Windows\CSC\v2.0.6\pq Object is locked skipped

F:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl Object is locked skipped

G:\Important\TOST stuff\Misc Files\ESE stuff\Cheats\aRny\Public Cheats\AoT v3.40\Other\DLL Loader.rar/DLL Loader.exe Infected: HackTool.Win32.Injecter.e skipped

G:\Important\TOST stuff\Misc Files\ESE stuff\Cheats\aRny\Public Cheats\AoT v3.40\Other\DLL Loader.rar RAR: infected - 1 skipped

G:\My Documents\Downloads\vnc-4_1_2-x86_win32.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

G:\My Documents\Downloads\vnc-4_1_2-x86_win32.exe/file2 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

G:\My Documents\Downloads\vnc-4_1_2-x86_win32.exe/file3 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

G:\My Documents\Downloads\vnc-4_1_2-x86_win32.exe/file5 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

G:\My Documents\Downloads\vnc-4_1_2-x86_win32.exe Inno: infected - 4 skipped

G:\My Documents\Downloads\vnc-4_1_2-x86_win32.zip/vnc-4_1_2-x86_win32.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

G:\My Documents\Downloads\vnc-4_1_2-x86_win32.zip/vnc-4_1_2-x86_win32.exe/file2 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

G:\My Documents\Downloads\vnc-4_1_2-x86_win32.zip/vnc-4_1_2-x86_win32.exe/file3 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

G:\My Documents\Downloads\vnc-4_1_2-x86_win32.zip/vnc-4_1_2-x86_win32.exe/file5 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

G:\My Documents\Downloads\vnc-4_1_2-x86_win32.zip/vnc-4_1_2-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

G:\My Documents\Downloads\vnc-4_1_2-x86_win32.zip ZIP: infected - 5 skipped

G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
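The report above interleaves three kinds of lines: "Object is locked skipped" notices for files the scanner could not open, per-archive summaries ("ZIP: infected - 1"), and actual verdicts, of which everything except the HackTool.Win32.Injecter.e hit carries Kaspersky's "not-a-virus:" riskware prefix (remote-admin tools, IRC clients). Sorting those apart is the triage a responder does by hand when reading such a log. As an added example that is not part of the original post or of Kaspersky's tooling, the Python script below parses a report of that shape and buckets the lines; the ten sample lines are copied from the report above, and the line grammar the regexes encode is an assumption inferred from those lines alone.

```python
"""Triage a Kaspersky Online Scanner v5 text report (added example, not from the thread).

The report interleaves three kinds of lines:
  * "<path> Object is locked skipped"       - the scanner could not open the file
    (in-use registry hives, index.dat, event logs); not a detection,
  * "<path> Infected: <verdict> <action>"   - a signature hit on a file or an archive
    member (members are written as '<archive>/<member>'),
  * "<path> <FMT>: infected - <n> <action>" - a per-archive summary repeating the
    member hits above it, which must not be counted a second time.
Kaspersky prefixes legitimate-but-abusable tools (remote admin, IRC clients) with
"not-a-virus:"; anything else is a real malware/hacktool verdict.
Assumption: the line grammar below is inferred only from the lines quoted in the thread.
"""
import re
from collections import defaultdict

RE_LOCKED = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\S+)$")
RE_INFECTED = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) (?P<action>\S+)$")
RE_CONTAINER = re.compile(
    r"^(?P<path>.+?) (?P<fmt>[A-Za-z]+): infected - (?P<count>\d+) (?P<action>\S+)$"
)

# Constructed sample: ten lines copied verbatim from the report posted above.
SAMPLE_REPORT = r"""
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\Documents and Settings\Administrator\DoctorWeb\Quarantine\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
D:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612 skipped
D:\Program Files\mIRC\mirc.zip/mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612 skipped
D:\Program Files\mIRC\mirc.zip ZIP: infected - 1 skipped
D:\WINDOWS\system32\config\SAM Object is locked skipped
G:\Important\TOST stuff\Misc Files\ESE stuff\Cheats\aRny\Public Cheats\AoT v3.40\Other\DLL Loader.rar/DLL Loader.exe Infected: HackTool.Win32.Injecter.e skipped
G:\Important\TOST stuff\Misc Files\ESE stuff\Cheats\aRny\Public Cheats\AoT v3.40\Other\DLL Loader.rar RAR: infected - 1 skipped
G:\My Documents\Downloads\vnc-4_1_2-x86_win32.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
G:\My Documents\Downloads\vnc-4_1_2-x86_win32.exe Inno: infected - 4 skipped
"""


def on_disk_path(path):
    """Windows paths use backslashes, so the first '/' marks the start of an
    archive-member chain; what precedes it is the file that actually sits on disk."""
    return path.split("/", 1)[0]


def classify_verdict(verdict):
    """Collapse a verdict to a coarse class: 'riskware' for not-a-virus:*, otherwise
    the leading behaviour class (HackTool, Trojan, Backdoor, ...)."""
    if verdict.startswith("not-a-virus:"):
        return "riskware"
    return verdict.split(".", 1)[0]


def triage(report_text):
    """Bucket every report line; returns plain dicts/lists so callers can assert on them."""
    result = {
        "locked": [],               # paths the scanner could not read
        "containers": {},           # archive path -> (format, member hit count)
        "hits": defaultdict(list),  # class -> [(on-disk file, full path, verdict)]
        "unparsed": [],             # anything the grammar above does not cover
    }
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := RE_LOCKED.match(line):
            result["locked"].append(m["path"])
        elif m := RE_INFECTED.match(line):
            cls = classify_verdict(m["verdict"])
            result["hits"][cls].append((on_disk_path(m["path"]), m["path"], m["verdict"]))
        elif m := RE_CONTAINER.match(line):
            result["containers"][m["path"]] = (m["fmt"], int(m["count"]))
        else:
            result["unparsed"].append(line)
    result["hits"] = dict(result["hits"])
    return result


def files_needing_attention(report_text):
    """On-disk files carrying a non-riskware verdict: the only lines worth acting on.
    Locked objects, archive summaries and not-a-virus hits are deliberately excluded."""
    t = triage(report_text)
    return sorted({disk for cls, rows in t["hits"].items() if cls != "riskware"
                   for disk, _, _ in rows})


if __name__ == "__main__":
    t = triage(SAMPLE_REPORT)
    print(f"locked (ignored): {len(t['locked'])}, archive summaries: {len(t['containers'])}")
    for cls, rows in t["hits"].items():
        print(f"{cls}: {len(rows)} hit(s)")
    print("act on:", files_needing_attention(SAMPLE_REPORT))
```

Run against the full report posted above, the script leaves a single on-disk file in the "act on" list: the DLL Loader.rar archive, which the poster already identified as a known cheat loader. Everything else is either a locked system file or riskware, which is why the helper's next step was another tool rather than a removal.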
Posted 10/5/2007 9:22 AM
#54598
User avatar

Touch Advanced member

Date Joined Nov 2016
Total Posts: 12974
[3]It didn't find what I had hoped.[/3]

Download and install: https://www.filehippo.com/download_ccleaner/
For a basic version of CCleaner with no Yahoo Toolbar, select the second or third install option as follows:
Even if you selected Option 2 or 3, if you do not want the Yahoo Toolbar installed:
Uncheck "Add CCleaner Yahoo! Toolbar", as it is checked by default during CCleaner Setup


Download AVG Anti-Spyware from HERE. Save the file to your desktop so you can locate it. Double-click the AVG Anti-Spyware icon on the desktop to launch the setup program.
The installation will require a restart of the computer.



Launch AVG Anti-Spyware to update to the latest definition files.
On the main screen select the "Update" icon
Click "Start Update". The update will start and a progress bar will show the updates being installed.
If you have problems with the updater, you can use this link to manually update AVG Anti-Spyware -- AVG manual updates



AVG Anti-Spyware Settings
Select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
In the Settings screen click "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
DE-Select "Only if threats were found"

Open CCleaner.

Launch AVG Anti-Spyware by double-clicking the icon on the desktop.

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning;
it may interfere with the scanning process.

Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan"

AVG Anti-Spyware will now begin the scanning process. Be patient as this may take a little time.

While scanning AVG Anti-Spyware will list any infections found on the left side.

When the scan is completed, the recommended action should be set to Quarantine.
If not, click Recommended Action and set it there. Click the Apply all actions button.
AVG Anti-Spyware will display "All actions have been applied" on the right side.

Click on "Save Report", then "Save Report As".
This will create a text file.
Make sure you know where to find this file again (like on the Desktop).

Close AVG Anti-Spyware.

[3]Reboot normally.[/3]

[3]Post the AVG log along with a fresh HijackThis log.[/3]

Click here: Before-posting-a-log
Do not PM me with logfiles. They will be deleted.


Posted 10/5/2007 1:28 PM
#54609
User avatar

aRny Member

Date Joined Nov 2016
Total Posts: 9
Hi thanks for your quick response,


I use CCleaner on a regular basis (hence my anal tendencies :p ), so I have done everything you suggested regarding that point. As for AVG, I'll get that running tonight and post an update to you as soon as possible.



Can't thank you enough for your time and efforts :yeah:

Matt