AV8 - Did we catch it b4 it infected us??

January 19, 2011 at 10:52:15
Specs: Windows XP
A grey (Microsoft-type) window popped up stating that AV8 had detected an infection on my husband's computer. Thinking it was a message from Avast, our real-time security program, we clicked OK to continue. Several boxes popped up with warnings about infections and said that we should click the 'Start Protection' button to erase all threats. At that point we realized that it might be a scam, and did not click further.

Malwarebytes was already installed on his system, so we minimized the AV8SCAN window and updated and ran Malwarebytes successfully. Scan completed, and no malicious items were detected. We were able to do this without rebooting.

We are now not sure if we are infected or not because we did not click on the 'Start Protection' button, which we are guessing is what triggers the actual AV8 download. What other steps do we need to take to ensure that we are not infected?




#1
January 19, 2011 at 11:49:03
You are still infected because you actually clicked on the fake program:
http://www.computing.net/howtos/sho...

You may want to use these, in this order:
rkill.exe
tdss killer
Malwarebytes in full scan

If the above does not fix the problem, use these other 2 cleaners:
Trojan Remover
Hitman Pro
Fix all they find.

Some HELP in posting on Computing.net plus free progs and instructions Cheers



#2
January 19, 2011 at 13:37:44
A grey (Microsoft-type) window popped up stating that AV8 had detected an infection on my husband's computer. Thinking it was a message from Avast, our real-time security program, we clicked OK to continue. Several boxes popped up with warnings about infections and said that we should click the 'Start Protection' button to erase all threats. At that point we realized that it might be a scam, and did not click further.

Malwarebytes was already installed on his system, so we minimized the AV8SCAN window and updated and ran Malwarebytes successfully. Scan completed, and no malicious items were detected. We were able to do this without rebooting.

We are still not sure if we are infected or not because we did not click on the 'Start Protection' button, which we are guessing is what triggers the actual AV8 download. Malwarebytes full scan came up clean. Spybot full scan came up clean. Avast full scan came up clean. Hitman Pro came up clean. I am attaching a HijackThis log, which had no items checked. Is it possible that we are not infected?

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:59:39 AM, on 1/19/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Elements Organizer 8.0\ElementsOrganizerSyncAgent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\eHome\ehmsas.exe
K:\HijackThis.exe
C:\WINDOWS\system32\HPZinw12.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IDTSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoshopElements8SyncAgent] C:\Program Files\Adobe\Elements Organizer 8.0\ElementsOrganizerSyncAgent.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...
O17 - HKLM\System\CCS\Services\Tcpip\..\{8FCE4629-6C37-4CF3-A1EB-E2E165B8D9BD}: NameServer = 192.168.2.1
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Adobe Active File Monitor V8 (AdobeActiveFileMonitor8.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\WINDOWS\system32\STacSV.exe

--
End of file - 6168 bytes


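A small triage script for the HijackThis log format posted above, added here as an example; it is not part of the thread and not HijackThis's own code. It parses the O4, O23, R0/R1 and O17 lines and flags the leftovers a rogue AV typically plants (autoruns launched from temp or profile folders, autoruns given as a bare file name, non-Microsoft browser start pages, name servers outside the LAN). The sample log mixes lines from the posted log with constructed suspicious entries marked EXAMPLE; the hit on the posted IDTSysTrayApp entry (a benign bare file name) shows that a flag means "review", not "malicious".

```python
"""Triage a HijackThis 2.0.4 log for the leftovers a rogue AV typically plants.

Added example, not part of the thread or of HijackThis. A finding means
"look at this", not "this is malware".
"""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Folders a legitimate autorun or service almost never launches from on XP.
SUSPECT_DIRS = ("\\documents and settings\\", "\\application data\\",
                "\\local settings\\", "\\temp\\", "\\recycler\\")
TRUSTED_HOSTS = ("microsoft.com", "msn.com")
# A home XP box normally points at its router; anything else deserves a look.
LAN = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

O4_REG_RE = re.compile(r'^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O4_GRP_RE = re.compile(r'^O4 - (?P<hive>[^:]+): (?P<name>.*?) = (?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.*?) - (?P<company>.*?) - (?P<cmd>.*)$')
R_RE = re.compile(r'^R[01] - (?P<key>.*?) = (?P<url>\S+)$')
O17_RE = re.compile(r'^O17 - .*NameServer = (?P<ips>.*)$')


def exe_path(cmd):
    """Program path from a Run/Service command line: strips quotes and
    trailing switches such as /nogui or /background."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.*?\.(?:exe|dll|scr|com|bat|cmd))(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def check_program(kind, name, cmd):
    """Flag the two launch patterns rogue AVs favour on XP."""
    path = exe_path(cmd)
    low = path.lower()
    out = []
    if "\\" not in low:
        out.append(f"{kind} [{name}]: bare file name '{path}' (no directory; resolved via the search path)")
    if any(d in low for d in SUSPECT_DIRS):
        out.append(f"{kind} [{name}]: launches from a temp/profile folder: {path}")
    return out


def triage(log_text):
    """Return human-readable findings for one HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_REG_RE.match(line) or O4_GRP_RE.match(line)
        if m:
            findings += check_program("O4 " + m["hive"], m["name"], m["cmd"])
            continue
        m = O23_RE.match(line)
        if m:
            findings += check_program("O23 service", m["name"], m["cmd"])
            if m["company"].strip().lower() == "unknown owner":
                findings.append(f"O23 service [{m['name']}]: no company name on {exe_path(m['cmd'])}")
            continue
        m = R_RE.match(line)
        if m:
            u = urlparse(m["url"])
            host = u.hostname or ""
            if u.scheme in ("http", "https") and not host.endswith(TRUSTED_HOSTS):
                findings.append(f"{m['key'].split(',')[-1]}: points to non-Microsoft host '{host}' (review)")
            continue
        m = O17_RE.match(line)
        if m:
            for ip in m["ips"].replace(";", ",").split(","):
                ip = ip.strip()
                if ip and not any(ip_address(ip) in net for net in LAN):
                    findings.append(f"O17: name server {ip} is outside the LAN (check for a DNS changer)")
    return findings


# Constructed sample: real lines from the posted log plus EXAMPLE entries.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://example.invalid/EXAMPLE-hijack
O4 - HKLM\..\Run: [IDTSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [EXAMPLE_rogue] "C:\Documents and Settings\Alan\Local Settings\Application Data\EXAMPLE_rogue.exe" /s
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8FCE4629-6C37-4CF3-A1EB-E2E165B8D9BD}: NameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{EXAMPLE}: NameServer = 203.0.113.53
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: EXAMPLE svc (examplesvc) - Unknown owner - C:\WINDOWS\Temp\EXAMPLE_svc.exe
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```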

#3
January 19, 2011 at 13:49:54
Thinking it was a message from Avast, our real-time security program, we clicked OK to continue.

That means you clicked on it.

Did you try Trojan Remover yet?
Use that and fix all it finds.

Some HELP in posting on Computing.net plus free progs and instructions Cheers



#4
January 19, 2011 at 14:06:18
Ran rkill. It deleted a file called
c:\windows\system32\HPZinw12.exe
Does this seem malicious? What is it?


#5
January 19, 2011 at 14:14:23
You are not answering my questions.
rkill only STOPS active malware.

Some HELP in posting on Computing.net plus free progs and instructions Cheers



#6
January 19, 2011 at 15:46:28
Thanks. Just ran Trojan Remover 6.8.2. It did not find/fix anything. Log is attached.

***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.8.2.2598. For information, email support@simplysup.com
[Unregistered version]
Scan started at: 3:38:36 PM 19 Jan 2011
Using Database v7644
Operating System: Windows XP Media Center Edition (SP3) [Build: 5.1.2600]
File System: NTFS
UserData directory: C:\Documents and Settings\Alan\Application Data\Simply Super Software\Trojan Remover\
Database directory: C:\Documents and Settings\All Users\Application Data\Simply Super Software\Trojan Remover\Data\
Logfile directory: C:\Documents and Settings\Alan\My Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files\Trojan Remover\
Running with Administrator privileges

************************************************************

************************************************************
3:38:36 PM: ----- SCANNING FOR ROOTKIT SERVICES -----
No hidden Services were detected.

************************************************************
3:38:37 PM: Scanning -----WINDOWS REGISTRY-----
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
Key value: [Explorer.exe]
File: Explorer.exe
C:\WINDOWS\Explorer.exe
1033728 bytes
Created: 8/10/2004 3:00 AM
Modified: 4/13/2008 4:12 PM
Company: Microsoft Corporation
----------
This key's "Userinit" value calls the following program(s):
Key value: [C:\WINDOWS\system32\userinit.exe,]
File: C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\userinit.exe
26112 bytes
Created: 8/10/2004 3:00 AM
Modified: 4/13/2008 4:12 PM
Company: Microsoft Corporation
----------
This key's "System" value appears to be blank
----------
This key's "System" value appears to be blank
----------
This key's "UIHost" value calls the following program:
Key value: [logonui.exe]
File: logonui.exe
C:\WINDOWS\system32\logonui.exe
514560 bytes
Created: 8/10/2004 3:00 AM
Modified: 4/13/2008 4:12 PM
Company: Microsoft Corporation
----------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value Name: run
The Data Value for this entry appears to be blank
--------------------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: ehTray
Value Data: C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ehome\ehtray.exe
64512 bytes
Created: 1/22/2010 8:35 AM
Modified: 8/5/2005 1:56 PM
Company: Microsoft Corporation
--------------------
Value Name: IDTSysTrayApp
Value Data: sttray.exe
C:\WINDOWS\sttray.exe
405504 bytes
Created: 1/22/2010 1:07 PM
Modified: 9/5/2007 9:24 PM
Company: IDT, Inc.
--------------------
Value Name: SigmatelSysTrayApp
Value Data: stsystra.exe
C:\WINDOWS\stsystra.exe
339968 bytes
Created: 1/22/2010 8:45 PM
Modified: 3/22/2005 5:20 PM
Company: SigmaTel, Inc.
--------------------
Value Name: AdaptecDirectCD
Value Data: "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
684032 bytes
Created: 12/17/2002 12:28 PM
Modified: 12/17/2002 12:28 PM
Company: Roxio
--------------------
Value Name: avast5
Value Data: C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
3396624 bytes
Created: 2/2/2010 8:15 PM
Modified: 1/13/2011 12:47 AM
Company: AVAST Software
--------------------
Value Name: HP Software Update
Value Data: C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
54576 bytes
Created: 12/8/2008 3:50 PM
Modified: 12/8/2008 3:50 PM
Company: Hewlett-Packard
--------------------
Value Name: Adobe Reader Speed Launcher
Value Data: "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
35760 bytes
Created: 6/19/2010 6:04 PM
Modified: 6/19/2010 6:04 PM
Company: Adobe Systems Incorporated
--------------------
Value Name: Adobe ARM
Value Data: "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
932288 bytes
Created: 12/11/2009 3:57 PM
Modified: 9/21/2010 10:37 AM
Company: Adobe Systems Incorporated
--------------------
Value Name:
Value Data:
Blank entry: []
--------------------
Value Name: ArcSoft Connection Service
Value Data: C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
207424 bytes
Created: 2/17/2010 10:10 AM
Modified: 10/27/2010 7:17 PM
Company: ArcSoft Inc.
--------------------
Value Name: TrojanScanner
Value Data: C:\Program Files\Trojan Remover\Trjscan.exe /boot
C:\Program Files\Trojan Remover\Trjscan.exe
1233856 bytes
Created: 1/19/2011 3:34 PM
Modified: 11/24/2010 3:26 PM
Company: Simply Super Software
--------------------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
This Registry Key appears to be empty
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value Name: SpybotSD TeaTimer
Value Data: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe - entry is globally excluded
--------------------
Value Name: MSMSGS
Value Data: "C:\Program Files\Messenger\msmsgs.exe" /background
C:\Program Files\Messenger\msmsgs.exe
1695232 bytes
Created: 1/22/2010 8:35 AM
Modified: 4/13/2008 4:12 PM
Company: Microsoft Corporation
--------------------
Value Name: ctfmon.exe
Value Data: C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe
15360 bytes
Created: 8/10/2004 3:00 AM
Modified: 4/13/2008 4:12 PM
Company: Microsoft Corporation
--------------------
Value Name: PhotoshopElements8SyncAgent
Value Data: C:\Program Files\Adobe\Elements Organizer 8.0\ElementsOrganizerSyncAgent.exe
C:\Program Files\Adobe\Elements Organizer 8.0\ElementsOrganizerSyncAgent.exe
1893728 bytes
Created: 9/6/2009 5:07 AM
Modified: 9/6/2009 5:07 AM
Company: Adobe Systems Incorporated
--------------------
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
This Registry Key appears to be empty

************************************************************
3:38:41 PM: Scanning -----SHELLEXECUTEHOOKS-----
ValueName: {AEB6717E-7E19-11d0-97EE-00C04FD91972}
File: shell32.dll - this file is expected and has been left in place
----------

************************************************************
3:38:41 PM: Scanning -----HIDDEN REGISTRY ENTRIES-----
Taskdir check completed
----------
No Hidden File-loading Registry Entries found
----------

************************************************************
3:38:41 PM: Scanning -----ACTIVE SCREENSAVER-----
ScreenSaver: C:\WINDOWS\System32\logon.scr
C:\WINDOWS\System32\logon.scr
220672 bytes
Created: 8/10/2004 3:00 AM
Modified: 4/13/2008 4:12 PM
Company: Microsoft Corporation
--------------------

************************************************************
3:38:42 PM: Scanning ----- REGISTRY ACTIVE SETUP KEYS -----

************************************************************
3:38:42 PM: Scanning ----- SERVICEDLL REGISTRY KEYS -----
Key: getPlusHelper
Path: C:\Program Files\NOS\bin\getPlus_Helper.dll
C:\Program Files\NOS\bin\getPlus_Helper.dll
67360 bytes
Created: 2/4/2010 9:04 PM
Modified: 1/25/2010 10:02 AM
Company: NOS Microsystems Ltd.
--------------------
Key: HidServ
%SystemRoot%\System32\hidserv.dll - file is globally excluded (file cannot be found)
--------------------

************************************************************
3:38:43 PM: Scanning ----- SERVICES REGISTRY KEYS -----
Key: ACDaemon
ImagePath: C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
113152 bytes
Created: 2/17/2010 10:10 AM
Modified: 3/18/2010 10:19 AM
Company: ArcSoft Inc.
----------
Key: AdobeActiveFileMonitor8.0
ImagePath: C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
169312 bytes
Created: 9/6/2009 5:06 AM
Modified: 9/6/2009 5:06 AM
Company: Adobe Systems Incorporated
----------
Key: atapi
ImagePath: system32\DRIVERS\atapi.sys
C:\WINDOWS\system32\DRIVERS\atapi.sys
96512 bytes
Created: 8/10/2004 3:00 AM
Modified: 4/13/2008 10:40 AM
Company: Microsoft Corporation
----------
Key: avast! Antivirus
ImagePath: "C:\Program Files\Alwil Software\Avast5\AvastSvc.exe"
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
40384 bytes
Created: 2/2/2010 8:15 PM
Modified: 1/13/2011 12:47 AM
Company: AVAST Software
----------
Key: ehRecvr
ImagePath: C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehRecvr.exe
237568 bytes
Created: 1/22/2010 8:35 AM
Modified: 10/9/2006 4:16 PM
Company: Microsoft Corporation
----------
Key: ehSched
ImagePath: C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\eHome\ehSched.exe
102912 bytes
Created: 1/22/2010 8:35 AM
Modified: 8/5/2005 1:56 PM
Company: Microsoft Corporation
----------
Key: FLEXnet Licensing Service
ImagePath: "C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe"
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
867080 bytes
Created: 8/10/2010 1:15 PM
Modified: 8/10/2010 1:15 PM
Company: Acresso Software Inc.
----------
Key: grmnusb
ImagePath: system32\drivers\grmnusb.sys
C:\WINDOWS\system32\drivers\grmnusb.sys
9344 bytes
Created: 5/29/2010 2:55 PM
Modified: 4/17/2009 7:48 PM
Company: GARMIN Corp.
----------
Key: HSFHWAZL
ImagePath: system32\DRIVERS\HSFHWAZL.sys
C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
201600 bytes
Created: 7/22/2005 11:01 AM
Modified: 7/22/2005 11:01 AM
Company: Conexant Systems, Inc.
----------
Key: iastor
ImagePath: system32\DRIVERS\iaStor.sys
C:\WINDOWS\system32\DRIVERS\iaStor.sys
250880 bytes
Created: 4/26/2006 4:23 AM
Modified: 4/26/2006 4:23 AM
Company: Intel Corporation
----------
Key: STacSV
ImagePath: C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\STacSV.exe
204800 bytes
Created: 1/22/2010 1:07 PM
Modified: 9/5/2007 9:25 PM
Company: IDT, Inc.
----------
Key: STHDA
ImagePath: system32\drivers\sthda.sys
C:\WINDOWS\system32\drivers\sthda.sys
1047816 bytes
Created: 9/5/2007 9:25 PM
Modified: 11/16/2005 3:36 PM
Company: SigmaTel, Inc.
----------
Key: SwPrv
ImagePath: C:\WINDOWS\system32\dllhost.exe /Processid:{E9F403BC-FB01-46A4-A8D4-107F037627F6}
C:\WINDOWS\system32\dllhost.exe
5120 bytes
Created: 8/10/2004 3:00 AM
Modified: 4/13/2008 4:12 PM
Company: Microsoft Corporation
----------

************************************************************
3:38:51 PM: Scanning -----VXD ENTRIES-----

************************************************************
3:38:51 PM: Scanning ----- WINLOGON\NOTIFY DLLS -----

************************************************************
3:38:51 PM: Scanning ----- CONTEXTMENUHANDLERS -----
Key: avast
CLSID: {472083B0-C522-11CF-8763-00608CC02F24}
Path: C:\Program Files\Alwil Software\Avast5\ashShell.dll
C:\Program Files\Alwil Software\Avast5\ashShell.dll
120712 bytes
Created: 2/2/2010 8:15 PM
Modified: 1/13/2011 12:47 AM
Company: AVAST Software
----------

************************************************************
3:38:51 PM: Scanning ----- FOLDER\COLUMNHANDLERS -----

************************************************************
3:38:51 PM: Scanning ----- BROWSER HELPER OBJECTS -----

************************************************************
3:38:51 PM: Scanning ----- SHELLSERVICEOBJECTS -----

************************************************************
3:38:51 PM: Scanning ----- SHAREDTASKSCHEDULER ENTRIES -----

************************************************************
3:38:51 PM: Scanning ----- IMAGEFILE DEBUGGERS -----
No "Debugger" entries found.

************************************************************
3:38:51 PM: Scanning ----- APPINIT_DLLS -----
The AppInit_DLLs value is blank or does not exist

************************************************************
3:38:52 PM: Scanning ----- SECURITY PROVIDER DLLS -----

************************************************************
3:38:52 PM: Scanning ------ COMMON STARTUP GROUP ------
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
The Common Startup Group attempts to load the following file(s) at boot time:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
-HS- 84 bytes
Created: 1/22/2010 12:25 AM
Modified: 1/22/2010 8:41 AM
Company: [no info]
--------------------
HP Digital Imaging Monitor.lnk - links to C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe
C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe
288472 bytes
Created: 2/19/2006 4:21 AM
Modified: 2/19/2006 4:21 AM
Company: Hewlett-Packard Development Company, L.P.
--------------------
HP Photosmart Premier Fast Start.lnk - links to C:\PROGRA~1\HP\DIGITA~1\bin\hpqthb08.exe
C:\PROGRA~1\HP\DIGITA~1\bin\hpqthb08.exe
73728 bytes
Created: 2/10/2006 7:56 AM
Modified: 2/10/2006 7:56 AM
Company: Hewlett-Packard Development Company, L.P.
--------------------
Kodak EasyShare software.lnk - links to C:\PROGRA~1\Kodak\KODAKE~1\bin\EASYSH~1.EXE
C:\PROGRA~1\Kodak\KODAKE~1\bin\EASYSH~1.EXE
323584 bytes
Created: 1/27/2010 9:40 AM
Modified: 1/27/2010 9:40 AM
Company: Eastman Kodak Company
--------------------
Microsoft Office.lnk - links to C:\PROGRA~1\MICROS~2\Office10\OSA.EXE
C:\PROGRA~1\MICROS~2\Office10\OSA.EXE
83360 bytes
Created: 2/13/2001 1:01 AM
Modified: 2/13/2001 1:01 AM
Company: Microsoft Corporation
--------------------

************************************************************
3:38:53 PM: Scanning ------ USER STARTUP GROUPS ------
--------------------
Checking Startup Group for: Alan
[C:\Documents and Settings\Alan\START MENU\PROGRAMS\STARTUP]
The Startup Group for Alan attempts to load the following file(s):
C:\Documents and Settings\Alan\START MENU\PROGRAMS\STARTUP\desktop.ini
-HS- 84 bytes
Created: 1/22/2010 8:48 AM
Modified: 1/22/2010 8:41 AM
Company: [no info]
----------

************************************************************
3:38:53 PM: Scanning ----- SCHEDULED TASKS -----
Taskname: EasyShare Registration Task
File: C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_8.2.30.1.sxt
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_8.2.30.1.sxt
876544 bytes
Created: 2/17/2010 9:56 AM
Modified: 2/17/2010 9:56 AM
Company: Eastman Kodak Company
Parameters: C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_8.2.30.1.sxt _RegistrationOffer@16
Schedule: At 9:56 AM every 14 days, starting 2/17/2010
Next Run Time: 2/2/2011 9:56:00 AM
Status: Ready
Creator: Alan
Comments:
----------
Taskname: GoogleUpdateTaskMachineCore
File: C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
136176 bytes
Created: 4/25/2010 8:38 AM
Modified: 4/25/2010 8:37 AM
Company: Google Inc.
Parameters: /c
Schedule: Multiple schedule times
Next Run Time: 1/19/2011 9:53:00 PM
Status: Ready
Creator: Alan
Comments: Keeps your Google software up to date. If this task is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This task uninstalls itself when there is no Google software using it.
----------
Taskname: GoogleUpdateTaskMachineUA
File: C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
136176 bytes
Created: 4/25/2010 8:38 AM
Modified: 4/25/2010 8:37 AM
Company: Google Inc.
Parameters: /ua /installsource scheduler
Schedule: Every 1 hour(s) from 9:53 PM for 24 hour(s) every day, starting 10/19/2010
Next Run Time: 1/19/2011 3:53:00 PM
Status: Ready
Creator: Alan
Comments: Keeps your Google software up to date. If this task is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This task uninstalls itself when there is no Google software using it.
----------
Taskname: WebReg officejet 6300 series
File: C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
313048 bytes
Created: 2/19/2006 5:09 AM
Modified: 2/19/2006 5:09 AM
Company: Hewlett-Packard Development Company, L.P.
Parameters: "officejet 6300 series"
Schedule: At 5:39 AM every day, starting 1/26/2011
Next Run Time: 1/26/2011 5:39:00 AM
Status: Ready
Creator: Alan
Comments:
----------

************************************************************
3:38:54 PM: Scanning ----- SHELLICONOVERLAYIDENTIFIERS -----

************************************************************
3:38:54 PM: Scanning ----- DEVICE DRIVER ENTRIES -----
Value: msacm.l3acm
File: l3codecx.acm
C:\WINDOWS\system32\l3codecx.acm
-R- 135168 bytes
Created: 7/2/1999 1:00 AM
Modified: 7/2/1999 1:00 AM
Company: Fraunhofer Institut Integrierte Schaltungen IIS
----------
Value: vidc.LEAD
File: LCODCCMP.DLL
LCODCCMP.DLL - [file not found to scan]
----------

************************************************************
3:38:54 PM: ----- ADDITIONAL CHECKS -----
PE386 rootkit checks completed
----------
Winlogon registry rootkit checks completed
----------
Heuristic checks for hidden files/drivers completed
----------
Layered Service Provider entries checks completed
----------
Windows Explorer Policies checks completed
----------
Checking autorun.inf in J:\
J:\autorun.inf
-H- 71 bytes
Created: 4/1/2008 1:53 PM
Modified: 4/1/2008 1:53 PM
Company: [no info]
J:\autorun.inf open entry: [wd_windows_tools\WDSetup.exe]
J:\wd_windows_tools\WDSetup.exe
1760476 bytes
Created: 6/19/2008 12:46 PM
Modified: 6/19/2008 12:46 PM
Company: Western Digital Corporation
----------
--------------------
Desktop Wallpaper: C:\WINDOWS\web\wallpaper\Bliss.bmp
C:\WINDOWS\web\wallpaper\Bliss.bmp
1440054 bytes
Created: 1/22/2010 8:40 AM
Modified: 1/22/2010 8:40 AM
Company: [no info]
----------
Web Desktop Wallpaper: %SystemRoot%\web\wallpaper\Bliss.bmp
C:\WINDOWS\web\wallpaper\Bliss.bmp
1440054 bytes
Created: 1/22/2010 8:40 AM
Modified: 1/22/2010 8:40 AM
Company: [no info]
----------
DNS Server information:
Interface: Intel(R) PRO/100 VE Network Connection
NameServers: 192.168.2.1
Checks for rogue DNS NameServers completed
----------
Additional checks completed

************************************************************
3:39:03 PM: Scanning ----- RUNNING PROCESSES -----

C:\WINDOWS\System32\smss.exe
50688 bytes
Created: 8/10/2004 3:00 AM
Modified: 4/13/2008 4:12 PM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\winlogon.exe
507904 bytes
Created: 8/10/2004 3:00 AM
Modified: 4/13/2008 4:12 PM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\services.exe
110592 bytes
Created: 8/10/2004 3:00 AM
Modified: 2/6/2009 3:11 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\lsass.exe
13312 bytes
Created: 8/10/2004 3:00 AM
Modified: 4/13/2008 4:12 PM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\Ati2evxx.exe
380928 bytes
Created: 1/22/2010 7:19 AM
Modified: 8/4/2005 1:02 AM
Company: ATI Technologies Inc.
--------------------
C:\WINDOWS\system32\svchost.exe
14336 bytes
Created: 8/10/2004 3:00 AM
Modified: 4/13/2008 4:12 PM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\System32\svchost.exe - file already scanned
--------------------
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe - file already scanned
--------------------
C:\WINDOWS\ehome\ehtray.exe - file already scanned
--------------------
C:\WINDOWS\stsystra.exe - file already scanned
--------------------
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe - file already scanned
--------------------
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe - file already scanned
--------------------
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe - file already scanned
--------------------
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe - file already scanned
--------------------
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
-RHS- 2260480 bytes
Created: 1/24/2010 12:04 AM
Modified: 3/5/2009 4:07 PM
Company: Safer-Networking Ltd.
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe - no action taken on this file
--------------------
C:\Program Files\Messenger\msmsgs.exe - file already scanned
--------------------
C:\WINDOWS\system32\ctfmon.exe - file already scanned
--------------------
C:\Program Files\Adobe\Elements Organizer 8.0\ElementsOrganizerSyncAgent.exe - file already scanned
--------------------
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
288472 bytes
Created: 2/19/2006 4:21 AM
Modified: 2/19/2006 4:21 AM
Company: Hewlett-Packard Development Company, L.P.
--------------------
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
323584 bytes
Created: 1/27/2010 9:40 AM
Modified: 1/27/2010 9:40 AM
Company: Eastman Kodak Company
--------------------
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
139264 bytes
Created: 2/19/2006 5:29 AM
Modified: 2/19/2006 5:29 AM
Company: Hewlett-Packard Development Company, L.P.
--------------------
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
479232 bytes
Created: 2/10/2006 7:56 AM
Modified: 2/10/2006 7:56 AM
Company: Hewlett-Packard Development Company, L.P.
--------------------
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
239320 bytes
Created: 2/19/2006 5:24 AM
Modified: 2/19/2006 5:24 AM
Company: Hewlett-Packard Development Company, L.P.
--------------------
C:\WINDOWS\system32\spoolsv.exe
58880 bytes
Created: 8/10/2004 3:00 AM
Modified: 8/17/2010 5:17 AM
Company: Microsoft Corporation
--------------------
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe - file already scanned
--------------------
C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe - file already scanned
--------------------
C:\WINDOWS\eHome\ehRecvr.exe - file already scanned
--------------------
C:\WINDOWS\eHome\ehSched.exe - file already scanned
--------------------
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
322120 bytes
Created: 6/19/2003 11:25 PM
Modified: 6/19/2003 11:25 PM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\svchost.exe - file already scanned
--------------------
C:\WINDOWS\system32\dllhost.exe
5120 bytes
Created: 8/10/2004 3:00 AM
Modified: 4/13/2008 4:12 PM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\eHome\ehmsas.exe
46592 bytes
Created: 1/22/2010 8:35 AM
Modified: 8/5/2005 1:56 PM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\explorer.exe - file already scanned
--------------------
C:\Documents and Settings\Alan\Application Data\Simply Super Software\Trojan Remover\gmq2B9.exe
FileSize: 3761072
[This is a Trojan Remover component]
--------------------

************************************************************
3:39:07 PM: Checking HOSTS file
No malicious entries were found in the HOSTS file

************************************************************
------ INTERNET EXPLORER HOME/START/SEARCH SETTINGS ------
HKLM\Software\Microsoft\Internet Explorer\Main\"Start Page":
http://go.microsoft.com/fwlink/?Lin...
HKLM\Software\Microsoft\Internet Explorer\Main\"Local Page":
C:\WINDOWS\system32\blank.htm
HKLM\Software\Microsoft\Internet Explorer\Main\"Search Page":
http://go.microsoft.com/fwlink/?Lin...
HKLM\Software\Microsoft\Internet Explorer\Main\"Default_Page_URL":
http://go.microsoft.com/fwlink/?Lin...
HKLM\Software\Microsoft\Internet Explorer\Main\"Default_Search_URL":
http://go.microsoft.com/fwlink/?Lin...
HKLM\Software\Microsoft\Internet Explorer\Search\"CustomizeSearch":
http://ie.search.msn.com/{SUB_RFC17...
HKLM\Software\Microsoft\Internet Explorer\Search\"SearchAssistant":
http://ie.search.msn.com/{SUB_RFC17...
HKCU\Software\Microsoft\Internet Explorer\Main\"Start Page":
http://www.microsoft.com/isapi/redi...
HKCU\Software\Microsoft\Internet Explorer\Main\"Local Page":
C:\WINDOWS\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main\"Search Page":
http://www.microsoft.com/isapi/redi...

************************************************************
=== NO CHANGES HAVE BEEN MADE TO YOUR SYSTEM FILES ===
Scan completed at: 3:39:07 PM 19 Jan 2011
Total Scan time: 00:00:30
************************************************************




#7
January 19, 2011 at 20:12:14
Run ComboFix:
http://www.bleepingcomputer.com/com...
Follow the guide and you should be fine.

Some HELP in posting on Computing.net plus free progs and instructions Cheers

