[b]It’s not an adware . It’s called HTML: Malware-gen that’s downloading something to my computer
I already have Avast and it’s always updated. I don’t know where I got this virus/worm. Avast can detect it when it tries to download something and stops it but when I scan to try to remove it, it can’t be detected.
how can i remove this virus? 
sorry for my english[/b]
Although you don’t give much information, I believe this was detected by the Web Shield provider. If so the alert would only have given one option, to abort connection (see image example), that stops the file being downloaded. So it 'won’t appear on your system, that is why you can’t find it.
But this letter shows at the opening yahoo messenger, IE7 or Firefox
That isn’t relevant to whether the virus that avast is alerting on got on to your system.
What is likely is that there is an undetected or hidden trojan on your system that is trying to connect to a web page and download more malware. So as soon as you connect to the internet it tries to download.
What is your Firewall (it should be capable of blocking unauthorised outbound Internet Connections) ?
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode.
If using winXP or Vista SUPERantispyware On-Demand only in free version.
thanks for your help 
No problem, let us know how you get on with the SAS scan.
Welcome to the forums.
Once again I do not know what to do
Please post a HijackThis! log.
(Instructions and screen shots on the page linked to.)
You have nothing to do in respect of that alert, avast’s web shield, intercepted it and stopped it from being downloaded, it isn’t on your system. But you do have to identify why the attempts to download it are made, Frank’s suggestion of HJT is a good one to see what is running on your system.
Have you downloaded and run SuperAntiSpyware (the blue text is a link) as I suggested ?
In the image I also noticed a Red shield with an X on it, which I believe is the Windows Security Center alerting you to either your AV (unlikely) or Firewall (probably) being disabled ?
If your firewall is disabled there would be nothing to stop files being downloaded to your system.
This is the file (hijackthis)
http://www.zshare.net/download/9744765c76cc50/
If your firewall is disabled there would be nothing to stop files being downloaded to your system
no my firewall is enable
http://b.imagehost.org/0353/Unt2.jpg
Here it is for others to look at:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:22:14 PM, on 3/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\yupdater.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Calypso\Desktop\HiJackThis.exe
O4 - HKLM..\Run: [IMJPMIG8.1] “C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE” /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM..\Run: [Ins3DT] F:\INSTALL4\INS3DT.EXE
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [Yahoo! Pager] “C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe” -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
This entry is suspicious:
O4 - HKLM..\Run: [Ins3DT] F:\INSTALL4\INS3DT.EXE
What is F:? A USB drive?
The log seems a bit short, which is suspicious.
It would be worth trying the new avast anti-rootkit tool:
http://forum.avast.com/index.php?topic=33753.0
Also, try some online scans. (Disable avast! while scanning.)
Well the WSC is reporting something that it monitors is disabled/out of date, etc. What does it say when you double click it (it will show what it is monitoring) ?
If you have a modem/router/firewall it is entirely possible that the WSC doesn’t detect it. The other issue is that most hardware router/firewalls don’t provide any outbound protection/monitoring. It should be capable of blocking unauthorised outbound Internet Connections.
Any malware that manages to get past your defences will have free reign to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.
You are running HJT from the desktop and it should be in its own folder, it can be installed to any location C:\HJT for example.
C:\Documents and Settings\Calypso\Desktop\HiJackThis.exe
Follow DavidR’s instruction on moving hijackthis.exe to it’s own folder. While you are doing that, rename hijackthis.exe to calypso.exe. Then rerun the scan and post the results. You may discover a vundo infection.
If you have firewall you can try to block any (IN and OUT) traffic with 222.216.28.25.
This IP corresponds to (at least) the following
g.asdafdgfgf.com
u.asdafdgfgf.com
t.asdafdgfgf.com
x.asdafdgfgf.com
Previously the similar problems were with ads.adslooks.info and fly.1234214.info
It is not the problem of your PC, but the example of ARPSpoofing in the local net. Somewhere in the local net infected PC is present. This PC substitutes MAC-address in the router table (may be in arp tables of other PC too) and intercepts http traffic inserting scripts etc.
P.S. I have deal with the similar ads.js case yesterday and today.
If you have firewall you can try to block any (IN and OUT) traffic with 222.216.28.25. This IP corresponds to (at least) the following g.asdafdgfgf.com u.asdafdgfgf.com t.asdafdgfgf.com x.asdafdgfgf.com Previously the similar problems were with ads.adslooks.info and fly.1234214.info It is not the problem of your PC, but the example of ARPSpoofing in the local net. Somewhere in the local net infected PC is present. This PC substitutes MAC-address in the router table (may be in arp tables of other PC too) and intercepts http traffic inserting scripts etc.P.S. I have deal with the similar ads.js case yesterday and today.
so what can i do to stopped him ? ???
You will have to find the downloader, if that is what it is. Download this, it may show up in this scan.
Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
[*]Close all other windows before proceeding.
[*]Double-click on dss.exe and follow the prompts.
[*]When it has finished, dss will open two Notepads main.txt and extra.txt – please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
– System Information ----------------------------------------------------------
Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English
CPU 0: Intel(R) Celeron(R) CPU 2.53GHz
Percentage of Memory in Use: 50%
Physical Memory (total/avail): 511.23 MiB / 251.54 MiB
Pagefile Memory (total/avail): 1249.84 MiB / 970.29 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1882.45 MiB
A: is Removable (Unformatted)
C: is Fixed (NTFS) - 9.77 GiB total, 6.28 GiB free.
D: is Fixed (NTFS) - 29.3 GiB total, 0.43 GiB free.
E: is Fixed (NTFS) - 35.45 GiB total, 3.73 GiB free.
F: is CDROM (No Media)
\.\PHYSICALDRIVE0 - WDC WD800BB-00JHC0 - 74.53 GiB - 3 partitions
\PARTITION0 (bootable) - Installable File System - 9.77 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 64.76 GiB - D: - E:
– Security Center -------------------------------------------------------------
AUOptions is disabled.
Windows Internal Firewall is enabled.
FirstRunDisabled is set.
AV: avast! antivirus 4.8.1169 [VPS 080331-0] v4.8.1169 (ALWIL Software)
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
“%windir%\system32\sessmgr.exe”=“%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019”
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
“%windir%\system32\sessmgr.exe”=“%windir%\system32\sessmgr.exe::enabled:@xpsp2res.dll,-22019"
“C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe”="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe::Enabled:Yahoo! Messenger”
“C:\Program Files\Yahoo!\Messenger\YServer.exe”=“C:\Program Files\Yahoo!\Messenger\YServer.exe::Enabled:Yahoo! FT Server"
“C:\Program Files\ExtraTools\ExtraDNS\ExtraDNS.dll”="C:\Program Files\ExtraTools\ExtraDNS\ExtraDNS.dll::Enabled:ExtraDNS”
– Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\CALYPS0\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=CALYPSO
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\CALYPS0
LOGONSERVER=\CALYPSO
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\CALYPS0\LOCALS~1\Temp
TMP=C:\DOCUME~1\CALYPS0\LOCALS~1\Temp
USERDOMAIN=CALYPSO
USERNAME=CALYPS0
USERPROFILE=C:\Documents and Settings\CALYPS0
windir=C:\WINDOWS
– User Profiles ---------------------------------------------------------------
CALYPS0 I[/I]
– Add/Remove Programs ---------------------------------------------------------
→ rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
avast! Antivirus → C:\Program Files\Alwil Software\Avast4\aswRunDll.exe “C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll”,RunSetup
ExtraDNS → C:\PROGRA~1\EXTRAT~1\ExtraDNS\UNWISE.EXE C:\PROGRA~1\EXTRAT~1\ExtraDNS\INSTALL.LOG
FLV Player 1.3.3 → “C:\Program Files\FLVPlayer\uninstall.exe”
Internet Download Manager → C:\Program Files\Internet Download Manager\Uninstall.exe
jetAudio → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{DF8195AF-8E6F-4487-A0EE-196F7E3F4B8A}\Setup.exe” -l0x9
Microsoft Office FrontPage 2003 → MsiExec.exe /I{90170409-6000-11D3-8CFE-0150048383C9}
SLD Codec Pack → C:\Program Files\SLD Codec Pack\uninstall.exe
SoundMAX → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe”
SwitchSniffer → RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup “C:\Program Files\InstallShield Installation Information{B9AEF567-6DD3-4B30-BCC6-E88829BEDE98}\setup.exe” -l0x9
Technitium MAC Address Changer v4.5 → C:\Program Files\Technitium\TMACv4.5\Uninstall.exe
WinRAR archiver → C:\Program Files\WinRAR\uninstall.exe
Yahoo! Messenger → C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
– Application Event Log -------------------------------------------------------
Event Record #/Type147 / Warning
Event Submitted/Written: 03/31/2008 02:27:55 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product ‘{90170409-6000-11D3-8CFE-0150048383C9}’, feature ‘FPThemes’ failed during request for component ‘{A5D133C1-589D-48AB-9DCF-1A13E8A13AD5}’
Event Record #/Type145 / Warning
Event Submitted/Written: 03/31/2008 02:27:40 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product ‘{90170409-6000-11D3-8CFE-0150048383C9}’, feature ‘ThemesAdditionalFiles’ failed during request for component ‘{AB846F53-F041-11D3-95B9-0080C76FAB72}’
Event Record #/Type144 / Warning
Event Submitted/Written: 03/31/2008 01:52:08 PM
Event ID/Source: 5603 / WinMgmt
Event Description:
A provider, OffProv11, has been registered in the WMI namespace, Root\MSAPPS11, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.
Event Record #/Type143 / Warning
Event Submitted/Written: 03/31/2008 01:52:08 PM
Event ID/Source: 5603 / WinMgmt
Event Description:
A provider, OffProv11, has been registered in the WMI namespace, Root\MSAPPS11, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.
Event Record #/Type141 / Warning
Event Submitted/Written: 03/31/2008 01:10:03 PM
Event ID/Source: 5603 / WinMgmt
Event Description:
A provider, OffProv11, has been registered in the WMI namespace, Root\MSAPPS11, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.
– Security Event Log ----------------------------------------------------------
No Errors/Warnings found.
– System Event Log ------------------------------------------------------------
Event Record #/Type490 / Warning
Event Submitted/Written: 03/31/2008 06:11:43 PM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 005029031625. The IP address being used is 169.254.236.7.
Event Record #/Type489 / Warning
Event Submitted/Written: 03/31/2008 05:41:44 PM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 005029031625. The IP address being used is 169.254.236.7.
Event Record #/Type452 / Warning
Event Submitted/Written: 03/31/2008 00:09:40 PM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 005029031625. The IP address being used is 169.254.236.7.
Event Record #/Type451 / Warning
Event Submitted/Written: 03/31/2008 00:09:35 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 005029031625. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.
Event Record #/Type448 / Warning
Event Submitted/Written: 03/31/2008 11:50:06 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
– End of Deckard’s System Scanner: finished at 2008-03-31 21:13:08 ------------
[/td][/tr]
and this is main.txt
– System Restore --------------------------------------------------------------
Successfully created a Deckard’s System Scanner Restore Point.
– Last 5 Restore Point(s) –
11: 2008-03-31 19:09:53 UTC - RP11 - Deckard’s System Scanner Restore Point
10: 2008-03-31 17:57:08 UTC - RP10 - Installed SwitchSniffer
9: 2008-03-31 11:09:11 UTC - RP9 - Installed Microsoft Office FrontPage 2003
8: 2008-03-30 19:00:55 UTC - RP8 - Installed jetAudio
7: 2008-03-30 17:29:53 UTC - RP7 - Restore Operation
– First Restore Point –
1: 2008-03-29 22:23:34 UTC - RP1 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
– HijackThis (run as CALYPS0.exe) ---------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:11:40 م, on 31/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\ExtraTools\ExtraDNS\ExtraDNS.dll
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\JetAudio\JetAudio.exe
C:\Documents and Settings\CALYPS0\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\CALYPS0.exe
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O4 - HKLM..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [IMJPMIG8.1] “C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE” /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU..\Run: [Yahoo! Pager] “C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE” -quiet
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKUS\S-1-5-19..\RunOnce: [nlsf] cmd.exe /C move /Y “%SystemRoot%\System32\syssetub.dll” “%SystemRoot%\System32\syssetup.dll” (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-19..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\RunOnce: [nlsf] cmd.exe /C move /Y “%SystemRoot%\System32\syssetub.dll” “%SystemRoot%\System32\syssetup.dll” (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-18..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS\S-1-5-18..\RunOnce: [nlsf] cmd.exe /C move /Y “%SystemRoot%\System32\syssetub.dll” “%SystemRoot%\System32\syssetup.dll” (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)
O4 - HKUS.DEFAULT..\RunOnce: [nlsf] cmd.exe /C move /Y “%SystemRoot%\System32\syssetub.dll” “%SystemRoot%\System32\syssetup.dll” (User ‘Default user’)
O4 - Global Startup: ExtraDNS.lnk = C:\Program Files\ExtraTools\ExtraDNS\ExtraDNS.exe
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip..{009B2296-ED33-4EFF-930B-139924474D6F}: NameServer = 127.0.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 127.0.0.1 149.174.211.5
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 127.0.0.1,149.174.211.5
O17 - HKLM\System\CS1\Services\Tcpip..{009B2296-ED33-4EFF-930B-139924474D6F}: NameServer = 127.0.0.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 127.0.0.1 149.174.211.5
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 127.0.0.1,149.174.211.5
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 127.0.0.1,149.174.211.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 127.0.0.1 149.174.211.5
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
–
End of file - 5272 bytes
– File Associations -----------------------------------------------------------
All associations okay.
– Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R3 NPF (Netgroup Packet Filter) - c:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>
– Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
All services whitelisted.
– Device Manager: Disabled ----------------------------------------------------
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: RAID Controller
Device ID: PCI\VEN_1039&DEV_0180&SUBSYS_810E1043&REV_01\3&267A616A&0&28
Manufacturer:
Name: RAID Controller
PNP Device ID: PCI\VEN_1039&DEV_0180&SUBSYS_810E1043&REV_01\3&267A616A&0&28
Service:
– Files created between 2008-02-29 and 2008-03-31 -----------------------------
2008-03-31 21:11:31 0 d-------- C:\Program Files\Trend Micro
2008-03-31 19:57:12 208896 --a------ C:\WINDOWS\system32\wpcap.dll <Not Verified; Politecnico di Torino; WinPcap wpcap.dll>
2008-03-31 19:57:12 61440 --a------ C:\WINDOWS\system32\WanPacket.dll <Not Verified; CACE Technologies; WinPcap low level NetMon wrapper library>
2008-03-31 19:57:12 53299 --a------ C:\WINDOWS\system32\pthreadVC.dll
2008-03-31 19:57:12 81920 --a------ C:\WINDOWS\system32\packet.dll <Not Verified; CACE Technologies; WinPcap low level packet library>
2008-03-31 19:57:11 32512 --a------ C:\WINDOWS\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>
2008-03-31 19:57:08 0 d-------- C:\Program Files\NextSecurity.NET
2008-03-31 19:35:50 72704 --a------ C:\WINDOWS\system32\Odbctl32.dll <Not Verified; Microsoft Corporation; Microsoft Open Database Connectivity>
2008-03-31 19:35:49 430080 --a------ C:\WINDOWS\system32\Msrepl35.dll <Not Verified; Microsoft Corporation; Microsoft® Access>
2008-03-31 19:35:49 252176 --a------ C:\WINDOWS\system32\Msrd2x35.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-03-31 19:35:49 1056768 --a------ C:\WINDOWS\system32\Msjet35.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-03-31 19:35:48 24848 --a------ C:\WINDOWS\system32\Msjter35.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-03-31 19:35:48 123664 --a------ C:\WINDOWS\system32\Msjint35.dll <Not Verified; Microsoft Corporation; Microsoft® Jet>
2008-03-31 19:35:45 0 d-------- C:\Program Files\ExtraTools
2008-03-31 18:12:36 0 d-------- C:\Program Files\FLVPlayer
2008-03-31 13:06:53 0 dr-h----- C:\MSOCache
2008-03-31 11:10:52 0 d-------- C:\Program Files\Technitium
2008-03-31 11:10:45 102912 --a------ C:\WINDOWS\system32\VB6STKIT.DLL <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2008-03-30 21:22:48 0 d-------- C:\Program Files\SLD Codec Pack
2008-03-30 21:05:36 0 d-------- C:\Documents and Settings\CALYPS0\Application Data\COWON
2008-03-30 21:00:55 0 d-------- C:\Program Files\JetAudio
2008-03-30 19:46:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-03-30 19:35:42 30208 --a------ C:\WINDOWS\system32\wdmioctl.dll <Not Verified; Analog Devices Inc.; Analog Devices Inc. wdmioctl>
2008-03-30 19:35:42 1285632 --a------ C:\WINDOWS\system32\SMMedia.dll <Not Verified; Analog Devices; SoundMAX Integrated Digital Audio>
2008-03-30 19:35:41 978944 --a------ C:\WINDOWS\SynthCoreA.Dll <Not Verified; Analog Devices, Inc.; SoundMAX Wavetable>
2008-03-30 19:35:41 380928 --a------ C:\WINDOWS\SynCor.exe <Not Verified; Analog Devices, Inc.; SynthCore>
2008-03-30 19:35:40 45056 --a------ C:\WINDOWS\system32\SynthCore11Resources.dll <Not Verified; Analog Devices, Inc.; Analog Devices, Inc. SynthCore11Resources>
2008-03-30 19:35:40 40820 --a------ C:\WINDOWS\system32\Syncor11.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>
2008-03-30 19:35:40 49152 --a------ C:\WINDOWS\system32\S11thk32.dll <Not Verified; SoundMAX; Staccato Systems SynthCore R2.0 Synthesizer>
2008-03-30 19:35:39 765952 --a------ C:\WINDOWS\system\crlds3d.dll <Not Verified; Sensaura Ltd; Sensaura 3DPA>
2008-03-30 19:35:36 45056 --a------ C:\WINDOWS\system32\CleanUp.exe <Not Verified; adi; adi CleanUp>
2008-03-30 19:35:35 44 --a------ C:\WINDOWS\system32\msssc.dll
2008-03-30 19:35:35 49152 --a------ C:\WINDOWS\system32\DSndUp.exe <Not Verified; Analog Devices Inc.; adi DSndUp>
2008-03-30 19:35:30 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-30 19:35:25 5824 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2008-03-30 13:17:08 0 d-------- C:\Documents and Settings\CALYPS0\Application Data\BitDefender
2008-03-30 13:16:10 0 d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2008-03-30 11:57:25 0 d-------- C:\Program Files\Common Files\BitDefender
2008-03-30 10:38:17 0 d-------- C:\Documents and Settings\CALYPS0\UserData
2008-03-30 10:35:20 0 d-------- C:\Documents and Settings\CALYPS0\Application Data\IDM
2008-03-30 10:35:18 0 d-------- C:\Documents and Settings\CALYPS0\Application Data\DMCache
2008-03-30 10:35:15 0 d-------- C:\Program Files\Internet Download Manager
2008-03-30 02:10:49 0 d–hs---- C:\WINDOWS\Installer
2008-03-30 02:10:48 0 d-------- C:\Program Files\Common Files\ODBC
2008-03-30 02:10:45 0 dr------- C:\Program Files
2008-03-30 02:10:45 0 d-------- C:\Program Files\Common Files
2008-03-30 02:10:45 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-03-30 02:10:20 34816 --a------ C:\WINDOWS\system32\irclass.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-30 02:10:20 137216 --a------ C:\WINDOWS\system32\EqnClass.Dll <Not Verified; Equinox Systems Inc.; Equinox Multiport Serial Coinstaller>
2008-03-30 02:10:18 33280 --a------ C:\WINDOWS\system32\batt.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-30 02:10:18 69120 --a------ C:\WINDOWS\NOTEPAD.EXE <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-30 02:10:06 0 d–h----- C:\Documents and Settings\Default User\Templates
2008-03-30 02:10:06 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-03-30 02:10:06 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-03-30 02:10:06 0 d–h----- C:\Documents and Settings\Default User\Recent
2008-03-30 02:10:06 0 d–h----- C:\Documents and Settings\Default User\PrintHood
2008-03-30 02:10:06 0 d–h----- C:\Documents and Settings\Default User\NetHood
2008-03-30 02:10:06 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-03-30 02:10:06 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-03-30 02:10:06 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-03-30 02:10:06 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-03-30 02:10:06 0 d—s---- C:\Documents and Settings\Default User\Cookies
2008-03-30 02:10:06 0 d–h----- C:\Documents and Settings\All Users\Templates
2008-03-30 02:10:06 0 dr------- C:\Documents and Settings\All Users\Start Menu
2008-03-30 02:10:06 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-03-30 02:10:06 0 dr------- C:\Documents and Settings\All Users\Documents
2008-03-30 02:10:06 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-03-30 02:08:14 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-03-30 02:08:14 0 d-------- C:\WINDOWS\system32\CatRoot
2008-03-30 02:08:09 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-03-30 02:08:09 0 d—s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-03-30 02:08:09 0 dr-h----- C:\Documents and Settings\All Users\Application Data
2008-03-30 02:08:09 0 d—s---- C:\Documents and Settings\All Users\Application Data\Microsoft
