Scanning Report
09 January 2008 04:04:49 - 04:15:33
Computer name: YOUR-8925166B39
Scanning type: Perform full computer check
Target: C:\ D:\ + system + rootkits
Result: 3 malware found
*** Scanning aborted by user ***

Trojan-Downloader.Win32.Agent.bnm (virus)
* C:\WINDOWS\system32\mstscex.0ll Action: FAILED
* C:\WINDOWS\system32\oleauth32.0ll Action: FAILED
* C:\WINDOWS\system32\drivers\kcp.0ys Action: FAILED

Statistics
Scanned:
* Files: 23410
* Not scanned: 13
Result:
* Viruses: 3
* Spyware: 0
* Suspicious items: 0
* Riskware: 0
Actions:
* Disinfected: 0
* Renamed: 0
* Deleted: 0
* Quarantined: 0
* Failed: 3
Boot Sectors:
* Scanned: 1
* Infected: 0
* Suspicious items: 0
* Disinfected: 0

Files not scanned:
* Cannot open file C:\HIBERFIL.SYS
* Cannot open file C:\PAGEFILE.SYS
* Cannot open file C:\WINDOWS\TEMP\AVP1F8.TMP
* Cannot open file C:\WINDOWS\TEMP\FLA1F1.TMP
* Cannot open file C:\WINDOWS\TEMP\PERFLIB_PERFDATA_83C.DAT
* Cannot open a file in archive C:\WINDOWS\SYSTEM32\BIOS1.ROM
* Cannot open file C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* Cannot open file C:\WINDOWS\SYSTEM32\CONFIG\SAM
* Cannot open file C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* Cannot open file C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* Cannot open file C:\WINDOWS\SYSTEM32\CATROOT2\EDB.LOG
* Cannot open file C:\WINDOWS\SYSTEM32\CATROOT2\TMP.EDB
* Cannot open file C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{7598CE4E-AFD0-4A9D-8BD3-A0F4C6CFC60C}.BIN

Options
Definitions version:
* Viruses: 2008-01-09_01
* Spyware: 2008-01-09_01
Scanning Engines:
* F-Secure AVP: 7.00.171, 2008-01-09
* F-Secure Libra: 2.04.01, 2008-01-09
* F-Secure Orion: 1.02.37, 2008-01-09
* F-Secure Draco: 1.00.35, 2007-11-28
* F-Secure BlackLight: 1.00.64
Scanning options:
* Scan all files
* Scan inside archives
Actions:
* Viruses: Ask after scan
* Spyware: Ask after scan
* Show suspicious items after a full computer check

Error information
"Cannot open file" error occurred:
The "Cannot open file" error message means that the scanner was unable to open a file and that this file was not scanned. You can normally ignore this error message as there are many reasons for this message that do not imply a security threat, including:
* The file was a system file. System files are protected by the operation system by design. You can ignore this message in this case.
* You do not have permission to read the file. To scan the file, log in with a user account with sufficient permissions (for example the computer's administrator account) and rescan.
* The file was in use by an application when the scan was performed. To scan this file, close all applications and rescan.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:36:31 AM, on 1/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\AIM\AIM Pro\aimpro.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsqh.exe
C:\Program Files\Charter High-Speed Security Suite\FSPC\fspc.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguidll.exe
C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsaua.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsus.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis_v2.0.0.0.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AIMPro] "C:\Program Files\AIM\AIM Pro\aimpro.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199750174859
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1199751401250
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 5916 bytes

Try an online scan here:

ESET online scanner: http://www.eset.com/onlinescan/
Uses Internet Explorer only.
Check "YES" to accept terms.
Click the start button.
Allow the ActiveX component to install.
Click the start button. The scanner will update.
Check both "Remove found threats" and "Scan unwanted applications".
When done, you can find the scan log at: C:\Program Files\EsetOnlineScanner\log.txt

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2790 (20080114)
# vers_arch_module=1.061 (20080110)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=89984b3a350a8d4daf7e177fdb3790ed
# end=finished
# remove_checked=true
# unwanted_checked=false
# utc_time=2008-01-14 11:01:51
# local_time=2008-01-14 03:01:51 (-0800, Pacific Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=368023
# found=1
# scan_time=5607
C:\WINDOWS\system32\drivers\kcp.0ys Win32/Agent.NHJ trojan (unable to clean - deleted) 00000000000000000000000000000000