Avast WEBforum

Other => Viruses and worms => Topic started by: St.Anger_561_ on April 17, 2009, 11:32:28 PM

Title: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updating, Sad But True
Post by: St.Anger_561_ on April 17, 2009, 11:32:28 PM
Hello, I am having some issues with my cpu.  I hope someone can help me, please!!   :'(

Recently my avast would not update; it kept saying "Package was broken" when I attempted to update, so I updated by downloading the update file from the avast website.  My cpu subsequently has been having all kinds of problems.  My web browsers keep crashing (both Firefox and IE), although it does not happen every time I am on the internet.  It is extremely annoying!!!!!    >:(

Also sometimes my browser will do this:  when I do a google search and click on a website, my browser seems like it is redirected to another site pertaining to my search terms and I have to click back on my browser to get to the site that I clicked on from my websearch, if that makes sense.   >:(

Furthermore, once I did update avast manually, I ran a scan and it found nothing, but then I ran a boot scan and it found the following:

JS: FakeAV-F [trJ]
JS: FakeAV-G [trJ]
TRJ[GEN]

There are files that Avast deleted on the boot scan; however, I am STILL having the issues with the browser, and avast is not updating automatically. I have to manually download the update from the avast website directly.

Also, during the boot scan it told me that my avast4/data/report/aswboot.txt - Installer archive is corrupted, whatever that means....   >:(

And during the boot scan I have two zip files that came up with Error 42125 (ZIP archive is corrupted)  >:(   >:(

I tried to manually delete these files using this awesome Eraser program that I have, but when I right-click, for some reason it will not come up when I am in those particular folders, if that makes sense.     >:(

I also was getting a windows error for Win32:GenericHostServices, any ideas? 

I sent that error report to Microsoft, whatever that message means.     >:(

Finally, I will be posting some logs below; let's start with this one....

avast! Virus Cleaner Tool - version 1.0.211 Unicode

Creating log file: C:\Documents and Settings\All Users\Documents\ShareNetVideo\aswclnr.log

4/17/2009, 1:32:08 AM
Memory scanning started...
No virus body found in memory.
Memory scanning finished (7.2s).
----------
Files scanning started...
C:\Documents and Settings\Cecilia Canyas\Application Data\Mozilla\Firefox\Profiles\qzsfvoya.default\sessionstore.js... file could not be scanned!
C:\Documents and Settings\Cecilia Canyas\Local Settings\Temporary Internet Files\Content.IE5\OS5M5D38\bc_2.0.4[1].js... file could not be scanned!
C:\Documents and Settings\Levent Canyas\Application Data\Mozilla\Firefox\Profiles\0yyypzpn.default\places.sqlite-journal... file could not be scanned!
C:\Program Files\Alwil Software\Avast4\Setup\part-vps-7110800.vpu... file could not be scanned!
C:\System Volume Information\tracking.log... file could not be scanned!
C:\WINDOWS\Temp\TMP0000002A25C1339356D519AC... file could not be scanned!
No virus body found.
Files scanning finished  (101792 files, 0 infected, 2257.1s).
Drives scanned: C:
----------

Of the above files, I went to the website www.virustotal.com and, of the 6 files that could not be scanned, they all said 0 bytes received when I tried to upload (which is odd because the last file under WINDOWS\Temp showed as a 512kb file)  >:(  >:(  EXCEPT I was able to upload the file places.sqlite-journal, and virustotal had a 0/40 hit, and also the tracking.log file, which I was able to upload and it had a 0/39 hit, so I guess that is good..?   ???

Below is an avast log from the bootscan, I believe:

04/09/2009 23:49
Scan of all local drives

File C:\Documents and Settings\All Users\Documents\ShareNetVideo\MusicManager.exe.part\$INSTDIR\Downloads\selectrebatessetup_tx1003.exe\[Embedded_R#1d700] is infected by Win32:Trojan-gen {Other}, Deleted
File C:\Documents and Settings\Cecilia Canyas\Local Settings\Temp\GLB99.tmp\Wise0003.bin Error 42146 {Installer archive is corrupted.}
File C:\Documents and Settings\Cecilia Canyas\Local Settings\Temp\GLBE.tmp\Wise0003.bin Error 42146 {Installer archive is corrupted.}
File C:\Documents and Settings\Cecilia Canyas\Local Settings\Temporary Internet Files\Content.IE5\87Q6JUEE\3[1].htm is infected by JS:FakeAV-K [trj], Deleted
File C:\Documents and Settings\Cecilia Canyas\Local Settings\Temporary Internet Files\Content.IE5\91FWE2BQ\flist000[1].js is infected by JS:FakeAV-G [trj], Deleted
File C:\Documents and Settings\Levent Canyas\My Documents\Bro\Road_Trip_March_2004.zip\Caught ya (Large).JPG Error 42125 {ZIP archive is corrupted.}
File C:\Documents and Settings\Levent Canyas\My Documents\Bro\Road_Trip_March_20042.zip\Melissa and I (Large).JPG Error 42125 {ZIP archive is corrupted.}
Number of searched folders: 11318
Number of tested files: 956097
Number of infected files: 3


Title: Re: JS:FakeAV-K[TRJ] , -F, -G [TRJ], TRJ[GEN], help please!!! avast will not update
Post by: St.Anger_561_ on April 17, 2009, 11:38:42 PM
Finally, I am posting a current HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:33:30 PM, on 4/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Levent Canyas\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hometabl.bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
Title: Re: JS:FakeAV-K[TRJ] , -F, -G [TRJ], TRJ[GEN], help please!!! avast will not update
Post by: St.Anger_561_ on April 17, 2009, 11:39:29 PM
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab
O16 - DPF: {02CA9974-B6AC-497E-A371-73580432B0F6} (Eyeball Video Message Control) - http://imlive.com/ChatSource/gVideoContol.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124fd.bay124.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145927023781
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (Yahoo! MailTo) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.2) -
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livemetallica.com/nugster/dlControl.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{8ED412C0-6CA1-43D5-A584-2A41E154CB5A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7F3EB81-4190-41B1-8527-EAC21B3079E9}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE



I have used this forum before, a long time ago, when I had a similar problem with TROJANS, but I do not remember how I resolved it, other than that I think Avast is the best antivirus and it was the only one that could help me before. Now I am very  :-\  and  >:( and  ???

My thought was to uninstall avast and try another antivirus program, but honestly I really would rather not do this because I still have faith.   :)

I appreciate your time, knowledge, guidance, and expertise and I look forward to hearing from anyone and am open to most any suggestion to resolve this matter (besides a system restore or a wipe of the hard drive).

Thank you,

St.Anger 561  >:(


Title: Re: JS:FakeAV-K[TRJ] , -F, -G [TRJ], TRJ[GEN], help please!!! avast will not update
Post by: St.Anger_561_ on April 17, 2009, 11:44:13 PM
Almost immediately after my last post I got this error again:

Generic Host Process for Win32 Services has encountered an error and needs to close   >:( >:( >:(

I am a college graduate, but computers are not my area of expertise.
Title: Re: JS:FakeAV-K[TRJ] , -F, -G [TRJ], TRJ[GEN], help please!!! avast will not update
Post by: !Donovan on April 18, 2009, 12:21:06 AM
Quote from: St.Anger_561_
Also sometimes my browser will do this:  when I do a google search and click on a website, my browser seems like it is redirected to another site pertaining to my search terms and I have to click back on my browser to get to the site that I clicked on from my websearch, if that makes sense.

That can be fixed by editing the hosts file. (Unless the virus changes the hosts file again every few seconds...)

Instructions for Windows XP:
1. Go to "C:\WINDOWS\system32\drivers\etc" on your computer.
2. Open the hosts file in Notepad.
3. Delete everything in the file.
4. (Maybe don't close it, but save it and type something like "#A" so maybe the virus can't modify it.)
5. Try opening Internet Explorer and search. (Maybe it automatically changes when you open IE or Firefox.)
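A defender-side check for the step above, added here as an example and not part of !Donovan's post or of any avast tool: it parses a hosts file, ignores comments (so a file reduced to "#A" reads as clean) and reports every mapping a stock Windows XP hosts file would not carry, telling a redirect to another host apart from a site blocked via loopback. The sample file, the 10.11.12.13 address and the list of protected vendor domains (built from the sites named in this thread) are constructed assumptions.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample hosts file (not from the poster's machine): the 10.11.12.13 address
# and the mappings below are made up to show what a hijacked file can look like.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
10.11.12.13     www.avast.com avast.com      # update server redirected elsewhere
10.11.12.13     www.virustotal.com
127.0.0.1       www.google.com               # search engine sinkholed to loopback
::1             localhost
"""

# Assumption for this example: vendor sites named in the thread that a home PC's hosts
# file should never map at all.
PROTECTED_SUFFIXES = ("avast.com", "virustotal.com", "google.com", "microsoft.com",
                      "kaspersky.com", "trendmicro.com", "emsisoft.com", "mcafee.com")

# The only names a freshly installed Windows hosts file maps (to loopback).
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; '#' comments, blank and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an address: Windows ignores the line, so do we
        entries.extend((ip, name.lower()) for name in names)
    return entries


def is_protected(name: str) -> bool:
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def suspicious_entries(text: str) -> List[Tuple[str, str, str]]:
    """Every (ip, hostname, reason) a stock Windows XP hosts file would not contain."""
    findings = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if name in LOCAL_NAMES and addr.is_loopback:
            continue  # the stock entries
        if is_protected(name) and addr.is_loopback:
            reason = "protected domain blocked via loopback"
        elif is_protected(name):
            reason = "protected domain redirected to another host"
        elif addr.is_loopback:
            reason = "name blocked via loopback"
        else:
            reason = "name redirected to another host"
        findings.append((ip, name, reason))
    return findings


def is_clean(text: str) -> bool:
    """True when the file carries only comments and the stock loopback entries."""
    return not suspicious_entries(text)


if __name__ == "__main__":
    for ip, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{ip:<16} {name:<22} {reason}")
```

Run it against the contents of C:\WINDOWS\system32\drivers\etc\hosts before deleting anything, so you keep a record of what the hijacker wrote there.
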
Title: Re: JS:FakeAV-K[TRJ] , -F, -G [TRJ], TRJ[GEN], help please!!! avast will not update
Post by: YoKenny on April 18, 2009, 12:32:39 AM
Download the latest level of HijackThis v2.0.2 and install it to the default location, NOT the Desktop, as your Desktop will become cluttered with backup log files:
http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html

Then run a scan after all browser windows are closed, select the following, then click Fix checked to remove these items:
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)

Post a new HijackThis log.
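
A small parser for the selection rule YoKenny applies above, added as an example here and not part of HijackThis or of the post: it pulls every entry flagged "(file missing)" or "(no file)" out of a log (YoKenny's list covers only the first marker) and marks the ones whose target still contains a double quote, a pattern the v1.99.1 log above shows only for services with quoted command lines. The sample lines are copied from the log posted earlier in the thread; the quote heuristic is an assumption of this example.

```python
import re
from typing import Dict, List

# Sample lines copied from the HijackThis v1.99.1 log posted earlier in this thread,
# plus one healthy O23 line for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
"""

# Every HijackThis entry starts with a section code such as R1, O4 or O23.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
MARKERS = ("(file missing)", "(no file)")


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Split a log into {'section', 'body'} records, ignoring headers and blank lines."""
    records = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            records.append({"section": m.group("section"), "body": m.group("body")})
    return records


def orphaned_entries(text: str) -> List[Dict[str, object]]:
    """Entries whose target no longer exists on disk, i.e. the ones a helper usually
    asks the poster to 'Fix checked'."""
    findings = []
    for rec in parse_hjt(text):
        body = rec["body"]
        marker = next((m for m in MARKERS if body.endswith(m)), None)
        if marker is None:
            continue
        # The target is the last ' - ' separated field, minus the marker itself.
        target = body.rsplit(" - ", 1)[-1][: -len(marker)].strip()
        # Heuristic (an assumption of this example): a double quote inside the target
        # means the log printed a quoted command line with arguments, which HijackThis
        # v1.99.1 could not resolve; the v2.0.2 log later in the thread shows the same
        # avast and Java services without the marker, so such hits may be spurious.
        findings.append({
            "section": rec["section"],
            "marker": marker,
            "target": target,
            "likely_parse_artifact": '"' in target,
        })
    return findings


if __name__ == "__main__":
    for f in orphaned_entries(SAMPLE_LOG):
        flag = " (check: quoted command line)" if f["likely_parse_artifact"] else ""
        print(f'{f["section"]:<4} {f["marker"]:<15} {f["target"]}{flag}')
```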

Title: Re: JS:FakeAV-K[TRJ] , -F, -G [TRJ], TRJ[GEN], help please!!! avast will not update
Post by: St.Anger_561_ on April 18, 2009, 03:43:19 AM
Here is the most recent log. I only removed the O23 - Service: iPod Service and the O23 - Service: NMIndexingService, because those were the only two that came up with (file missing) when I ran the HijackThis program prior to the repairs; that generated the following log:

C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hometabl.bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
Title: Re: JS:FakeAV-K[TRJ] , -F, -G [TRJ], TRJ[GEN], help please!!! avast will not update
Post by: St.Anger_561_ on April 18, 2009, 03:43:40 AM
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab
O16 - DPF: {02CA9974-B6AC-497E-A371-73580432B0F6} (Eyeball Video Message Control) - http://imlive.com/ChatSource/gVideoContol.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124fd.bay124.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145927023781
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (Yahoo! MailTo) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.2) -
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livemetallica.com/nugster/dlControl.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{8ED412C0-6CA1-43D5-A584-2A41E154CB5A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7F3EB81-4190-41B1-8527-EAC21B3079E9}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE

--
End of file - 11001 bytes


As an aside, I tried to update to IE8.0, but the installer program would not finish; it kept saying "downloading updates", I am guessing because of this trojan?  Thanks again.
Title: Re: JS:FakeAV-K[TRJ] , -F, -G [TRJ], TRJ[GEN], help please!!! avast will not update
Post by: St.Anger_561_ on April 18, 2009, 03:49:10 AM
Quote from: !Donovan
That can be fixed by editing the hosts file. (Unless the virus changes the hosts file again every few seconds...)

Instructions for Windows XP:
1. Go to "C:\WINDOWS\system32\drivers\etc" on your computer.
2. Open the hosts file in Notepad.
3. Delete everything in the file.
4. (Maybe don't close it, but save it and type something like "#A" so maybe the virus can't modify it.)
5. Try opening Internet Explorer and search. (Maybe it automatically changes when you open IE or Firefox.)

I did what you were asking here and opened the hosts file, deleted everything (wow, there was a lot of stuff in there!!), then I saved the file as host_#A and performed a web search, but I do not know what effect this had on the original hosts file.  The new one I saved remained blank; is that what you meant?

Thanks again for your time and for looking at this everyone. 
Title: Re: JS:FakeAV-K[TRJ] , -F, -G [TRJ], TRJ[GEN], help please!!! avast will not update
Post by: St.Anger_561_ on April 18, 2009, 02:01:58 PM
Hey, good morning people out there reading this. I updated to IE8.0 (finally!!)

However, after I updated I got the Generic Host Process for Win32 Services error again (sent error report).

I saw on another post about trj[GEN] a website that checks your cpu for updates.

I did update my Java, but there were several items (notably Adobe) that it said were "vulnerable" because I did not have the most recent update.

I am going to update all of those this am.  My browser has not been redirected or crashed on me, yet, but when I try to update avast through the program I am still getting "package is broken"

When I clicked "View Log" this is what Avast shows me:   What does it all mean??  ???  ???
18.04.2009 07:59:16 general: Started: 18.04.2009, 07:59:16
18.04.2009 07:59:16 general: Running setup_av_pro-537 (1335)
18.04.2009 07:59:16 system: Operating system: WindowsXP ver 5.1, build 2600, sp 3.0 [Service Pack 3]
18.04.2009 07:59:16 system: Memory: 55% load. Phys:582260/1308672K free, Page:778236/1553724K free, Virt:2069344/2097024K free
18.04.2009 07:59:16 system: Computer WinName: D3Z3PF41
18.04.2009 07:59:16 system: Windows Net User: D3Z3PF41\Levent Canyas
18.04.2009 07:59:16 general: Cmdline: /downloadpkgs /noreboot /updatevps /silent /progress 
18.04.2009 07:59:16 general: DldSrc set to inet
18.04.2009 07:59:16 general: Operation set to INST_OP_UPDATE_GET_PACKAGES
18.04.2009 07:59:16 general: Old version: 537 (1335)
18.04.2009 07:59:16 registry: Deleted registry: Software\Alwil Software\Avast\4.0\UpdateReady
18.04.2009 07:59:16 system: Using temp: C:\DOCUME~1\LEVENT~1\LOCALS~1\Temp\_av_proI.tm~a02748 (32446M free)
18.04.2009 07:59:16 general: SGW32P::CheckIfInstalled set m_bAlreadyInstalled to 1
18.04.2009 07:59:16 internet: SYNCER: Agent=Syncer/4.80 (av_pro-1335;p)
18.04.2009 07:59:16 system: Computer DnsName: D3Z3PF41
18.04.2009 07:59:16 system: Computer Ip Addr: 192.168.1.96
18.04.2009 07:59:16 system: Installed in: C:\Program Files\Alwil Software\Avast4 (32446M free)
18.04.2009 07:59:16 internet: SYNCER: Type: use IE settings
18.04.2009 07:59:16 internet: SYNCER: Auth: another authentication, use WinInet
18.04.2009 07:59:16 package: Part prg_av_pro-537 is installed
18.04.2009 07:59:16 package: Part vps-9041300 is installed
18.04.2009 07:59:16 package: Part news-4f is installed
18.04.2009 07:59:16 package: Part setup_av_pro-537 is installed
18.04.2009 07:59:16 package: Part jrog-e1 is installed
18.04.2009 07:59:16 general: Old version: 537 (1335)
18.04.2009 07:59:16 general: GUID: ecb7bf8d-ad96-4921-8ba9-ede68d7d1fa6
18.04.2009 07:59:17 general: Server definition(s) loaded for 'main': 266 (maintenance:0)
18.04.2009 07:59:17 general: SelectCurrent: selected server 'Download734 AVAST Server' from 'main'
18.04.2009 07:59:17 internet: SYNCER: Type: use IE settings
18.04.2009 07:59:17 internet: SYNCER: Auth: another authentication, use WinInet
18.04.2009 07:59:17 general: Entered SetupProcessPro::Do( INST_OP_UPDATE_GET_PACKAGES )
18.04.2009 07:59:17 general: Entered SetupProcessWin32Avast::Do( INST_OP_UPDATE_GET_PACKAGES )
18.04.2009 07:59:17 general: Entered SetupProcessWin32::Do( INST_OP_UPDATE_GET_PACKAGES )
18.04.2009 07:59:17 general: Entered SetupProcess::Do( INST_OP_UPDATE_GET_PACKAGES )
18.04.2009 07:59:17 general: progress thread start
18.04.2009 07:59:17 internet: SYNCER: Agent=Syncer/4.80 (av_pro-1335;f)
18.04.2009 07:59:38 internet: Used server: http://download734.avast.com/iavs4x
18.04.2009 07:59:53 internet: Used server: http://download734.avast.com/iavs4x
18.04.2009 07:59:53 file: GetFileWithRetry: servers.def.vpu downloaded .
18.04.2009 07:59:53 file: GetNewerStampedFile:DSA_FileVerify(C:\DOCUME~1\LEVENT~1\LOCALS~1\Temp\_av_proI.tm~a02748\onefile), error: 0x2000000B
18.04.2009 07:59:53 package: Download servers.def, servers.def.vpu failed with error 0x20000011.
18.04.2009 08:00:08 internet: Used server: http://download734.avast.com/iavs4x
18.04.2009 08:00:24 internet: Used server: http://download734.avast.com/iavs4x
18.04.2009 08:00:24 file: GetFileWithRetry: servers.def downloaded .
18.04.2009 08:00:24 file: GetNewerStampedFile:DSA_FileVerify(C:\DOCUME~1\LEVENT~1\LOCALS~1\Temp\_av_proI.tm~a02748\onefile), error: 0x2000000B
18.04.2009 08:00:24 package: Tried to download servers.def but failed with error 0x20000011.
18.04.2009 08:00:24 package: LoadAllDefs failed 0x20000011
18.04.2009 08:00:24 general: Err:The package is broken
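The log above records two files arriving ("downloaded") and each being rejected by DSA_FileVerify before the updater reports "The package is broken". The following Python is an added example, not part of the thread or of avast, that parses log lines of that shape and separates an integrity failure (content received, signature check failed) from a plain download failure; the sample logs are constructed in the same format and the temp path is a placeholder.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in the shape of the avast 4 setup log quoted above
# (same message formats, shortened; path and user name are placeholders).
SAMPLE_LOG = r"""
18.04.2009 07:59:17 internet: SYNCER: Type: use IE settings
18.04.2009 07:59:38 internet: Used server: http://download734.avast.com/iavs4x
18.04.2009 07:59:53 file: GetFileWithRetry: servers.def.vpu downloaded .
18.04.2009 07:59:53 file: GetNewerStampedFile:DSA_FileVerify(C:\DOCUME~1\USER\Temp\onefile), error: 0x2000000B
18.04.2009 07:59:53 package: Download servers.def, servers.def.vpu failed with error 0x20000011.
18.04.2009 08:00:24 file: GetFileWithRetry: servers.def downloaded .
18.04.2009 08:00:24 file: GetNewerStampedFile:DSA_FileVerify(C:\DOCUME~1\USER\Temp\onefile), error: 0x2000000B
18.04.2009 08:00:24 package: Tried to download servers.def but failed with error 0x20000011.
18.04.2009 08:00:24 package: LoadAllDefs failed 0x20000011
18.04.2009 08:00:24 general: Err:The package is broken
"""

# Constructed contrast case: the server was contacted but nothing was ever
# downloaded, so the same final message would point at connectivity instead.
SAMPLE_NO_DOWNLOAD = r"""
18.04.2009 07:59:38 internet: Used server: http://download734.avast.com/iavs4x
18.04.2009 08:00:24 package: Download servers.def, servers.def.vpu failed with error 0x20000011.
18.04.2009 08:00:24 general: Err:The package is broken
"""

LINE_RE = re.compile(r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) (\w+): (.*)$")
DOWNLOADED_RE = re.compile(r"GetFileWithRetry: (\S+) downloaded")
VERIFY_RE = re.compile(r"DSA_FileVerify\((.*)\), error: (0x[0-9A-Fa-f]+)")
PKG_FAIL_RE = re.compile(r"failed(?: with error)? (0x[0-9A-Fa-f]+)")
FINAL_RE = re.compile(r"^Err:(.*)$")


@dataclass
class UpdateDiagnosis:
    servers: list = field(default_factory=list)
    downloaded: list = field(default_factory=list)        # files that arrived
    verify_failures: list = field(default_factory=list)   # (path, error code)
    package_errors: list = field(default_factory=list)    # package-level codes
    final_error: str = ""

    @property
    def verdict(self):
        """Coarse classification of why the updater gave up."""
        if not self.final_error:
            return "ok"
        if self.downloaded and self.verify_failures:
            # Content was received but its DSA signature check rejected it:
            # an integrity problem (corrupt or substituted file), not an outage.
            return "integrity"
        if not self.downloaded:
            return "no-download"
        return "unknown"


def diagnose(log_text):
    """Walk the setup log once and collect the events that explain the outcome."""
    d = UpdateDiagnosis()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        _ts, component, msg = m.groups()
        if component == "internet" and msg.startswith("Used server: "):
            server = msg[len("Used server: "):]
            if server not in d.servers:
                d.servers.append(server)
        elif component == "file":
            got = DOWNLOADED_RE.search(msg)
            bad = VERIFY_RE.search(msg)
            if got:
                d.downloaded.append(got.group(1))
            elif bad:
                d.verify_failures.append((bad.group(1), bad.group(2)))
        elif component == "package":
            err = PKG_FAIL_RE.search(msg)
            if err:
                d.package_errors.append(err.group(1))
        elif component == "general":
            fin = FINAL_RE.match(msg)
            if fin:
                d.final_error = fin.group(1)
    return d


if __name__ == "__main__":
    for text in (SAMPLE_LOG, SAMPLE_NO_DOWNLOAD):
        d = diagnose(text)
        print(d.verdict, d.downloaded, d.verify_failures, d.final_error)
```

A verdict of "integrity" means the updater is doing its job: it refuses definitions whose signature does not verify, so the fix is to find what is corrupting or substituting the downloaded files rather than to bypass the check.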
Title: Re: JS:FakeAV-K[TRJ] , -F, -G [TRJ], TRJ[GEN], help please!!! avast will not update
Post by: St.Anger_561_ on April 18, 2009, 02:03:11 PM
Additionally I went into windows update after updating to IE 8.0 and this is what it tells me I need to update:

 
Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework 3.5 Family Update (KB951847) x86
Download size: 248.4 MB , less than 1 minute
Microsoft .NET Framework 3.5 Service Pack 1 is a full cumulative update that contains many new features building incrementally upon .NET Framework 2.0, 3.0, 3.5, and includes cumulative servicing updates to the .NET Framework 2.0 and .NET Framework 3.0 subcomponents. The .NET Framework 3.5 Family Update provides important application compatibility updates.  Details...
Don't show this update again
 
Security Update for Microsoft .NET Framework, Version 1.1 Service Pack 1 (KB928366)

I am really CONFUSED because I am using sp3, why does it say I need this second update for Service Pack 1??   Any ideas...?  thanks again
Title: Re: JS:FakeAV-K[TRJ] , -F, -G [TRJ], TRJ[GEN], help please!!! avast will not update
Post by: St.Anger_561_ on April 18, 2009, 02:09:28 PM
Yeah my browser is still messed up!!!!    >:(   >:(   >:(   

I tried to run adaware se personal and that program started, but it also would not update.

I tried to do a search for adaware se personal, but when I clicked on the link I was redirected to a website for "City Search", which is not what I clicked on    >:(    >:(    >:(   

I had to click back on my browser a few times, this is really annoying, can anyone help me please?!?

Thanks in advance for your expertise.
Title: Re: JS:FakeAV-K[TRJ] , -F, -G [TRJ], TRJ[GEN], help please!!! avast will not update
Post by: micky77 on April 18, 2009, 02:47:33 PM
I see you have SAS, try to update and scan, also download MBAM, if you need to use another pc download the updates too. Transfer to bad pc, install MBAM then exit. Double click update files to update both programs. I don't think you should be messing with the host file. There are programs like Hostsxpert to clear bad entries. If you have renamed the file, I would rename it to its original name:    hosts

Please post back with progress on MBAM and SAS.

SAS UPDATES for 4.2.6.100 http://www.superantispyware.com/definitions.html

MBAM http://filehippo.com/download_malwarebytes_anti_malware/

MBAM UPDATES http://www.gt500.org/malwarebytes/database.jsp
Title: Re: JS:FakeAV-K[TRJ] , -F, -G [TRJ], TRJ[GEN], help please!!! avast will not update
Post by: St.Anger_561_ on April 18, 2009, 06:00:53 PM
ok' dokey status update, I have the new Ad-aware Anniversary Edition Installed (finally).  It wasn't installing properly at first (perhaps some conflict w/my Ad-Aware SE?)

By the way, during the Installation of the AE it told me that it had to remove Adaware SE-Personal, but now when I go under start>>Programs>>Lavasoft It lists both the Ad-Aware SE Personal and the new Ad-Aware, should I try running the uninstall for Ad-Aware SE Personal ?    ???

Also here is what the new Ad-Aware found: Pattern of Dropper DR/Sahat.AS. It quarantined two files, they were UVFDInstaller.exe, whatever that is.

I am pretty sure this hijacker is still active b/c when I tried to type in avast forum it redirected me to another site when I clicked on the search result links, and I had to hit back again.

I have to exit IE to run the install of the MB program, be back soon.  Thanks again.

Title: Re: JS:FakeAV-K[TRJ] , -F, -G [TRJ], TRJ[GEN], help please!!! avast will not update
Post by: micky77 on April 18, 2009, 06:13:10 PM
Forget about Ad-Aware, it's lame. Concentrate on MBAM and SAS.
Title: Re: JS:FakeAV-K[TRJ] , -F, -G [TRJ], TRJ[GEN], avast will not update
Post by: St.Anger_561_ on April 18, 2009, 06:30:44 PM
Here is my malware bytes log that I just ran.  I don't know if it deleted the files at the bottom on reboot, it seemed like my computer rebooted like it normally does, so I am running malware again to see what it finds.

Database version: 1945
Windows 5.1.2600 Service Pack 3

4/18/2009 12:21:18 PM
mbam-log-2009-04-18 (12-21-18).txt

Scan type: Quick Scan
Objects scanned: 110574
Time elapsed: 17 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Windows\pguard.ini (Rogue.InternetAntivirus) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Windows\pg32.exe (Rogue.InternetAntivirus) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Internet Explorer\iv.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Internet Explorer\procgdsj32.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\sessmgr.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\spoolsv.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Windows\sav.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Windows\services.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Windows\procgdwh32.exe (Rogue.InternetAntivirus) -> Delete on reboot.
Title: Re: JS:FakeAV-K[TRJ] , -F, -G [TRJ], TRJ[GEN], avast will not update
Post by: St.Anger_561_ on April 18, 2009, 06:31:56 PM
I did notice another thing, my msconfig.exe keeps starting up due to a modified boot.ini because I am not loading up all the startup items, I guess?  I don't know if that is important or not, thanks again
Title: Re: JS:FakeAV-K[TRJ] , -F, -G [TRJ], TRJ[GEN], avast will not update
Post by: St.Anger_561_ on April 18, 2009, 06:46:27 PM
Here is the current scan, I will try to reboot again and hopefully it will clear or do something this time

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

4/18/2009 12:45:23 PM
mbam-log-2009-04-18 (12-45-23).txt

Scan type: Quick Scan
Objects scanned: 110319
Time elapsed: 18 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Windows\pguard.ini (Rogue.InternetAntivirus) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Windows\pg32.exe (Rogue.InternetAntivirus) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Internet Explorer\iv.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Internet Explorer\procgdsj32.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\sessmgr.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\spoolsv.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Windows\sav.exe (Fake.Dropped.Malware) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Windows\services.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Windows\procgdwh32.exe (Rogue.InternetAntivirus) -> Delete on reboot.
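The two MBAM logs above list the same nine files as "Delete on reboot" both before and after the reboot, which is the signal that the deferred removal did not take effect. As an added example (not from the thread or from Malwarebytes), this Python parses logs in that format and compares two consecutive scans so that items still pending, resolved, or new are reported explicitly; the sample logs are constructed, shortened versions of the ones posted.

```python
import re

# Constructed, shortened versions of the two MBAM logs posted above: the same
# three file paths appear in both, still marked "Delete on reboot" after the reboot.
SCAN_BEFORE_REBOOT = r"""
Malwarebytes' Anti-Malware 1.36
Database version: 1945

Registry Keys Infected: 1
Files Infected: 3

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Windows\pg32.exe (Rogue.InternetAntivirus) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\sessmgr.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Windows\services.exe (Trojan.FakeAlert) -> Delete on reboot.
"""

SCAN_AFTER_REBOOT = r"""
Malwarebytes' Anti-Malware 1.36
Database version: 1945

Registry Keys Infected: 0
Files Infected: 3

Registry Keys Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Windows\pg32.exe (Rogue.InternetAntivirus) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\sessmgr.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\TEMP\Local Settings\Application Data\Microsoft\Windows\services.exe (Trojan.FakeAlert) -> Delete on reboot.
"""

# A section header is "<Something> Infected:" with nothing after the colon;
# the summary lines near the top carry a count and therefore do not match.
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
FINDING_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+?)\.?$")
PENDING = "Delete on reboot"


def parse_mbam_log(text):
    """Return {section: {item: (detection_name, action)}} for one MBAM log."""
    findings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        head = SECTION_RE.match(line)
        if head:
            section = head.group(1)
            findings.setdefault(section, {})
            continue
        if section is None or not line or line.startswith("(No malicious"):
            continue
        hit = FINDING_RE.match(line)
        if hit:
            item, name, action = hit.groups()
            findings[section][item] = (name, action)
    return findings


def compare_scans(earlier, later):
    """Classify every item across two consecutive scans of the same host."""
    before, after = parse_mbam_log(earlier), parse_mbam_log(later)
    flat_before = {i: v for sec in before.values() for i, v in sec.items()}
    flat_after = {i: v for sec in after.values() for i, v in sec.items()}
    return {
        # Scheduled for removal last time and still scheduled now: the deferred
        # delete never took effect, so the host must not be treated as clean.
        "still_pending": sorted(i for i, (_, act) in flat_after.items()
                                if act == PENDING and i in flat_before),
        "resolved": sorted(i for i in flat_before if i not in flat_after),
        "new": sorted(i for i in flat_after if i not in flat_before),
    }


if __name__ == "__main__":
    result = compare_scans(SCAN_BEFORE_REBOOT, SCAN_AFTER_REBOOT)
    for key, items in result.items():
        print(f"{key}: {len(items)}")
        for item in items:
            print("   ", item)
```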
Title: Re: JS:FakeAV-K[TRJ] , -F, -G [TRJ], TRJ[GEN], avast will not update
Post by: St.Anger_561_ on April 19, 2009, 05:39:25 PM
 ???   Update time, here is what I have done thus far:

I went into safe mode and tried to run avast, but it would not load up completely.  I did run Spybot S&D in safe mode (nothing found) and malwarebytes in safe mode (nothing found), Adaware (nothing found), now I am in safe/network mode so I can go online.

My checkdisk utility would not work completely so I had to run it at reboot after safe mode.  Checkdisk then "Deleted Index Entries" in $I30, whatever that means, and also "orphaned file client" for 2 files into two directory files, whatever that means.

After this chkdisk said it was verifying UsnJournal, and that seemed it was ok, during boot up and then it rebooted and chkdisk ran ok and complete without any issues.

After this I defrag'ed my hard drive, not completely since it took about 6 hours to defrag it approx. 30%.  I also changed my password while I was offline, however I do not think I removed the trojan since Malware bytes never ran on reboot previously.

I have tried to load up avast in safe mode, but it will not load completely.  It shows me that it is loaded but AvastSimpleUserInterface is loaded and running in the task manager in safe mode, but when I click "Switch to" nothing happens.   ???

Anyway I just ran malware bytes, in safe/network mode, but it showed me no infections...which is great!  I think, hehe. I

Does anyone have any additional suggestions?  I tried to learn about fixing this myself but I think I am in deep with this trojan and I am worried I am going to have to reformat...   >:(   >:(

Thanks in advance
Title: Re: JS:FakeAV-K[TRJ] , -F, -G [TRJ], TRJ[GEN], avast will not update
Post by: St.Anger_561_ on April 19, 2009, 05:46:22 PM
 >:(  Ok this stupid trojan thing or whatever is in my system is still active and redirecting my browser.

I am having car problems (yes that was just my life, lately), which is another story since I am about to throw in the towel, worried my ride has reached the end of the line too, but I digress.

Anyway I just did a search, again I am in safe mode w/networking, for an automotive forum via google.  I clicked on the link for this carjunky website, then I get a popup saying I am about to be redirected to a new site, and it takes me to EDMUNDS.com  >:(

I had to hit back on my browser to get me back to the car junky website.  Also my windows defender will not update either...is that related?  I will run another hijack log now, I suppose..
Title: Re: JS:FakeAV-K[TRJ] , -F, -G [TRJ], TRJ[GEN], avast will not update
Post by: St.Anger_561_ on April 19, 2009, 05:50:10 PM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:49:26 AM, on 4/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\taskmgr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
Title: Re: JS:FakeAV-K[TRJ] , -F, -G [TRJ], TRJ[GEN], avast will not update
Post by: St.Anger_561_ on April 19, 2009, 05:51:12 PM
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab
O16 - DPF: {02CA9974-B6AC-497E-A371-73580432B0F6} (Eyeball Video Message Control) - http://imlive.com/ChatSource/gVideoContol.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124fd.bay124.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145927023781
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (Yahoo! MailTo) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.2) -
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livemetallica.com/nugster/dlControl.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{8ED412C0-6CA1-43D5-A584-2A41E154CB5A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7F3EB81-4190-41B1-8527-EAC21B3079E9}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE

--
End of file - 10498 bytes

I am going to do some further reading in the other posts, I am sure someone else must have had a similar problem.  Thanks again
Title: Re: JS:FakeAV-K[TRJ] , -F, -G [TRJ], TRJ[GEN], avast will not update
Post by: micky77 on April 19, 2009, 05:55:04 PM
Just 2 brief questions: are MBAM scans in normal mode all clear? Also, did you manually update SAS and scan?
Title: Re: JS:FakeAV-K[TRJ] , -F, -G [TRJ], TRJ[GEN], avast will not update
Post by: St.Anger_561_ on April 19, 2009, 08:45:51 PM
thanks for the feedback.  I ran mbam in normal and it showed me "all clear" no infections, also I ran SAS in normal, showed me the same thing.

I did just download advanced system care v3.2.0 and did some repair work with that program.  It did find win32/Aspam.trojan and aspam.trojan/drvman variant when I ran it in safe mode, but this program has since taken care of those two items.

I noticed when I went into normal mode that I got the win32 generic host services error and when I opened up ie8.0 after running the mbam and sas in normal mode, my ie was redirected again when I clicked on the search link results.

Thanks again for your advice, I don't know what else to do or try at this point
Title: Re: JS:FakeAV-K[TRJ] , -F, -G [TRJ], TRJ[GEN], avast will not update
Post by: Lisandro on April 19, 2009, 08:54:42 PM
I suggest:

1. Clean your temporary files.
2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! (http://www.freedrweb.com/cureit/) instead.
3. Use SUPERantispyware (http://www.superantispyware.com), MBAM (http://malwarebytes.org/mbam.php) or Spyware Terminator (http://www.spywareterminator.com/) to scan for spywares and trojans. If any infection is detected, better and safer is send the file to Quarantine than to simple delete them.
4. Test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest avast! antirootkit (http://files.avast.com/files/beta/aswar.exe) or Trend Micro RootkitBuster (http://www.trendmicro.com/download/rbuster.asp).
5. (you can skip this step as you've already done it) Make a HijackThis (http://www.bleepingcomputer.com/files/hijackthis.php) log to post here or this analysis site (http://www.hijackthis.de/#anl). Or even submit the RunScanner (http://www.runscanner.net/) log to on-line analysis.
6. Disable System Restore and then reenable it again.
7. Immunize your system with SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html).
8. Check if you have insecure applications with Secunia Software Inspector (http://secunia.com/software_inspector/).
Title: Re: JS:FakeAV-K[TRJ] , -F, -G [TRJ], TRJ[GEN], avast will not update
Post by: micky77 on April 19, 2009, 10:27:46 PM
St.Anger_561_, sorry to hear you're still having problems. Are there any entries in your hosts file? Look in
C:\WINDOWS\SYSTEM32\DRIVERS\ETC, open the hosts file by double clicking, choose Notepad to open it, and copy/paste what's there.
Title: Re: TRJ[KILLAV.KI} JS:FakeAV-K[TRJ],TRJ[GEN], avast not update, Sad But True
Post by: St.Anger_561_ on April 20, 2009, 04:41:20 AM
 :'(  thanks for the advice again Tech and Micky77

I have made progress, sort of.  I tried TREND Micro housecall but it will not work properly.  On my IE browser it says that I don't have JAVA updated, but I know I do b/c I downloaded it after I tried the Secunia Software Inspector already from a suggestion from one of your other posts, which showed me I needed several items updated, which I did.

I WAS able to run a panda active scan, although it was stuck on 36% complete FOREVER and it took several hours to run (really too long to run) it told me that I have a Trojan - KillAV.KI, which totally stinks!!   >:(     :'(   

What stinks even more is that Panda will not let me get rid of it b/c it asked me for my email address and I registered, but they have never sent me an email yet.  If I can just get that email and confirm then it seems like Panda is ready willing and able to remove...but the email is not coming through...gggrrrr!!   >:( 

I did open the host file with notepad Micky77, but it is a huge file!  There are many many many entries in it, was something I did supposed to delete those?

I am ready to throw in the towel but I appreciate your suggestions.  I have downloaded RunScanner from another of your posts too I believe, Tech, but I haven't run it yet.

Thanks again for the Secunia site, I had no clue on that.  I am going to try searching online for info on this KillAV.KI trojan that Panda found.  Total bummer..
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: micky77 on April 20, 2009, 07:28:41 AM
Don't throw the towel in yet. There was a recent post here with KillAV (maybe not the exact same thing)

http://forum.avast.com/index.php?topic=43784.msg368768#msg368768
Will look back later today. Chin up
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: micky77 on April 20, 2009, 05:26:55 PM
Hello again St.Anger_561_, just a couple more suggestions.
First download Hostsxpert. This program does not need installing, just run it from where you downloaded it to. Unzip it, then open it; you will see an h in a red square, double click to start the program.
You said there were many entries in your file; it's possible most of them are from Spybot's immunisation. Do you have Spybot's "locking" your hosts file setting on? Didn't stop the malware  ;D  If so, uncheck that in Spybot (I notice from HJT you have your homepage locked). I see you have TeaTimer on (advanced settings).
In Spybot go to:
1. Click "Mode", selecting "Advanced Mode".
2. Click "Tools" in the left pane.
3. Click "IE tweaks" in the right pane.
4. UNCHECK "Lock Hosts file read-only as protection against hijackers".
http://z.about.com/d/antivirus/1/0/2/2/spybot_4.jpg
It's possible that if this setting was checked it would stop you from clearing the hosts file.
Anyway, click on file handling, then on restore MS host file. Click on ok, then on make read only. Your hosts file should now be clear, ALL the entries gone.
All this may not work due to malware, and if it does, it will only be temporary, but it may give you the opportunity to update programs and surf without being redirected.

Secondly you could try a rescue disc. These are fully updated AV programs that use Linux, so no need to boot Windows or the malware.
Here are links to instructions and downloads. These programs are primarily for unbootable computers.

With Avira, simply download the file from a clean PC, double click on the file, and you will be prompted to insert a CD/DVD into the drive. The program is automatically burnt to disc. Insert the disc into the bad PC and reboot. See link (especially about choosing English).

With Kaspersky, the file you download (from a clean PC) is an ISO file; it will not work if you copy this to CD. You need to use something like Nero, and choose "burn image to disc".
Then same again, insert into the bad PC and reboot.
I have never used Kaspersky, but with Avira, which has a GUI, you will be given the option to rename any suspicious files, e.g. virus.exe to virus.xxx.
If it finds anything look carefully, you don't want to rename something like winlogon.exe  ;D.
If you are unsure post back with any names.
I wish you luck.

Hostsxpert http://www.snapfiles.com/reviews/hoster/hoster.html (http://www.snapfiles.com/reviews/hoster/hoster.html)

Avira tutorial and download link http://forum.avira.com/wbb/index.php?page=Thread&postID=730130#post730130 (http://forum.avira.com/wbb/index.php?page=Thread&postID=730130#post730130)

Extra download link http://www.free-av.com/en/products/12/avira_antivir_rescue_system.html (http://www.free-av.com/en/products/12/avira_antivir_rescue_system.html)

Kaspersky iso http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk/ (http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk/)

Kaspersky instructions http://www.raymond.cc/blog/archives/2008/06/16/kaspersky-offers-free-rescue-disk-to-clean-virus-without-booting-in-windows/ (http://www.raymond.cc/blog/archives/2008/06/16/kaspersky-offers-free-rescue-disk-to-clean-virus-without-booting-in-windows/)
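The hosts-file clean-up micky77 describes above (Spybot immunisation entries versus a hijacked file, then "restore MS hosts file") can be checked before anything is deleted. The following is an added example, not code from the thread, Hostsxpert or Spybot; it works on hosts-file text, so the sample entries, hostnames (.test) and addresses are constructed.

```python
"""Hosts-file triage for the situation described in this thread.

Added example: it sorts the mappings in a Windows hosts file into the
harmless Spybot-style "immunisation" block entries (a hostname pointed
at the loopback or null address), the stock localhost entry, and the
entries a hijack leaves behind (a hostname pointed somewhere else, which
is what silently redirects a browser or an AV updater), and it produces
the plain Microsoft default content that the "restore MS hosts file"
step ends up with.
"""
import ipaddress

# Where Windows keeps the file.  The functions below work on text, so
# they can be exercised without touching the live system.
WINDOWS_HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"

# Addresses that make a hostname unreachable rather than redirecting it.
BLOCK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# The only active mapping in the stock Microsoft hosts file.
MS_DEFAULT_HOSTS = "127.0.0.1       localhost\n"


def parse_hosts(text):
    """Yield (line_no, address, hostnames) for every active line.

    Comments (after '#') and blank lines are skipped.  A line whose first
    field is not an IP address is reported with address None so the
    caller can decide what to do with it.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            address = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            yield line_no, None, fields
            continue
        yield line_no, address, fields[1:]


def triage_hosts(text):
    """Classify every mapping; returns {kind: [(line_no, address, name)]}."""
    report = {"default": [], "block": [], "redirect": [], "malformed": []}
    for line_no, address, names in parse_hosts(text):
        if address is None:
            report["malformed"].append((line_no, None, " ".join(names)))
            continue
        for name in names:
            if address in BLOCK_ADDRESSES:
                # The stock entry and Spybot-style blocks are both harmless;
                # the volume of block entries only matters when posting logs.
                kind = "default" if name.lower() == "localhost" else "block"
            else:
                # A real hostname sent to some other address: the hosts-file
                # hijack that redirects searches or keeps an updater offline.
                kind = "redirect"
            report[kind].append((line_no, address, name))
    return report


def summarize(report):
    """Entry counts per category, the way you would post them to the forum."""
    return {kind: len(entries) for kind, entries in report.items()}


def restored_hosts():
    """The content to write back when restoring the Microsoft default."""
    return MS_DEFAULT_HOSTS


# Constructed sample: the default entry, two immunisation-style blocks,
# two hijack-style redirects to a documentation-range address (RFC 5737),
# and one garbage line.  Hostnames are made up (.test TLD).
SAMPLE_HOSTS = """\
# hosts file (constructed sample)
127.0.0.1       localhost
127.0.0.1       ads.tracker-one.test   # immunisation-style block
0.0.0.0         banners.tracker-two.test
203.0.113.10    update.av-vendor.test  # redirect: the updater never reaches home
203.0.113.10    www.search-engine.test
this is not a hosts entry
"""

if __name__ == "__main__":
    result = triage_hosts(SAMPLE_HOSTS)
    print(summarize(result))
    for line_no, address, name in result["redirect"]:
        print(f"line {line_no}: {name} -> {address}  (review: not loopback)")
    print("restored content:", repr(restored_hosts()))
```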

Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: St.Anger_561_ on April 21, 2009, 01:33:38 PM
Hey Micky77,

Thanks so much for your help!  I have not given up yet, I am a soldier, like my father was before me.

However I also am a slave to my job, and the 9-5 is a real drag!  Unfortunately I have not had the time or energy to follow your most recent recommendations, but I fully intend to do so and will try to download some of the stuff you suggested today on my laptop while at work on my lunch.

As an aside, this trojan jerk bot killav program is messing with me, apparently, because my password to log into this forum had been changed!!!  Sad but true

I am changing my password to my email now (on my laptop); hopefully that will help a little, at least I won't have to change it again, thanks again!
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: micky77 on April 21, 2009, 08:28:20 PM
One more thing, before you start with the rescue CDs etc., someone recently suggested another program similar to HJT, which I would like you to download. It will produce a BIG log. If you click on the link and go to Step Six (title): Post an OTListIt2 Log, use the download link and follow the instructions listed on step six. I scanned on my PC; the scan took about 20 mins. Please copy/paste the log here. I downloaded to my desktop, where a log will remain for reference.
Because the log may be so big, you will have to split it into several posts (as it's 1000 max characters per post). Hopefully some of the more experienced will check out the log. I am unfamiliar with this program and will be keen to view it too.
http://www.geekstogo.com/forum/Malware-Spyware-Cleaning-Guide-t2852.html (http://www.geekstogo.com/forum/Malware-Spyware-Cleaning-Guide-t2852.html)

This is what a log looks like ( continued on page 2 )
If your log contains the 'many' hosts entries you have, it will be unpostable

http://forum.avast.com/index.php?topic=44267.msg371615#msg371615 (http://forum.avast.com/index.php?topic=44267.msg371615#msg371615)
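A first pass over the PRC/SRV/DRV lines of the kind of log requested above can be scripted. This is an added example, not part of the thread and not OldTimer's code: it parses the line format the OTListIt2 log posted later in this thread uses and flags the entries a reviewer would look at first (a service whose file is gone, a file with no company name, a file modified inside the log's 30-day file-age window). The sample lines are copied from that log; a flag is a reason to look closer, not a verdict.

```python
"""First-pass triage of OTListIt2 PRC/SRV/DRV lines (added example)."""
import re
from datetime import datetime, timedelta

# PRC - [date | size | attrs | M] (Company) -- path [-- (name [start | state])]
ENTRY_RE = re.compile(
    r"^(?P<kind>PRC|SRV|DRV) - \[(?P<modified>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>\S+) \| M\] \((?P<company>[^)]*)\) -- "
    r"(?P<path>.*?)(?: -- \((?P<service>.*)\))?$"
)
# SRV - File not found --  -- (name [start | state])
MISSING_RE = re.compile(
    r"^(?P<kind>PRC|SRV|DRV) - File not found -- +-- \((?P<service>.*)\)$"
)


def parse_entry(line):
    """Return a dict for one PRC/SRV/DRV line, or None for any other line."""
    m = MISSING_RE.match(line)
    if m:
        return {"kind": m["kind"], "path": None, "company": None,
                "modified": None, "size": None, "service": m["service"]}
    m = ENTRY_RE.match(line)
    if not m:
        return None
    return {
        "kind": m["kind"],
        "path": m["path"],
        "company": m["company"].strip(),   # log writes "()" when there is none
        "modified": datetime.strptime(m["modified"], "%Y/%m/%d %H:%M:%S"),
        "size": int(m["size"].replace(",", "")),
        "service": m["service"],
    }


def flags_for(entry, log_date, file_age_days=30):
    """Heuristic review flags for one parsed entry."""
    flags = []
    if entry["path"] is None:
        # A registered service pointing at a file that no longer exists:
        # left over from an uninstall, or from a removal that got the file
        # but not the registration.
        flags.append("file not found (orphaned service entry)")
        return flags
    if not entry["company"]:
        flags.append("no company name (no version information)")
    if entry["modified"] >= log_date - timedelta(days=file_age_days):
        flags.append("modified within file-age window")
    return flags


def triage_log(text, log_date, file_age_days=30):
    """Return [(line, flags)] for every PRC/SRV/DRV line that raised a flag."""
    flagged = []
    for line in text.splitlines():
        entry = parse_entry(line.rstrip())
        if entry is None:
            continue                       # headers, blanks, other sections
        flags = flags_for(entry, log_date, file_age_days)
        if flags:
            flagged.append((line, flags))
    return flagged


# Sample lines taken from the OTListIt2 log posted in this thread
# (log created 4/25/2009 9:12:06 AM, File Age = 30 Days).
SAMPLE_LOG = r"""
PRC - [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
SRV - [2007/03/07 15:47:46 | 00,076,848 | ---- | M] () -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService [On_Demand | Stopped])
SRV - File not found --  -- (iPod Service [Disabled | Stopped])
SRV - [2003/02/04 09:22:30 | 00,181,312 | ---- | M] () -- C:\WINDOWS\System32\ScsiAccess.EXE -- (ScsiAccess [Auto | Stopped])
DRV - [2009/04/19 22:57:34 | 00,102,664 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm [Auto | Stopped])
DRV - [2009/03/23 14:07:28 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Stopped])
"""
LOG_DATE = datetime(2009, 4, 25, 9, 12, 6)

if __name__ == "__main__":
    for line, flags in triage_log(SAMPLE_LOG, LOG_DATE):
        print(line)
        for flag in flags:
            print("   ->", flag)
```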
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: St.Anger_561_ on April 22, 2009, 01:42:42 PM
ok update time, thanks again for all of your advice, especially Micky77 and Tech!!

I am running DrWeb CureIt! in depth now; thus far it has found even more junk on my system I was unaware of having, for example: 
2 probable backdoor trojans, one with an infected archive,
trojan.startpage.1505, whatever that is,
tool.prockill (this is from virtumondobegone.exe) - again with infected archive,
Bat.Generic (infected container),
another 2 probable backdoor.trojan,
1 probable dloader.trojan,
and it's only about 1/3 of the way through my system, lovely!  I don't think I will have time to finish that scan before I leave for work.

Also I had to type in my password 3 times before I could log into windows on my infected pc and when I tried to log into this forum I had to change my password, 2nd time in two days, which I guess is a good thing with all that I have going on.

I have SAS and MBAM already, but I have downloaded Spyware Terminator.
I have downloaded Avast anti-rootkit, and RunScanner.

System Restore was disabled from before.  I checked Secunia, shows me I am up to date on my infected pc.


My hosts file is still huge Micky77!  I have not done what you suggested yet regarding Spybot and changing the "lock your hostfile" setting.  The reason is that I am in safe mode on my infected PC, and, although it appears that Spybot is loaded, when I click on it I get nothing coming up, and when I click on "switch to task" under Task Manager, which shows me like it's running, I get nothing.  I am going to have to try what you suggest under normal Windows, but of course I want the Dr. Web to finish its run first.

I did download and burn a rescue disk from Avira.  That is going to be my next step after the above. I would rather try Avira than Kaspersky at this point.

Thanks again for your help, especially micky and tech.  I hope to have this resolved soon so that I can focus my energy and anger in a different direction and I will not feel so "frantic" about this ; )  Thanks again.

Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: micky77 on April 22, 2009, 05:11:40 PM
I am glad you're having success with Dr Web; best to run in safe mode. Remember to always look at the locations of infections that are found. It's possible they are being found in quarantine, what other programs have already removed, or they are just copies in System Restore, or maybe even FPs. It's possible that trojan.startpage.1505 may be part of Spybot's snapshots (believe it or not I had this FP some time ago); also tool.prockill seems to be part of a legit removal tool.
I admire your determination, keep up the good work  ;)
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: St.Anger_561_ on April 24, 2009, 01:47:28 PM
ok well update time.  I have not given up yet!  But I am frustrated.  Thank god I have another cpu that is not messed up.

Anyway I checked the Spybot IE Tweaks, and I did not have the "locking hosts file" function on, but of course Spybot would not load properly in safe mode, only in normal mode, so I am beginning to think it is suspect and considering removing it at this point.

I will try what you suggested before running the rescue disk.  I did what Tech had advised and tried another Avast archive boot scan, but it didn't turn up anything.

This program I downloaded, SpyHunter3, advised me of zlob.trojan on my system, but it wants me to buy the program before it removes it!  I can do that, but I am concerned that this may not even be the real problem, and what if I buy it and I still have this problem, you know what I mean?

Also I tried that Panda ActiveScan online; it showed me that I have the KillAV.KI trojan, but then it asks me to "register" for free to get this removed. I provided two email addresses and have waited for a couple of days to get an email from them to "register", but I never got any email from them!!!!

I don't know why that is, has anyone else had this problem?  That is pretty frustrating. I thought about downloading the Panda program, but last time I tried to do that (over a year ago) it would not install properly on my system, plus I know it's not good to have more than one AV running at a time on my system (I think I am beyond that point now with all the programs that I have been downloading, lol).

Thanks again.  I plan on putting some work into my infected cpu tomorrow when I am off of work.  Will update again.
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: micky77 on April 24, 2009, 05:18:42 PM
  But I am frustrated. 

Yes, me too. You do not seem to be heeding any advice. Instead of doing what I suggested, you go and download what could be a threat itself. Please remove SpyHunter3 asap. If you have MBAM and SAS, you do not need any more antispyware programs.
Because this malware has restricted use/access of online scanners (most won't remove malware anyway), this route seems pointless.
So what happened with DrWeb?
Right, this is what I think. First remove SpyHunter. Run MBAM again. Then either disable the immunisation part of Spybot (this adds thousands of legit entries into your host file; your host file is buggered anyway), or even better REMOVE SPYBOT altogether. What good has it done you?
Next, clear all entries in your host file, either by using Hostsxpert, or manually by opening with Notepad, clearing, and saving.
Then post the OTListIt2 log I asked for. With careful examination, it might be possible to see malicious files.
Then run the Avira rescue disk. This program is excellent; the main advantage is, it will not boot Windows, so your virus is fast asleep.
I've just seen on another forum this disc took out several nasty TDSS trojans and the rootkit protecting them. It will not remove any threat, merely disable them by altering the extensions.
So that's:
1. Remove SpyHunter
2. Run MBAM again, to make sure SpyHunter is gone
3. Remove Spybot (with MBAM and SAS you do not need it)
4. Clear your host file
5. Post the OTListIt2 log
6. Run Avira rescue disk.

Also do not become fixated with KillAV and Panda. All AV programs have different names for threats. Waiting endlessly for a reply from Panda is too frustrating. As it says on their site, complete malware removal and tech support is for the paid version, probably for an extra fee.

EDIT: I have just added an entry to my host file, and a scan with OTListIt2 did show it on the scan, so it's important to clear the entries in your file before posting the log, especially if you have thousands of legit Spybot immunisation entries.
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: CharleyO on April 25, 2009, 08:36:55 AM
***

May I ask where you got SpyHunter3 from and did you have it at the beginning of this problem?


***
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: micky77 on April 25, 2009, 09:10:40 AM
***
did you have it at the beginning of this problem?
***

It would have shown in his HJT log (although the second log was run in safe mode, and has bits missing):
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: CharleyO on April 25, 2009, 10:13:56 AM
***

Yeah, I know about Enigma. It does not have a good reputation. You are right, running HJT in safe mode misses many things. Also, Prevx says SpyHunter3 is cloaked malware.

I wanted to know where the OP got it from because there are also many cracked/keygen versions of SpyHunter3.


***
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: St.Anger_561_ on April 25, 2009, 01:38:46 PM
Thanks again I am awake and ready to tackle this full force today!  I will remove spyhunter 3 asap.  I am so glad I read your posts. 

EDIT * I found out where I got SpyHunter3, Charley.  After performing a websearch for killav.ki removal, a website said that program could remove it (which was a lie! It didn't even detect that, just this zlob.trojan thing). I downloaded SpyHunter 3 from the website spywareremove . com and I know for certain that I did not have that program when my problems started, as micky77 has indicated. EDIT*

I believe my problems started when I went to a website that sells medications online (which I have never done! I was just curious as to what kinds of meds that one can order online, NEVER AGAIN!!!)

Anyway I am up and at them.  I am going to do what Micky said and post again on my progress.  Hopefully very soon.  Many thanks again for your expertise and advice.

Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: micky77 on April 25, 2009, 02:29:52 PM
You'd better start with MBAM and SAS fully updated

http://www.mywot.com/en/scorecard/spywareremove.com (http://www.mywot.com/en/scorecard/spywareremove.com)

Oh dear  :(

If you used another PC to download SpyHunter from Spywareremove, chances are that may now be infected too (hopefully not).
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: St.Anger_561_ on April 25, 2009, 03:25:25 PM
wow that is a real bummer!  I did d/l from another cpu, even though I did not install on the other cpu.  I do have MBAM on my other cpu, but not SAS, which I will be downloading immediately.  Always something exciting, isn't it?

Well here is my log from the OldTimer ListIt 2 program:  I guess the bright side is if I need to do this all again I am getting plenty of practice, lol!  And some great advice, of course.  Thanks again Micky77

OTListIt logfile created on: 4/25/2009 9:12:06 AM - Run 1
OTListIt2 by OldTimer - Version 2.0.14.0     Folder = C:\Documents and Settings\Levent Canyas\My Documents
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
1.25 Gb Total Physical Memory | 0.90 Gb Available Physical Memory | 72.42% Memory free
1.48 Gb Paging File | 1.32 Gb Available in Paging File | 88.97% Paging File free
Paging file location(s): C:\pagefile.sys 384 768;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.46 Gb Total Space | 33.09 Gb Free Space | 44.45% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 54.21 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
Drive G: | 1.94 Gb Total Space | 1.80 Gb Free Space | 92.54% Space Free | Partition Type: FAT
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: D3Z3PF41
Current User Name: Levent Canyas
Logged in as Administrator.
 
Current Boot Mode: SafeMode
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On
 
========== Processes (SafeList) ==========
 
PRC - [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2009/03/09 15:06:55 | 00,951,632 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2002/08/29 07:00:00 | 00,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wbem\unsecapp.exe
PRC - [2009/02/06 06:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
PRC - [2008/04/13 20:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2009/03/09 15:06:55 | 00,515,416 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2009/04/25 09:04:20 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Levent Canyas\My Documents\OTListIt2.exe
 
========== Win32 Services (SafeList) ==========
 
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2009/02/05 17:01:25 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv [Auto | Stopped])
SRV - [2009/02/05 17:08:40 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus [Auto | Stopped])
SRV - [2009/02/05 17:08:26 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner [On_Demand | Stopped])
SRV - [2009/02/05 17:06:04 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner [On_Demand | Stopped])
SRV - [2002/04/12 01:00:00 | 00,057,344 | ---- | M] (brother Industries Ltd) -- C:\WINDOWS\System32\brsvc01a.exe -- (Brother XP spl Service [Auto | Stopped])
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2007/03/07 15:47:46 | 00,076,848 | ---- | M] () -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService [On_Demand | Stopped])
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2009/03/27 00:45:33 | 00,137,200 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
SRV - [2008/04/13 20:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - File not found --  -- (iPod Service [Disabled | Stopped])
SRV - [2009/04/18 21:40:11 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Stopped])
SRV - [2003/06/18 10:54:10 | 00,294,972 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\drivers\KodakCCS.exe -- (KodakCCS [Auto | Stopped])
SRV - [2009/03/09 15:06:55 | 00,951,632 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service [Auto | Running])
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - File not found --  -- (NMIndexingService [Disabled | Stopped])
SRV - [2003/07/28 11:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2007/08/09 03:27:52 | 00,073,728 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12 [Auto | Stopped])
SRV - [2003/02/04 09:22:30 | 00,181,312 | ---- | M] () -- C:\WINDOWS\System32\ScsiAccess.EXE -- (ScsiAccess [Auto | Stopped])
SRV - [2005/01/28 14:44:28 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [Auto | Stopped])
SRV - [2007/10/18 11:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc [On_Demand | Stopped])
SRV - [2006/11/03 19:19:58 | 00,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend [Auto | Running])
SRV - [2007/10/25 15:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc [On_Demand | Stopped])
SRV - [2005/10/06 19:12:30 | 00,855,552 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Connect 2\wmccds.exe -- (WMConnectCDS [On_Demand | Stopped])
 
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: St.Anger_561_ on April 25, 2009, 03:26:48 PM
========== Driver Services (SafeList) ==========
 
DRV - [2009/02/05 17:05:11 | 00,026,944 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4 [System | Stopped])
DRV - [2002/04/01 15:15:00 | 00,004,816 | ---- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (aeaudio [On_Demand | Stopped])
DRV - [2001/08/17 15:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\System32\DRIVERS\aliide.sys -- (AliIde [Disabled | Stopped])
DRV - [2008/04/13 14:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\System32\DRIVERS\amdagp.sys -- (amdagp [Disabled | Stopped])
DRV - [2001/08/17 15:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\System32\DRIVERS\asc.sys -- (asc [Disabled | Stopped])
DRV - [2001/08/17 15:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\System32\DRIVERS\asc3550.sys -- (asc3550 [Disabled | Stopped])
DRV - [1999/09/10 07:06:00 | 00,025,244 | ---- | M] (Adaptec) -- C:\WINDOWS\System32\drivers\aspi32.sys -- (Aspi32 [Auto | Stopped])
DRV - [2009/02/05 17:07:12 | 00,020,560 | ---- | M] (ALWIL Software) -- C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys -- (aswFsBlk [Auto | Stopped])
DRV - [2009/02/05 17:08:10 | 00,094,032 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2 [Auto | Stopped])
DRV - [2009/02/05 17:06:10 | 00,023,152 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr [On_Demand | Stopped])
DRV - [2009/02/05 17:07:23 | 00,114,768 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP [System | Stopped])
DRV - [2009/02/05 17:06:20 | 00,051,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi [System | Stopped])
DRV - [2003/05/23 14:58:30 | 00,043,136 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys -- (bcm4sbxp [On_Demand | Stopped])
DRV - [2001/08/17 14:12:12 | 00,002,944 | ---- | M] (Brother Industries Ltd.) -- C:\WINDOWS\System32\Drivers\Brfilt.sys -- (brfilt [On_Demand | Stopped])
DRV - [2003/03/14 01:04:20 | 00,061,952 | ---- | M] (Brother Industries Ltd.) -- C:\WINDOWS\System32\Drivers\BrSerWdm.sys -- (BrSerWDM [On_Demand | Stopped])
DRV - [2001/08/17 14:12:20 | 00,011,008 | ---- | M] (Brother Industries Ltd.) -- C:\WINDOWS\System32\Drivers\BrUsbMdm.sys -- (BrUsbMdm [On_Demand | Stopped])
DRV - [2001/08/17 14:12:22 | 00,010,368 | ---- | M] (Brother Industries Ltd.) -- C:\WINDOWS\System32\Drivers\BrUsbScn.sys -- (BrUsbScn [On_Demand | Stopped])
DRV - [2001/08/17 15:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) -- C:\WINDOWS\System32\DRIVERS\cmdide.sys -- (CmdIde [Disabled | Stopped])
DRV - [2001/08/17 15:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) -- C:\WINDOWS\System32\DRIVERS\dac2w2k.sys -- (dac2w2k [Disabled | Stopped])
DRV - [2003/06/18 10:53:08 | 00,036,826 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\System32\DRIVERS\DcCam.sys -- (DcCam [System | Running])
DRV - [2003/06/18 10:53:08 | 00,061,568 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\System32\DRIVERS\DcFpoint.sys -- (DcFpoint [On_Demand | Stopped])
DRV - [2003/06/18 10:53:08 | 00,038,997 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\drivers\dcfs2k.sys -- (DCFS2K [Auto | Stopped])
DRV - [2003/06/18 10:53:08 | 00,008,058 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\System32\DRIVERS\DcLps.sys -- (DcLps [On_Demand | Stopped])
DRV - [2003/06/18 10:53:08 | 00,063,002 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\System32\DRIVERS\DcPTP.sys -- (DcPTP [On_Demand | Stopped])
DRV - [2006/10/05 16:07:28 | 00,004,736 | ---- | M] (Gteko Ltd.) -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSPROCT [On_Demand | Stopped])
DRV - [2007/02/25 12:10:48 | 00,005,376 | --S- | M] (Gteko Ltd.) -- C:\WINDOWS\system32\DRIVERS\dsunidrv.sys -- (dsunidrv [Auto | Stopped])
DRV - [2001/08/17 14:11:06 | 00,066,591 | ---- | M] (3Com Corporation) -- C:\WINDOWS\System32\DRIVERS\el90xbc5.sys -- (EL90XBC [On_Demand | Stopped])
DRV - [2003/06/18 10:53:08 | 00,138,485 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\System32\DRIVERS\exportit.sys -- (Exportit [System | Stopped])
DRV - [2005/10/21 18:58:52 | 00,049,920 | ---- | M] (HP) -- C:\WINDOWS\system32\DRIVERS\HPZid412.sys -- (HPZid412 [On_Demand | Stopped])
DRV - [2005/10/21 18:58:58 | 00,016,496 | ---- | M] (HP) -- C:\WINDOWS\system32\DRIVERS\HPZipr12.sys -- (HPZipr12 [On_Demand | Stopped])
DRV - [2005/10/21 18:52:48 | 00,021,568 | ---- | M] (HP) -- C:\WINDOWS\system32\DRIVERS\HPZius12.sys -- (HPZius12 [On_Demand | Running])
DRV - [2003/07/02 12:26:20 | 00,202,368 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\System32\DRIVERS\HSFHWBS2.sys -- (HSFHWBS2 [On_Demand | Stopped])
DRV - [2003/07/02 12:24:16 | 01,063,936 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\System32\DRIVERS\HSF_DP.sys -- (HSF_DP [On_Demand | Stopped])
DRV - [2004/08/04 01:29:36 | 00,161,020 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\System32\DRIVERS\i81xnt5.sys -- (i81x [On_Demand | Stopped])
DRV - [2004/08/04 01:29:37 | 00,012,415 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\System32\DRIVERS\wADV01nt.sys -- (iAimFP0 [On_Demand | Stopped])
DRV - [2004/08/04 01:29:37 | 00,012,127 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\System32\DRIVERS\wADV02NT.sys -- (iAimFP1 [On_Demand | Stopped])
DRV - [2004/08/04 01:29:37 | 00,011,775 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\System32\DRIVERS\wADV05NT.sys -- (iAimFP2 [On_Demand | Stopped])
DRV - [2004/08/04 01:29:47 | 00,012,063 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys -- (iAimFP3 [On_Demand | Stopped])
DRV - [2004/08/04 01:29:49 | 00,019,455 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys -- (iAimFP4 [On_Demand | Stopped])
DRV - [2004/08/04 01:29:41 | 00,029,311 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\System32\DRIVERS\wATV01nt.sys -- (iAimTV0 [On_Demand | Stopped])
DRV - [2004/08/04 01:29:42 | 00,019,551 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\System32\DRIVERS\wATV02NT.sys -- (iAimTV1 [On_Demand | Stopped])
DRV - [2004/08/04 01:29:43 | 00,033,599 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\System32\DRIVERS\wATV04nt.sys -- (iAimTV3 [On_Demand | Stopped])
DRV - [2004/08/04 01:29:45 | 00,023,615 | ---- | M] (Intel(R) Corporation) -- C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys -- (iAimTV4 [On_Demand | Stopped])
DRV - [2005/10/19 09:59:12 | 00,807,998 | ---- | M] (Intel Corporation) -- C:\WINDOWS\System32\DRIVERS\ialmnt5.sys -- (ialm [On_Demand | Stopped])
DRV - [2009/03/09 15:06:56 | 00,064,160 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys -- (Lbd [Boot | Running])
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: St.Anger_561_ on April 25, 2009, 03:27:29 PM
DRV - [2003/04/09 15:48:08 | 00,011,043 | ---- | M] (Conexant) -- C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys -- (mdmxsdk [Auto | Stopped])
DRV - [2008/04/13 14:36:41 | 00,063,744 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\mf.sys -- (mf [On_Demand | Stopped])
DRV - [2001/08/17 14:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Stopped])
DRV - [2001/08/17 15:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) -- C:\WINDOWS\System32\DRIVERS\mraid35x.sys -- (mraid35x [Disabled | Stopped])
DRV - [2003/06/13 13:06:32 | 00,030,336 | ---- | M] (Politecnico di Torino) -- C:\WINDOWS\system32\drivers\npf.sys -- (NPF [On_Demand | Stopped])
DRV - [2004/08/04 01:29:54 | 01,897,408 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Stopped])
DRV - [2002/11/08 15:45:06 | 00,017,217 | ---- | M] (Dell Computer Corporation) -- C:\WINDOWS\System32\DRIVERS\omci.sys -- (omci [System | Running])
DRV - [2008/06/19 16:24:30 | 00,028,544 | ---- | M] (Panda Security, S.L.) -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot [Boot | Stopped])
DRV - [2002/08/29 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Stopped])
DRV - [2005/08/19 04:00:00 | 00,046,080 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2001/08/17 15:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\System32\DRIVERS\ql1080.sys -- (ql1080 [Disabled | Stopped])
DRV - [2001/08/17 15:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\System32\DRIVERS\ql12160.sys -- (ql12160 [Disabled | Stopped])
DRV - [2001/08/17 15:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\System32\DRIVERS\ql1280.sys -- (ql1280 [Disabled | Stopped])
DRV - [2009/03/23 14:07:26 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV [System | Stopped])
DRV - [2009/03/23 14:07:28 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Stopped])
DRV - [2009/03/23 14:07:26 | 00,072,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys -- (SASKUTIL [System | Stopped])
DRV - [2007/11/13 06:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2008/04/13 14:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\System32\DRIVERS\sisagp.sys -- (sisagp [Disabled | Stopped])
DRV - [2003/02/28 11:17:18 | 00,545,024 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm [On_Demand | Stopped])
DRV - [2001/08/17 16:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\System32\DRIVERS\sparrow.sys -- (Sparrow [Disabled | Stopped])
DRV - [2001/08/17 14:53:32 | 00,006,784 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\DRIVERS\serscan.sys -- (StillCam [On_Demand | Stopped])
DRV - [2001/08/17 16:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) -- C:\WINDOWS\System32\DRIVERS\symc810.sys -- (symc810 [Disabled | Stopped])
DRV - [2001/08/17 16:07:36 | 00,032,640 | ---- | M] (LSI Logic) -- C:\WINDOWS\System32\DRIVERS\symc8xx.sys -- (symc8xx [Disabled | Stopped])
DRV - [2001/08/17 16:07:40 | 00,028,384 | ---- | M] (LSI Logic) -- C:\WINDOWS\System32\DRIVERS\sym_hi.sys -- (sym_hi [Disabled | Stopped])
DRV - [2001/08/17 16:07:42 | 00,030,688 | ---- | M] (LSI Logic) -- C:\WINDOWS\System32\DRIVERS\sym_u3.sys -- (sym_u3 [Disabled | Stopped])
DRV - [2009/04/19 22:57:34 | 00,102,664 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm [Auto | Stopped])
DRV - [2001/08/17 15:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\System32\DRIVERS\ultra.sys -- (ultra [Disabled | Stopped])
DRV - [2008/04/13 14:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Stopped])
DRV - [2003/07/02 12:25:24 | 00,631,680 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys -- (winachsf [On_Demand | Stopped])
DRV - [2004/01/26 21:42:44 | 00,728,083 | ---- | M] (Xirlink, Inc) -- C:\WINDOWS\System32\DRIVERS\ucdnt.sys -- (XIRLINK [On_Demand | Stopped])
DRV - [2003/04/15 12:40:54 | 00,113,504 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmsbw.sys -- ({6080A529-897E-4629-A488-ABA0C29B635E} [On_Demand | Stopped])
DRV - [2003/04/15 12:40:46 | 00,078,752 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmkchw.sys -- ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91} [On_Demand | Stopped])
 
========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr8/*http://www.yahoo.com/ext/search/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
 
 
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: St.Anger_561_ on April 25, 2009, 03:28:03 PM
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-21-2835264611-1626357533-382488265-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
IE - HKU\S-1-5-21-2835264611-1626357533-382488265-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = www.live.com;
IE - HKU\S-1-5-21-2835264611-1626357533-382488265-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-2835264611-1626357533-382488265-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-2835264611-1626357533-382488265-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKU\S-1-5-21-2835264611-1626357533-382488265-1007\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-2835264611-1626357533-382488265-1007\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-2835264611-1626357533-382488265-1007\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex}&startPage={startPage}
IE - HKU\S-1-5-21-2835264611-1626357533-382488265-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = www.live.com;
IE - HKU\S-1-5-21-2835264611-1626357533-382488265-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
IE - HKU\S-1-5-21-2835264611-1626357533-382488265-1007\S-1-5-21-2835264611-1626357533-382488265-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2835264611-1626357533-382488265-1007\S-1-5-21-2835264611-1626357533-382488265-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
 
========== FireFox ==========
 
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "http://start.mozilla.org"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}:6.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}:6.0.01
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}:6.0.02
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}:6.0.03
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}:6.0.05
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}:6.0.07
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.0
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.5.4.20081105
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.9
 
 
FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION\ [2009/04/18 09:19:25 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\PROGRAM FILES\REAL\REALPLAYER\BROWSERRECORD [2009/04/18 21:06:35 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/04/18 21:40:11 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.9\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009/04/25 07:17:31 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.9\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009/04/25 07:17:31 | 00,000,000 | ---D | M]
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: St.Anger_561_ on April 25, 2009, 03:30:33 PM
 
[2008/08/29 21:08:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Levent Canyas\Application Data\mozilla\Extensions
[2008/08/29 21:08:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Levent Canyas\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/04/25 07:36:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Levent Canyas\Application Data\mozilla\Firefox\Profiles\0yyypzpn.default\extensions
[2009/04/19 12:49:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Levent Canyas\Application Data\mozilla\Firefox\Profiles\0yyypzpn.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/04/22 23:26:20 | 00,001,412 | ---- | M] () -- C:\Documents and Settings\Levent Canyas\Application Data\Mozilla\FireFox\Profiles\0yyypzpn.default\searchplugins\bittorrent.xml
[2009/04/22 23:26:20 | 00,005,500 | ---- | M] () -- C:\Documents and Settings\Levent Canyas\Application Data\Mozilla\FireFox\Profiles\0yyypzpn.default\searchplugins\foodtv.xml
[2008/06/25 21:37:59 | 00,000,908 | ---- | M] () -- C:\Documents and Settings\Levent Canyas\Application Data\Mozilla\FireFox\Profiles\0yyypzpn.default\searchplugins\IMDB.xml
[2008/07/02 22:03:26 | 00,001,963 | ---- | M] () -- C:\Documents and Settings\Levent Canyas\Application Data\Mozilla\FireFox\Profiles\0yyypzpn.default\searchplugins\odeo.xml
[2008/06/25 21:38:03 | 00,001,108 | ---- | M] () -- C:\Documents and Settings\Levent Canyas\Application Data\Mozilla\FireFox\Profiles\0yyypzpn.default\searchplugins\wikipedia.xml
[2009/04/25 07:36:26 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2009/04/25 07:17:14 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2007/03/03 21:11:54 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
[2007/04/26 04:24:47 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
[2007/08/19 21:22:51 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
[2007/10/14 12:28:38 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
[2008/03/15 23:18:34 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
[2008/08/29 21:14:07 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
[2009/04/18 21:43:57 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009/04/25 07:17:08 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/04/25 07:17:08 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2005/02/25 20:27:00 | 00,044,153 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\inspector.dll
[2009/04/25 07:17:25 | 00,001,394 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.xml
[2009/04/25 07:17:25 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2009/04/25 07:17:25 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2009/04/25 07:17:25 | 00,002,343 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.xml
[2009/04/25 07:17:25 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2009/04/25 07:17:25 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2009/04/25 07:17:25 | 00,000,792 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.xml
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: St.Anger_561_ on April 25, 2009, 03:30:59 PM
O1 HOSTS File: (853 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1    localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - Reg Error: Key error. File not found
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll (Google Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (&Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - Reg Error: Key error. File not found
O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-2835264611-1626357533-382488265-1007\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKU\S-1-5-21-2835264611-1626357533-382488265-1007\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKU\S-1-5-21-2835264611-1626357533-382488265-1007\..\Toolbar\WebBrowser: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-2835264611-1626357533-382488265-1007\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized File not found
O4 - HKLM..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe" (ALWIL Software)
O4 - HKLM..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe File not found
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe (Hewlett-Packard)
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto (Microsoft Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKU\.DEFAULT..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (Microsoft Corporation)
O4 - HKU\S-1-5-21-2835264611-1626357533-382488265-1007..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKLM..\RunOnceEx: [Flags] Reg Error: Invalid data type. File not found
O4 - HKLM..\RunOnceEx: [Title] UnHackMe Rootkit Check File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoPropertiesMyComputer = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoViewContextMenu = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFileAssociate = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFind = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRun = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoClose = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogoff = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveTrack = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ShutdownWithoutLogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispCPL = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispBackgroundPage = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispSettingsPage = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispScrSavPage = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2835264611-1626357533-382488265-1007\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2835264611-1626357533-382488265-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-2835264611-1626357533-382488265-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideClock = 0
O7 - HKU\S-1-5-21-2835264611-1626357533-382488265-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoTrayItemsDisplay = 0
O7 - HKU\S-1-5-21-2835264611-1626357533-382488265-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKU\S-1-5-21-2835264611-1626357533-382488265-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsHistory = 1
O7 - HKU\S-1-5-21-2835264611-1626357533-382488265-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: ClearRecentDocsOnExit = 0
O7 - HKU\S-1-5-21-2835264611-1626357533-382488265-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O7 - HKU\S-1-5-21-2835264611-1626357533-382488265-1007_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - Reg Error: Value error. File not found
O8 - Extra context menu item: Add to Windows &Live Favorites - Reg Error: Value error. File not found
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: St.Anger_561_ on April 25, 2009, 03:32:37 PM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Sites: musicmatch.com ([]* in Trusted sites)
O15 - HKLM\..Trusted Domains: 50 domain(s) and sub-domain(s) not assigned to a zone.
[2009/04/19 03:21:39 | 00,000,000 | -HSD | C] -- C:\found.000
[2009/04/18 23:59:41 | 00,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/04/18 21:06:54 | 00,001,610 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2009/04/18 21:06:44 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\xing shared
[2009/04/18 21:06:35 | 00,000,897 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\RealPlayer.lnk
[2009/04/18 21:06:31 | 00,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2009/04/18 12:01:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Levent Canyas\Application Data\Malwarebytes
[2009/04/18 12:01:23 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/18 12:01:23 | 00,000,714 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/18 12:01:21 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/18 12:01:19 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/04/18 12:01:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/04/18 11:55:43 | 02,967,800 | ---- | C] (Malwarebytes Corporation                                    ) -- C:\Documents and Settings\Levent Canyas\My Documents\mbam-setup.exe
[2009/04/18 11:42:54 | 00,000,466 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Scan (full scan).job
[2009/04/18 11:40:35 | 00,015,688 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/04/18 11:28:13 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily).job
[2009/04/18 11:19:18 | 00,064,160 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/04/18 11:16:38 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
[2009/04/18 11:16:34 | 00,000,867 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2009/04/18 09:17:46 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2009/04/18 09:17:39 | 00,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2009/04/18 09:17:24 | 00,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2009/04/18 09:16:41 | 00,117,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\prntvpt.dll
[2009/04/18 09:16:41 | 00,089,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\filterpipelineprintproc.dll
[2009/04/18 09:16:40 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpssvcs.dll
[2009/04/18 09:16:40 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpssvcs.dll
[2009/04/18 09:16:40 | 00,597,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\printfilterpipelinesvc.exe
[2009/04/18 09:16:40 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsshhdr.dll
[2009/04/18 09:16:40 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpsshhdr.dll
[2009/04/18 09:16:39 | 00,000,000 | ---D | C] -- C:\f5b77fb82c53c9034e9a44f517b8
[2009/04/18 09:16:16 | 00,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
O15 - HKU\.DEFAULT\..Trusted Domains: 51 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 51 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-20\..Trusted Domains: 115 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-2835264611-1626357533-382488265-1007\..Trusted Domains: 65 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} http://help.bellsouth.net/sdccommon/download/tgctlcm.cab (Support.com Configuration Class)
O16 - DPF: {02CA9974-B6AC-497E-A371-73580432B0F6} http://imlive.com/ChatSource/gVideoContol.cab (Eyeball Video Message Control)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} http://housecall60.trendmicro.com/housecall/xscan60.cab (HouseCall Control)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab (CKAVWebScan Object)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?LinkID=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab (ActiveScan 2.0 Installer Class)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} C:\Program Files\Yahoo!\Common\yinsthelper.dll (YInstStarter Class)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Value error.)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab (Reg Error: Value error.)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://by124fd.bay124.hotmail.msn.com/resources/MsnPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145927023781 (MUWebControl Class)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab (HouseCall Control)
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} http://chat.yahoo.com/cab/yuplapp.cab (Yahoo! Webcam Upload Wrapper)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll (Yahoo! MailTo)
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} http://ax.emsisoft.com/asquared.cab (a-squared Scanner)
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}  (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: St.Anger_561_ on April 25, 2009, 03:36:16 PM
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} http://www.livemetallica.com/nugster/dlControl.CAB (dlControl.UserControl1)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}  (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220 208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Interfaces\{8ED412C0-6CA1-43D5-A584-2A41E154CB5A}\\NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Interfaces\{B7F3EB81-4190-41B1-8527-EAC21B3079E9}\\NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter:  - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\SYSTEM32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\WRNotifier: DllName - WRLogonNTF.dll -  File not found
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/09/03 10:59:58 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
 
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: St.Anger_561_ on April 25, 2009, 03:36:51 PM
========== Files/Folders - Created Within 30 Days ==========
 
[1 C:\WINDOWS\System32\*.tmp files]
[2 C:\WINDOWS\*.tmp files]
[2009/04/25 09:11:45 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Levent Canyas\My Documents\OTListIt2.exe
[2009/04/22 23:17:33 | 01,089,593 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ntprint.cat
[2009/04/22 20:15:35 | 00,003,500 | ---- | C] () -- C:\Documents and Settings\Levent Canyas\My Documents\DrWebScan2.csv
[2009/04/22 20:14:33 | 00,003,464 | ---- | C] () -- C:\Documents and Settings\Levent Canyas\My Documents\DrWebScan.csv
[2009/04/21 23:44:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/04/21 23:43:55 | 00,000,702 | ---- | C] () -- C:\Documents and Settings\Levent Canyas\Desktop\SpywareBlaster.lnk
[2009/04/21 23:43:45 | 00,000,000 | ---D | C] -- C:\Program Files\SpywareBlaster
[2009/04/19 23:03:47 | 00,000,000 | ---D | C] -- C:\Program Files\Enigma Software Group
[2009/04/19 23:03:03 | 00,001,604 | ---- | C] () -- C:\Documents and Settings\Levent Canyas\Desktop\True Sword.lnk
[2009/04/19 23:03:00 | 00,356,352 | ---- | C] (eSellerate Inc.) -- C:\WINDOWS\eSellerateEngine.dll
[2009/04/19 23:03:00 | 00,081,920 | ---- | C] (eSellerate Inc.) -- C:\WINDOWS\eSellerateControl350.dll
[2009/04/19 23:02:58 | 00,000,000 | ---D | C] -- C:\Program Files\True Sword 5
[2009/04/19 15:32:08 | 70,178,288 | ---- | C] (Emsi Software GmbH                                          ) -- C:\Documents and Settings\Levent Canyas\My Documents\a2FreeOASetup.exe
[2009/04/19 15:27:08 | 00,028,544 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[2009/04/19 15:25:17 | 00,000,000 | ---D | C] -- C:\Program Files\Panda Security
[2009/04/19 15:24:15 | 00,221,154 | ---- | C] () -- C:\Documents and Settings\Levent Canyas\My Documents\cc_20090419_152412.reg
[2009/04/19 15:19:33 | 00,781,909 | ---- | C] () -- C:\Documents and Settings\Levent Canyas\My Documents\RSIT.exe
[2009/04/19 14:48:45 | 02,480,016 | -H-- | C] () -- C:\Documents and Settings\Levent Canyas\Local Settings\Application Data\IconCache.db
[2009/04/19 12:49:08 | 00,000,886 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Advanced SystemCare.lnk
[2009/04/19 12:49:08 | 00,000,161 | ---- | C] () -- C:\Documents and Settings\Levent Canyas\Desktop\IObit Freeware.url
[2009/04/19 12:49:04 | 00,000,000 | ---D | C] -- C:\Program Files\IObit
[2009/04/19 12:49:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Levent Canyas\Application Data\IObit
[2009/04/19 12:46:35 | 00,001,548 | ---- | C] () -- C:\Documents and Settings\Levent Canyas\Desktop\CCleaner.lnk
[2009/04/19 12:46:35 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2009/04/19 12:42:53 | 01,970,629 | ---- | C] () -- C:\Documents and Settings\Levent Canyas\My Documents\runscanner.zip
[2009/04/19 12:42:29 | 03,190,688 | ---- | C] (Piriform Ltd) -- C:\Documents and Settings\Levent Canyas\My Documents\ccsetup218.exe
[2009/04/19 12:37:10 | 00,102,664 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2009/04/19 12:23:41 | 07,796,200 | ---- | C] (IObit                                                       ) -- C:\Documents and Settings\Levent Canyas\My Documents\asc-setup.exe
[2009/04/19 12:22:23 | 01,055,648 | ---- | C] () -- C:\Documents and Settings\Levent Canyas\My Documents\RootkitBuster_2.52.1013.zip
[2009/04/19 03:21:39 | 00,000,000 | -HSD | C] -- C:\found.000
[2009/04/18 23:59:41 | 00,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/04/18 21:06:54 | 00,001,610 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2009/04/18 21:06:44 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\xing shared
[2009/04/18 21:06:35 | 00,000,897 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\RealPlayer.lnk
[2009/04/18 21:06:31 | 00,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2009/04/18 12:01:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Levent Canyas\Application Data\Malwarebytes
[2009/04/18 12:01:23 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/18 12:01:23 | 00,000,714 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/18 12:01:21 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/18 12:01:19 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/04/18 12:01:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/04/18 11:55:43 | 02,967,800 | ---- | C] (Malwarebytes Corporation                                    ) -- C:\Documents and Settings\Levent Canyas\My Documents\mbam-setup.exe
[2009/04/18 11:42:54 | 00,000,466 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Scan (full scan).job
[2009/04/18 11:40:35 | 00,015,688 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/04/18 11:28:13 | 00,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily).job
[2009/04/18 11:19:18 | 00,064,160 | ---- | C] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/04/18 11:16:38 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
[2009/04/18 11:16:34 | 00,000,867 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2009/04/18 09:17:46 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2009/04/18 09:17:39 | 00,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2009/04/18 09:17:24 | 00,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2009/04/18 09:16:41 | 00,117,760 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\prntvpt.dll
[2009/04/18 09:16:41 | 00,089,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\filterpipelineprintproc.dll
[2009/04/18 09:16:40 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpssvcs.dll
[2009/04/18 09:16:40 | 01,676,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpssvcs.dll
[2009/04/18 09:16:40 | 00,597,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\printfilterpipelinesvc.exe
[2009/04/18 09:16:40 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsshhdr.dll
[2009/04/18 09:16:40 | 00,575,488 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\xpsshhdr.dll
[2009/04/18 09:16:39 | 00,000,000 | ---D | C] -- C:\f5b77fb82c53c9034e9a44f517b8
[2009/04/18 09:16:16 | 00,000,000 | ---D | C] -- C:\WINDOWS\SxsCaPendDel
[2009/04/18 09:08:39 | 03,569,025 | ---- | C] () -- C:\Documents and Settings\Levent Canyas\My Documents\SASDEFINITIONS.EXE
[2009/04/18 09:05:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2009/04/18 01:01:56 | 00,000,000 | ---D | C] -- C:\WINDOWS\ie8updates
[2009/04/18 00:58:51 | 00,000,000 | -H-D | C] -- C:\WINDOWS\ie8
[2009/04/17 21:00:40 | 00,105,984 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\iecompat.dll
[2009/04/17 20:03:53 | 00,001,740 | ---- | C] () -- C:\Documents and Settings\Levent Canyas\Desktop\HijackThis.lnk
[2009/04/17 20:03:52 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/04/17 20:03:45 | 00,000,000 | ---D | C] -- C:\b6af8ac97383a24bba8a1bef8244c9
[2009/04/17 19:53:46 | 00,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Levent Canyas\My Documents\HJTInstall.exe
[2009/04/17 19:45:19 | 25,569,440 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Levent Canyas\My Documents\Setup.exe
[2009/04/16 23:00:26 | 00,284,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009/04/16 23:00:25 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcss.dll
[2009/04/16 23:00:25 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe
[2009/04/16 23:00:24 | 00,473,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2009/04/16 23:00:24 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2009/04/16 23:00:23 | 00,453,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
[2009/04/16 23:00:22 | 00,729,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2009/04/16 23:00:22 | 00,714,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntdll.dll
[2009/04/16 23:00:22 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll
[2009/04/16 22:58:38 | 01,203,922 | ---- | C] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: St.Anger_561_ on April 25, 2009, 03:37:32 PM
[2009/04/16 22:58:38 | 00,002,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll
[2009/04/16 22:58:37 | 00,215,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2009/04/16 01:32:15 | 00,022,648 | ---- | C] () -- C:\Documents and Settings\Levent Canyas\My Documents\American_Community_Survey_Wexler.wpd
[2009/04/08 19:12:11 | 00,003,864 | ---- | C] () -- C:\Documents and Settings\Levent Canyas\My Documents\life_Letter.wpd
[2009/04/06 21:11:01 | 00,000,788 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/04/06 21:09:11 | 06,237,728 | ---- | C] () -- C:\Documents and Settings\Levent Canyas\My Documents\SUPERAntiSpyware.exe
[2009/04/06 20:58:58 | 06,187,552 | ---- | C] () -- C:\Documents and Settings\Levent Canyas\My Documents\SUPERAntiSpywarePro.exe
[2009/04/05 19:13:44 | 24,356,488 | ---- | C] () -- C:\Documents and Settings\Levent Canyas\My Documents\vpsupd.exe
[2009/04/01 23:18:43 | 00,047,525 | ---- | C] () -- C:\Documents and Settings\Levent Canyas\My Documents\EU Transcript Request (2).pdf
[2009/03/27 00:26:27 | 00,016,320 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\LC_UF_UOT.wpd
[2007/07/08 21:32:10 | 00,000,058 | ---- | C] () -- C:\WINDOWS\OSA.INI
[2007/05/22 00:00:26 | 00,000,250 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/05/04 08:49:05 | 00,000,000 | ---- | C] () -- C:\WINDOWS\pestpatrol5.INI
[2007/03/22 09:52:57 | 00,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2007/02/21 03:29:50 | 00,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini
[2007/01/02 21:53:29 | 00,077,824 | R--- | C] () -- C:\WINDOWS\System32\HPZIDS01.dll
[2006/01/22 07:08:19 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zwpshex.dll
[2005/11/24 01:16:21 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2005/08/30 00:39:24 | 00,000,264 | ---- | C] () -- C:\WINDOWS\System32\winsusrm.dll
[2005/05/03 11:44:44 | 00,025,157 | ---- | C] () -- C:\WINDOWS\RMAgentOutput.dll
[2005/05/03 11:43:44 | 00,126,976 | ---- | C] () -- C:\WINDOWS\dllTSCLIBMT.dll
[2005/04/24 00:51:03 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\sys_dll.dll
[2005/04/04 18:12:19 | 00,000,073 | ---- | C] () -- C:\WINDOWS\morphexe.INI
[2005/03/15 01:01:13 | 00,016,970 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2005/01/10 23:39:05 | 00,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2004/11/10 18:42:16 | 00,000,045 | ---- | C] () -- C:\WINDOWS\Protocol.ini
[2004/11/09 01:03:46 | 00,071,749 | ---- | C] () -- C:\WINDOWS\HCExtOutput.dll
[2004/11/09 01:03:46 | 00,000,679 | ---- | C] () -- C:\WINDOWS\TSC.ini
[2004/11/09 00:58:26 | 00,000,170 | ---- | C] () -- C:\WINDOWS\GetServer.ini
[2004/10/21 19:53:14 | 00,040,448 | ---- | C] () -- C:\WINDOWS\System32\BJAXSecurityManager.dll
[2004/10/21 19:53:13 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\BJInstaller.dll
[2004/09/01 11:49:17 | 03,375,104 | ---- | C] () -- C:\WINDOWS\System32\qt-mt331.dll
[2004/06/17 21:30:15 | 00,002,450 | ---- | C] () -- C:\WINDOWS\ACROREAD.INI
[2004/05/17 20:57:42 | 00,000,040 | ---- | C] () -- C:\WINDOWS\opt_2460.ini
[2004/05/17 20:57:41 | 00,000,051 | ---- | C] () -- C:\WINDOWS\brmx2001.ini
[2004/04/05 09:46:37 | 00,000,116 | ---- | C] () -- C:\WINDOWS\WinInit.Ini
[2004/03/25 20:22:10 | 00,000,031 | ---- | C] () -- C:\WINDOWS\AUTHMGR.INI
[2004/03/25 19:25:08 | 00,000,030 | ---- | C] () -- C:\WINDOWS\System32\brss01a.ini
[2004/03/25 19:24:48 | 00,002,188 | ---- | C] () -- C:\WINDOWS\BRMFBIDI.INI
[2004/03/25 19:23:56 | 00,000,585 | ---- | C] () -- C:\WINDOWS\Brpcfx.ini
[2004/03/25 19:23:56 | 00,000,463 | ---- | C] () -- C:\WINDOWS\brwmark.ini
[2004/03/25 19:23:56 | 00,000,079 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2004/03/25 19:22:02 | 00,000,806 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2004/02/25 20:17:13 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/02/25 20:09:09 | 00,000,258 | ---- | C] () -- C:\WINDOWS\System32\BDEMERGE.INI
[2004/02/25 20:02:28 | 00,000,899 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/02/25 19:47:15 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/02/25 19:34:14 | 00,000,452 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2002/11/01 17:17:50 | 00,000,256 | ---- | C] () -- C:\WINDOWS\aucfg.ini
[2002/09/03 10:59:58 | 00,000,226 | ---- | C] () -- C:\WINDOWS\WIN.INI
[2002/09/03 10:50:58 | 00,000,227 | ---- | C] () -- C:\WINDOWS\SYSTEM.INI
[2002/08/12 09:19:42 | 00,101,376 | ---- | C] () -- C:\WINDOWS\System32\Welsof32.dll
[2002/07/04 16:05:34 | 00,000,269 | ---- | C] () -- C:\WINDOWS\tmupdate.ini
[2002/01/08 17:57:34 | 00,110,592 | ---- | C] () -- C:\WINDOWS\System32\Jpeg32.dll
[2001/12/14 14:34:46 | 00,164,864 | ---- | C] () -- C:\WINDOWS\patchw32.dll
[2001/07/07 04:00:00 | 00,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[2000/09/08 17:53:50 | 00,073,839 | ---- | C] () -- C:\WINDOWS\System32\KodakOneTouch.dll
[1999/12/07 01:00:00 | 00,024,976 | ---- | C] () -- C:\WINDOWS\twain_16.dll
[1999/07/23 13:46:48 | 00,000,116 | ---- | C] () -- C:\WINDOWS\AuHCcup1.ini
[1999/07/23 10:53:20 | 00,129,536 | ---- | C] () -- C:\WINDOWS\AuHCcup1.dll
 
========== Files - Modified Within 30 Days ==========
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: St.Anger_561_ on April 25, 2009, 03:38:06 PM
[1 C:\WINDOWS\System32\*.tmp files]
[2 C:\WINDOWS\*.tmp files]
[2009/04/25 09:04:20 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Levent Canyas\My Documents\OTListIt2.exe
[2009/04/25 08:45:13 | 00,000,853 | ---- | M] () -- C:\WINDOWS\System32\drivers\ETC\HOSTS
[2009/04/25 08:36:39 | 00,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/04/25 08:35:12 | 00,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/04/25 08:31:16 | 00,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2009/04/25 08:30:15 | 02,480,016 | -H-- | M] () -- C:\Documents and Settings\Levent Canyas\Local Settings\Application Data\IconCache.db
[2009/04/25 08:10:46 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/04/25 08:10:26 | 00,000,230 | -H-- | M] () -- C:\BOOT.INI
[2009/04/25 08:10:26 | 00,000,227 | ---- | M] () -- C:\WINDOWS\SYSTEM.INI
[2009/04/25 08:10:26 | 00,000,226 | ---- | M] () -- C:\WINDOWS\WIN.INI
[2009/04/24 07:39:01 | 00,000,256 | ---- | M] () -- C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
[2009/04/22 20:15:35 | 00,003,500 | ---- | M] () -- C:\Documents and Settings\Levent Canyas\My Documents\DrWebScan2.csv
[2009/04/22 20:14:33 | 00,003,464 | ---- | M] () -- C:\Documents and Settings\Levent Canyas\My Documents\DrWebScan.csv
[2009/04/21 23:43:55 | 00,000,702 | ---- | M] () -- C:\Documents and Settings\Levent Canyas\Desktop\SpywareBlaster.lnk
[2009/04/21 23:37:47 | 00,155,136 | ---- | M] () -- C:\Documents and Settings\Levent Canyas\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/21 23:35:41 | 00,001,170 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2009/04/19 23:03:03 | 00,001,604 | ---- | M] () -- C:\Documents and Settings\Levent Canyas\Desktop\True Sword.lnk
[2009/04/19 22:57:34 | 00,102,664 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2009/04/19 15:32:12 | 70,178,288 | ---- | M] (Emsi Software GmbH                                          ) -- C:\Documents and Settings\Levent Canyas\My Documents\a2FreeOASetup.exe
[2009/04/19 15:24:37 | 00,221,154 | ---- | M] () -- C:\Documents and Settings\Levent Canyas\My Documents\cc_20090419_152412.reg
[2009/04/19 15:19:37 | 00,781,909 | ---- | M] () -- C:\Documents and Settings\Levent Canyas\My Documents\RSIT.exe
[2009/04/19 12:49:08 | 00,000,886 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Advanced SystemCare.lnk
[2009/04/19 12:49:08 | 00,000,161 | ---- | M] () -- C:\Documents and Settings\Levent Canyas\Desktop\IObit Freeware.url
[2009/04/19 12:46:35 | 00,001,548 | ---- | M] () -- C:\Documents and Settings\Levent Canyas\Desktop\CCleaner.lnk
[2009/04/19 12:46:26 | 03,190,688 | ---- | M] (Piriform Ltd) -- C:\Documents and Settings\Levent Canyas\My Documents\ccsetup218.exe
[2009/04/19 12:43:07 | 01,970,629 | ---- | M] () -- C:\Documents and Settings\Levent Canyas\My Documents\runscanner.zip
[2009/04/19 12:37:26 | 07,796,200 | ---- | M] (IObit                                                       ) -- C:\Documents and Settings\Levent Canyas\My Documents\asc-setup.exe
[2009/04/19 12:36:48 | 01,055,648 | ---- | M] () -- C:\Documents and Settings\Levent Canyas\My Documents\RootkitBuster_2.52.1013.zip
[2009/04/19 08:11:03 | 00,000,899 | ---- | M] () -- C:\WINDOWS\orun32.ini
[2009/04/18 23:55:11 | 00,075,200 | ---- | M] () -- C:\Documents and Settings\Levent Canyas\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/04/18 21:06:54 | 00,001,610 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2009/04/18 21:06:35 | 00,000,897 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\RealPlayer.lnk
[2009/04/18 21:05:48 | 00,278,528 | ---- | M] (Real Networks, Inc) -- C:\WINDOWS\System32\pncrt.dll
[2009/04/18 20:46:18 | 00,001,740 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 7.0.lnk
[2009/04/18 12:48:16 | 00,000,466 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Scan (full scan).job
[2009/04/18 12:01:23 | 00,000,714 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/18 11:56:01 | 02,967,800 | ---- | M] (Malwarebytes Corporation                                    ) -- C:\Documents and Settings\Levent Canyas\My Documents\mbam-setup.exe
[2009/04/18 11:28:13 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Daily).job
[2009/04/18 11:16:34 | 00,000,867 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2009/04/18 09:50:51 | 00,278,944 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/04/18 09:25:37 | 00,524,280 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/18 09:25:37 | 00,442,774 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2009/04/18 09:25:37 | 00,071,848 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2009/04/18 09:09:10 | 03,569,025 | ---- | M] () -- C:\Documents and Settings\Levent Canyas\My Documents\SASDEFINITIONS.EXE
[2009/04/18 07:50:26 | 00,000,084 | -HS- | M] () -- C:\Documents and Settings\Levent Canyas\My Documents\DESKTOP.INI
[2009/04/17 20:03:54 | 00,001,740 | ---- | M] () -- C:\Documents and Settings\Levent Canyas\Desktop\HijackThis.lnk
[2009/04/17 20:03:46 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Levent Canyas\My Documents\HJTInstall.exe
[2009/04/17 20:03:36 | 25,569,440 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Levent Canyas\My Documents\Setup.exe
[2009/04/17 07:49:30 | 00,016,970 | ---- | M] () -- C:\WINDOWS\cdplayer.ini
[2009/04/16 12:08:55 | 00,022,648 | ---- | M] () -- C:\Documents and Settings\Levent Canyas\My Documents\American_Community_Survey_Wexler.wpd
[2009/04/09 23:16:05 | 00,312,968 | R--- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts.20090418-235101.backup
[2009/04/08 19:16:31 | 00,003,864 | ---- | M] () -- C:\Documents and Settings\Levent Canyas\My Documents\life_Letter.wpd
[2009/04/06 21:11:01 | 00,000,788 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/04/06 21:09:50 | 06,237,728 | ---- | M] () -- C:\Documents and Settings\Levent Canyas\My Documents\SUPERAntiSpyware.exe
[2009/04/06 21:07:14 | 06,187,552 | ---- | M] () -- C:\Documents and Settings\Levent Canyas\My Documents\SUPERAntiSpywarePro.exe
[2009/04/06 15:32:54 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/06 15:32:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/06 10:57:24 | 24,921,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/04/05 19:14:04 | 24,356,488 | ---- | M] () -- C:\Documents and Settings\Levent Canyas\My Documents\vpsupd.exe
[2009/04/05 18:41:17 | 00,304,968 | R--- | M] () -- C:\WINDOWS\System32\drivers\ETC\hosts.20090409-231605.backup
[2009/04/02 16:03:02 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/04/01 23:18:43 | 00,047,525 | ---- | M] () -- C:\Documents and Settings\Levent Canyas\My Documents\EU Transcript Request (2).pdf
[2009/03/31 23:35:48 | 00,001,831 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Windows Live Messenger .lnk
[2009/03/27 02:58:38 | 01,203,922 | ---- | M] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/03/27 00:26:27 | 00,016,320 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\LC_UF_UOT.wpd
 
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: St.Anger_561_ on April 25, 2009, 03:39:02 PM
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >


Holy smokes, what a bunch of stuff is in this log!!! It also gave me another log, called an extraol2.list; I guess I should post that too?
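For anyone triaging a log like the one posted above, the following is an added example (editor's code, not OTListIt2's own and not anything posted in this thread). It parses the three line shapes OTL prints in the "Files/Folders - Created/Modified Within 30 Days", "O20 - Winlogon\Notify" and "Alternate Data Streams" sections and applies four review heuristics: a PE file under %SystemRoot% with no company string, a Winlogon notification package whose DLL resolves to "File not found", any alternate data stream, and any touch of the hosts file. The sample lines are copied verbatim from the log above; the rule names, the `FileEntry`/`Finding` types and the thresholds are this example's own choices. A hit means "look at this", not "this is malware": lsdelete.exe is flagged only because it carries no company string, and the log itself shows it was created within minutes of the Lavasoft driver and Ad-Aware scheduled jobs, so timeline context has to be weighed alongside the hit.

```python
r"""Triage helper for OTListIt2 (OTL) log lines (added example, not OTL code)."""
import re
from typing import List, NamedTuple, Optional

# [2009/04/19 15:27:08 | 00,028,544 | ---- | C] (Panda Security, S.L.) -- C:\...\pavboot.sys
# attrs are R/H/S/D flags, kind is C (created) or M (modified); directory lines carry no "(company)".
FILE_RE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-RHSD]{4}) \| (?P<kind>[CM])\](?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)
# O20 - Winlogon\Notify\WRNotifier: DllName - WRLogonNTF.dll -  File not found
WINLOGON_RE = re.compile(
    r"^O20 - Winlogon\\Notify\\(?P<key>[^:]+): DllName - (?P<dll>.+?) - +(?P<resolved>.+)$"
)
# @Alternate Data Stream - 125 bytes -> C:\...\TEMP:5C321E34
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<nbytes>\d+) bytes -> (?P<target>.+)$")

PE_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx")
SYSTEMROOT = "c:\\windows\\"   # assumption: the log is from a default C:\WINDOWS install, as above


class FileEntry(NamedTuple):
    stamp: str
    size: int
    hidden: bool
    system: bool
    is_dir: bool
    created: bool      # True for a "C" line, False for an "M" (modified) line
    company: str       # empty when OTL printed "()" or the line had no company field
    path: str


class Finding(NamedTuple):
    rule: str
    path: str


def parse_file_line(line: str) -> Optional[FileEntry]:
    """Decode one Files/Folders line; None for any other line shape."""
    m = FILE_RE.match(line.rstrip())
    if not m:
        return None
    attrs = m["attrs"]
    return FileEntry(
        stamp=m["stamp"],
        size=int(m["size"].replace(",", "")),
        hidden="H" in attrs,
        system="S" in attrs,
        is_dir=attrs[3] == "D",
        created=m["kind"] == "C",
        company=(m["company"] or "").strip(),
        path=m["path"].rstrip(),
    )


def review_otl(text: str) -> List[Finding]:
    """Run the heuristics over every line of an OTL log and return the hits in log order."""
    findings: List[Finding] = []
    for line in text.splitlines():
        line = line.rstrip()
        entry = parse_file_line(line)
        if entry:
            low = entry.path.lower()
            # A PE under %SystemRoot% with no company string has no version resource;
            # Microsoft and most vendor binaries do, so it deserves a look.
            if (not entry.is_dir and low.startswith(SYSTEMROOT)
                    and low.endswith(PE_EXT) and not entry.company):
                findings.append(Finding("no-company-pe", entry.path))
            # The hosts file is the classic place to block AV update servers.
            if low.endswith("\\drivers\\etc\\hosts"):
                findings.append(Finding("hosts-file-touched", entry.path))
            continue
        m = WINLOGON_RE.match(line)
        if m and m["resolved"].strip() == "File not found":
            # The registry still names a logon-time DLL that is not on disk: usually an
            # uninstall leftover, but it is a load-on-logon slot, so confirm and clean it.
            findings.append(Finding("orphaned-winlogon-notify", m["dll"].strip()))
            continue
        m = ADS_RE.match(line)
        if m:
            # NTFS alternate data streams do not show in Explorer or dir; inspect the content.
            findings.append(Finding("alternate-data-stream", m["target"].strip()))
    return findings


# Sample lines copied verbatim from the log posted in this thread.
SAMPLE_LOG = r"""
[2009/04/25 08:45:13 | 00,000,853 | ---- | M] () -- C:\WINDOWS\System32\drivers\ETC\HOSTS
[2009/04/19 15:27:08 | 00,028,544 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[2009/04/19 03:21:39 | 00,000,000 | -HSD | C] -- C:\found.000
[2009/04/18 11:40:35 | 00,015,688 | ---- | C] () -- C:\WINDOWS\System32\lsdelete.exe
[2005/04/24 00:51:03 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\sys_dll.dll
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\SYSTEM32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\WRNotifier: DllName - WRLogonNTF.dll -  File not found
@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
"""

if __name__ == "__main__":
    for hit in review_otl(SAMPLE_LOG):
        print(f"{hit.rule:26} {hit.path}")
```

Run it over a whole OTL.Txt by reading the file and passing its text to review_otl; the zero-byte sys_dll.dll and the orphaned WRNotifier entry are the kind of items a helper normally asks about next.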
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: St.Anger_561_ on April 25, 2009, 03:39:41 PM
OTListIt Extras logfile created on: 4/25/2009 9:12:06 AM - Run 1
OTListIt2 by OldTimer - Version 2.0.14.0     Folder = C:\Documents and Settings\Levent Canyas\My Documents
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
1.25 Gb Total Physical Memory | 0.90 Gb Available Physical Memory | 72.42% Memory free
1.48 Gb Paging File | 1.32 Gb Available in Paging File | 88.97% Paging File free
Paging file location(s): C:\pagefile.sys 384 768;
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.46 Gb Total Space | 33.09 Gb Free Space | 44.45% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 54.21 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
Drive G: | 1.94 Gb Total Space | 1.80 Gb Free Space | 92.54% Space Free | Partition Type: FAT
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: D3Z3PF41
Current User Name: Levent Canyas
Logged in as Administrator.
 
Current Boot Mode: SafeMode
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
"DisableMonitoring" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
"DisableMonitoring" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Connect
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Connect
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Connect
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Connect
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Connect
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Connect
 
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: St.Anger_561_ on April 25, 2009, 03:40:13 PM
========== Authorized Applications List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2007/10/18 11:34:02 | 05,724,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
[2007/10/02 17:18:24 | 00,304,488 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/04/13 20:12:28 | 01,695,232 | -HS- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe:*:Disabled:Windows Messenger
[2008/04/13 20:12:25 | 01,414,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\mmc.exe:*:Disabled:Microsoft Management Console
[2007/08/30 18:43:18 | 00,091,376 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Disabled:Yahoo! FT Server
[2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2006/02/19 05:21:22 | 00,288,472 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe
[2006/02/19 06:24:52 | 00,239,320 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe
[2006/04/21 01:13:30 | 00,231,000 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe
[2006/04/20 22:28:12 | 00,040,960 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe
[2006/04/21 00:43:46 | 00,087,640 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe
[2006/02/17 01:19:34 | 00,192,512 | ---- | M] () -- C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe
[2006/02/16 23:49:52 | 01,085,440 | R--- | M] (Hewlett-Packard) -- C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe
[2006/04/21 01:06:26 | 00,181,848 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpqCopy.exe:*:Enabled:hpqcopy.exe
[2006/02/15 11:37:26 | 00,147,511 | R--- | M] (Hewlett-Packard) -- C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe:*:Enabled:hpfccopy.exe
[2006/04/21 01:13:00 | 00,456,280 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe
[2006/02/09 17:43:36 | 00,110,592 | R--- | M] (Hewlett-Packard) -- C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe
[2006/02/09 17:41:28 | 00,573,440 | ---- | M] ( ) -- C:\Program Files\HP\Digital Imaging\Unload\HpqDIA.exe:*:Enabled:hpqdia.exe
[2006/04/21 00:42:18 | 00,063,064 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe
[2006/02/19 06:29:46 | 00,139,264 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe
[2009/04/25 07:17:15 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox
[2007/08/30 18:43:18 | 04,670,704 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Disabled:Yahoo! Messenger
[2008/02/08 11:04:44 | 00,072,264 | ---- | M] (Kaspersky Lab) -- C:\kav\kav7\setup.exe:*:Enabled:Kaspersky Anti-Virus 7.0 Setup
[2007/10/18 11:34:02 | 05,724,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
[2007/10/02 17:18:24 | 00,304,488 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)
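The firewall sections above are raw registry values, and the field that matters most is easy to miss by eye: the scope. Every GloballyOpenPorts entry in this log is "LocalSubNet" (reachable only from the same subnet), while the enabled AuthorizedApplications entries, Firefox, the Windows Live Messenger pair, the HP tools and a leftover Kaspersky 7.0 setup.exe exception, are "*" (any remote address). The following is an added example (editor's code, not OTL's and not posted by anyone in this thread) that decodes both lists plus EnableFirewall/DoNotAllowExceptions and returns the enabled exceptions open to any address. The sample is copied from the log above except for one constructed 3389/TCP line, labelled as such, included so that a port exception with "*" scope is exercised too; the `FirewallException` type and the function names are this example's own.

```python
r"""Decode Windows XP firewall policy lines as OTL prints them (added example, not OTL code).

Values live under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy.
A port exception is  "port:proto:scope:state:name";
an application one is "path:scope:state:name", which OTL prefixes with the file's
"[stamp | size | attrs | M] (company) -- ".  scope "*" = any remote address,
"LocalSubNet" = same subnet only, otherwise a comma-separated address list.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

PROFILE_RE = re.compile(r"FirewallPolicy\\(?P<profile>DomainProfile|StandardProfile)")
LIST_RE = re.compile(r"\\(?P<kind>GloballyOpenPorts|AuthorizedApplications)\\List")
SETTING_RE = re.compile(r'^"(?P<key>EnableFirewall|DoNotAllowExceptions)" = (?P<val>\d+)$')
PORT_RE = re.compile(
    r'^"(?P<port>\d+):(?P<proto>TCP|UDP)" = \d+:(?:TCP|UDP):'
    r"(?P<scope>[^:]+):(?P<state>Enabled|Disabled):(?P<name>.*)$"
)
# The path contains "C:", so anchor on the Enabled/Disabled field instead of splitting on ":".
APP_RE = re.compile(r"^(?P<path>.+?):(?P<scope>[^:]+):(?P<state>Enabled|Disabled):(?P<name>.*)$")


class FirewallException(NamedTuple):
    profile: str   # DomainProfile or StandardProfile
    kind: str      # "port" or "app"
    target: str    # "1900/UDP" or the executable path
    scope: str     # "*", "LocalSubNet" or an address list
    enabled: bool
    name: str


def parse_firewall_policy(text: str) -> Tuple[Dict[Tuple[str, str], int], List[FirewallException]]:
    """Return ({(profile, setting): value}, [FirewallException, ...]) in log order."""
    settings: Dict[Tuple[str, str], int] = {}
    entries: List[FirewallException] = []
    profile = kind = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("[HKEY_", "HKEY_")):
            # A new registry key: note which profile and which list the next values belong to.
            p, k = PROFILE_RE.search(line), LIST_RE.search(line)
            profile = p["profile"] if p else None
            kind = k["kind"] if k else None
            continue
        m = SETTING_RE.match(line)
        if m and profile:
            settings[(profile, m["key"])] = int(m["val"])
            continue
        if kind == "GloballyOpenPorts" and profile:
            m = PORT_RE.match(line)
            if m:
                entries.append(FirewallException(profile, "port", f"{m['port']}/{m['proto']}",
                                                 m["scope"], m["state"] == "Enabled", m["name"]))
        elif kind == "AuthorizedApplications" and profile:
            # Drop OTL's "[stamp | size | attrs | M] (company) -- " prefix, keep the registry value.
            m = APP_RE.match(line.split(" -- ", 1)[-1])
            if m:
                entries.append(FirewallException(profile, "app", m["path"],
                                                 m["scope"], m["state"] == "Enabled", m["name"]))
    return settings, entries


def exposed_to_any_address(entries: List[FirewallException]) -> List[FirewallException]:
    """Enabled exceptions with scope '*': reachable from every remote address, not just the LAN."""
    return [e for e in entries if e.enabled and e.scope == "*"]


# Copied from the log in this thread, except the 3389/TCP line, which is constructed.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop (constructed line, not from the thread)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2008/04/13 14:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008/04/13 20:12:28 | 01,695,232 | -HS- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe:*:Disabled:Windows Messenger
[2008/04/13 20:12:25 | 01,414,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\mmc.exe:*:Disabled:Microsoft Management Console
[2009/04/25 07:17:15 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox
[2008/02/08 11:04:44 | 00,072,264 | ---- | M] (Kaspersky Lab) -- C:\kav\kav7\setup.exe:*:Enabled:Kaspersky Anti-Virus 7.0 Setup
"""

if __name__ == "__main__":
    cfg, found = parse_firewall_policy(SAMPLE)
    print(cfg)
    for e in exposed_to_any_address(found):
        print(f"{e.profile:16} {e.kind:4} {e.target}  ({e.name})")
```

The entries worth questioning are the enabled "*" ones that serve no current purpose; an installer's setup.exe left in the exception list after the product is gone is the usual candidate for removal.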
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: St.Anger_561_ on April 25, 2009, 03:41:15 PM
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: St.Anger_561_ on April 25, 2009, 03:42:09 PM
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: St.Anger_561_ on April 25, 2009, 03:42:42 PM
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: St.Anger_561_ on April 25, 2009, 03:43:15 PM
========== Last 10 Event Log Errors ==========
 
[ Antivirus Events ]
Error - 3/20/2009 7:31:51 AM | Computer Name = D3Z3PF41 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
 C:\DOCUMENTS AND SETTINGS\LEVENT CANYAS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\0YYYPZPN.DEFAULT\PREFS.JS
 failed, 00000005. 
 
Error - 3/21/2009 5:53:45 PM | Computer Name = D3Z3PF41 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
 C:\DOCUMENTS AND SETTINGS\LEVENT CANYAS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\0YYYPZPN.DEFAULT\PREFS.JS
 failed, 00000005. 
 
Error - 3/26/2009 8:49:36 PM | Computer Name = D3Z3PF41 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
 C:\DOCUMENTS AND SETTINGS\LEVENT CANYAS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\0YYYPZPN.DEFAULT\PREFS.JS
 failed, 00000005. 
 
Error - 4/2/2009 7:38:04 PM | Computer Name = D3Z3PF41 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
 C:\DOCUMENTS AND SETTINGS\LEVENT CANYAS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\0YYYPZPN.DEFAULT\PREFS.JS
 failed, 00000005. 
 
Error - 4/2/2009 7:38:05 PM | Computer Name = D3Z3PF41 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
 C:\DOCUMENTS AND SETTINGS\LEVENT CANYAS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\0YYYPZPN.DEFAULT\SESSIONSTORE.JS
 failed, 00000005. 
 
Error - 4/4/2009 9:28:36 PM | Computer Name = D3Z3PF41 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
 C:\DOCUMENTS AND SETTINGS\LEVENT CANYAS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\0YYYPZPN.DEFAULT\PREFS.JS
 failed, 00000005. 
 
Error - 4/4/2009 9:28:36 PM | Computer Name = D3Z3PF41 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
 C:\DOCUMENTS AND SETTINGS\LEVENT CANYAS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\0YYYPZPN.DEFAULT\SESSIONSTORE.JS
 failed, 00000005. 
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: St.Anger_561_ on April 25, 2009, 03:43:48 PM
Error - 4/12/2009 7:22:25 PM | Computer Name = D3Z3PF41 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
 C:\DOCUMENTS AND SETTINGS\LEVENT CANYAS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\0YYYPZPN.DEFAULT\PREFS.JS
 failed, 00000005. 
 
Error - 4/17/2009 8:26:47 PM | Computer Name = D3Z3PF41 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
 C:\WINDOWS\SoftwareDistribution\Download\ff6a3f56b09f733b206809386437d42e\BIT49.tmp
 failed, 00000026. 
 
Error - 4/18/2009 6:21:26 PM | Computer Name = D3Z3PF41 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
 C:\DOCUMENTS AND SETTINGS\LEVENT CANYAS\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\0YYYPZPN.DEFAULT\PREFS.JS
 failed, 00000005. 
 
[ Application Events ]
Error - 3/18/2009 7:26:58 AM | Computer Name = D3Z3PF41 | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft .NET Framework 1.1 -- Error 1706.No valid source
 could be found for product Microsoft .NET Framework 1.1.  The Windows installer
 cannot continue.
 
Error - 3/18/2009 7:26:59 AM | Computer Name = D3Z3PF41 | Source = MsiInstaller | ID = 1024
Description = Product: Microsoft .NET Framework 1.1 - Update '{8D1D0E9A-C799-4D28-9E29-0061D1E66E43}'
 could not be installed. Error code 1603. Windows Installer can create logs to help
 troubleshoot issues with installing software packages. Use the following link for
 instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127
 
Error - 3/19/2009 3:01:01 AM | Computer Name = D3Z3PF41 | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft .NET Framework 1.1 -- Error 1706.No valid source
 could be found for product Microsoft .NET Framework 1.1.  The Windows installer
 cannot continue.
 
Error - 3/19/2009 3:01:02 AM | Computer Name = D3Z3PF41 | Source = MsiInstaller | ID = 1024
Description = Product: Microsoft .NET Framework 1.1 - Update '{8D1D0E9A-C799-4D28-9E29-0061D1E66E43}'
 could not be installed. Error code 1603. Windows Installer can create logs to help
 troubleshoot issues with installing software packages. Use the following link for
 instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: St.Anger_561_ on April 25, 2009, 03:44:17 PM
Error - 3/19/2009 8:21:39 AM | Computer Name = D3Z3PF41 | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft .NET Framework 1.1 -- Error 1706.No valid source
 could be found for product Microsoft .NET Framework 1.1.  The Windows installer
 cannot continue.
 
Error - 3/19/2009 8:21:39 AM | Computer Name = D3Z3PF41 | Source = MsiInstaller | ID = 1024
Description = Product: Microsoft .NET Framework 1.1 - Update '{8D1D0E9A-C799-4D28-9E29-0061D1E66E43}'
 could not be installed. Error code 1603. Windows Installer can create logs to help
 troubleshoot issues with installing software packages. Use the following link for
 instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127
 
Error - 3/20/2009 3:01:03 AM | Computer Name = D3Z3PF41 | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft .NET Framework 1.1 -- Error 1706.No valid source
 could be found for product Microsoft .NET Framework 1.1.  The Windows installer
 cannot continue.
 
Error - 3/20/2009 3:01:03 AM | Computer Name = D3Z3PF41 | Source = MsiInstaller | ID = 1024
Description = Product: Microsoft .NET Framework 1.1 - Update '{8D1D0E9A-C799-4D28-9E29-0061D1E66E43}'
 could not be installed. Error code 1603. Windows Installer can create logs to help
 troubleshoot issues with installing software packages. Use the following link for
 instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127
 
Error - 3/20/2009 10:53:43 PM | Computer Name = D3Z3PF41 | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft .NET Framework 1.1 -- Error 1706.No valid source
 could be found for product Microsoft .NET Framework 1.1.  The Windows installer
 cannot continue.
 
Error - 3/20/2009 10:53:44 PM | Computer Name = D3Z3PF41 | Source = MsiInstaller | ID = 1024
Description = Product: Microsoft .NET Framework 1.1 - Update '{8D1D0E9A-C799-4D28-9E29-0061D1E66E43}'
 could not be installed. Error code 1603. Windows Installer can create logs to help
 troubleshoot issues with installing software packages. Use the following link for
 instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127
 
[ System Events ]
Error - 4/25/2009 8:37:01 AM | Computer Name = D3Z3PF41 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
 arguments ""  in order to run the server:  {A1F4E726-8CF1-11D1-BF92-0060081ED811}
 
Error - 4/25/2009 8:37:04 AM | Computer Name = D3Z3PF41 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
 arguments ""  in order to run the server:  {BA126AE5-2166-11D1-B1D0-00805FC1270E}
 
Error - 4/25/2009 8:37:04 AM | Computer Name = D3Z3PF41 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
 arguments ""  in order to run the server:  {A1F4E726-8CF1-11D1-BF92-0060081ED811}
 
Error - 4/25/2009 8:37:04 AM | Computer Name = D3Z3PF41 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
 arguments ""  in order to run the server:  {A1F4E726-8CF1-11D1-BF92-0060081ED811}
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: St.Anger_561_ on April 25, 2009, 03:46:21 PM
Error - 4/25/2009 8:38:07 AM | Computer Name = D3Z3PF41 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
 arguments ""  in order to run the server:  {A1F4E726-8CF1-11D1-BF92-0060081ED811}
 
Error - 4/25/2009 8:39:04 AM | Computer Name = D3Z3PF41 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
 arguments ""  in order to run the server:  {A1F4E726-8CF1-11D1-BF92-0060081ED811}
 
Error - 4/25/2009 8:41:38 AM | Computer Name = D3Z3PF41 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
 arguments ""  in order to run the server:  {A1F4E726-8CF1-11D1-BF92-0060081ED811}
 
Error - 4/25/2009 8:46:10 AM | Computer Name = D3Z3PF41 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
 arguments ""  in order to run the server:  {BA126AE5-2166-11D1-B1D0-00805FC1270E}
 
Error - 4/25/2009 9:10:11 AM | Computer Name = D3Z3PF41 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
 arguments ""  in order to run the server:  {A1F4E726-8CF1-11D1-BF92-0060081ED811}
 
Error - 4/25/2009 9:11:12 AM | Computer Name = D3Z3PF41 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
 arguments ""  in order to run the server:  {A1F4E726-8CF1-11D1-BF92-0060081ED811}
 
 < End of report >

Wow, what a lot of information... I am going to attempt to run the rescue disk next on the infected cpu.


Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: micky77 on April 25, 2009, 04:02:45 PM
It appears you ran the OT scan in safe mode. This is the first time I've examined a log in detail, so hopefully some others may help. I would do another scan in normal mode. Only this time do not copy/paste the log, but post it as an attachment.

Can you go to C:\WINDOWS\System32\sys_dll.dll and copy/paste sys_dll.dll to the desktop, then send it to VirusTotal

http://www.virustotal.com/ (http://www.virustotal.com/)

and RMAgentOutput.dll in C:\WINDOWS\RMAgentOutput.dll
and twain_16.dll in C:\WINDOWS\twain_16.dll
and qt-mt331.dll in C:\WINDOWS\System32\qt-mt331.dll
and Welsof32.dll in C:\WINDOWS\System32\Welsof32.dll
and zwpshex.dll in C:\WINDOWS\zwpshex.dll
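micky77's reading that the scan was run in safe mode can be checked against the event-log section of the report itself: the DCOM 10005 entries carry Win32 error 1084 (ERROR_NOT_SAFEBOOT_SERVICE, "this service cannot be started in Safe Mode"), and the avast! entries carry 5 (ERROR_ACCESS_DENIED). The Python below is an added example, not part of the thread or of OTL; it parses a constructed sample in the same layout (placeholder host and paths) and maps the codes, assuming avast! prints its code as eight hex digits.

```python
import re
from collections import Counter

# Constructed sample in the layout of OTL's "Last 10 Event Log Errors" section
# (made up for this example; host name and paths are placeholders, not the poster's).
SAMPLE_LOG = """\
[ Antivirus Events ]
Error - 4/18/2009 6:21:26 PM | Computer Name = PC-NAME | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
 C:\\DOCUMENTS AND SETTINGS\\USER\\APPLICATION DATA\\MOZILLA\\FIREFOX\\PROFILES\\X.DEFAULT\\PREFS.JS
 failed, 00000005.

Error - 4/17/2009 8:26:47 PM | Computer Name = PC-NAME | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
 C:\\WINDOWS\\SoftwareDistribution\\Download\\PLACEHOLDER\\BIT49.tmp
 failed, 00000026.

[ System Events ]
Error - 4/25/2009 8:37:01 AM | Computer Name = PC-NAME | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
 arguments ""  in order to run the server:  {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 4/25/2009 8:37:04 AM | Computer Name = PC-NAME | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
 arguments ""  in order to run the server:  {BA126AE5-2166-11D1-B1D0-00805FC1270E}
"""

HEADER = re.compile(
    r"^Error - (?P<when>.+?) \| Computer Name = (?P<host>.+?) \| "
    r"Source = (?P<source>.+?) \| ID = (?P<event_id>\d+)\s*$"
)
CATEGORY = re.compile(r"^\[ (?P<name>.+?) \]\s*$")
AVAST_ERR = re.compile(r"avfilesScanReal of (?P<path>.+?) failed, (?P<code>[0-9A-Fa-f]{8})\.")
DCOM_ERR = re.compile(r'got error "%(?P<code>\d+)" attempting to start the service (?P<svc>\S+)')

# Win32 system error codes that occur in this log (names from winerror.h).
WIN32 = {5: "ERROR_ACCESS_DENIED", 38: "ERROR_HANDLE_EOF", 1084: "ERROR_NOT_SAFEBOOT_SERVICE"}


def parse_events(text):
    """One dict per 'Error - ...' entry, with the wrapped description joined into one string."""
    events, current, category = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        cat = CATEGORY.match(line)
        if cat:                       # "[ System Events ]" starts a new category
            category, current = cat.group("name"), None
            continue
        head = HEADER.match(line)
        if head:
            current = dict(head.groupdict(), category=category, description="")
            current["event_id"] = int(current["event_id"])
            events.append(current)
            continue
        if current is not None:       # continuation line of the current description
            if line.startswith("Description = "):
                line = line[len("Description = "):]
            current["description"] = (current["description"] + " " + line).strip()
    return events


def decode(event):
    """Map one event to (win32 code, symbolic name, detail), or None if the text is not recognised."""
    desc = event["description"]
    m = AVAST_ERR.search(desc)
    if m:
        # Assumption: avast! writes the code as 8 hex digits (code 5 reads the same either way).
        code = int(m.group("code"), 16)
        return code, WIN32.get(code, "UNKNOWN"), m.group("path")
    m = DCOM_ERR.search(desc)
    if m:
        code = int(m.group("code"))
        return code, WIN32.get(code, "UNKNOWN"), m.group("svc")
    return None


def triage(text):
    """Summarise what the error section says about the state the log was captured in."""
    summary = {"events": 0, "by_code": Counter(), "safe_mode_services": [], "access_denied": []}
    for ev in parse_events(text):
        summary["events"] += 1
        decoded = decode(ev)
        if decoded is None:
            continue
        code, name, detail = decoded
        summary["by_code"][(ev["source"], name)] += 1
        if ev["source"] == "DCOM" and code == 1084:
            # The service refused to start because the machine was in Safe Mode, so the
            # rest of the log reflects a reduced set of running services and drivers.
            summary["safe_mode_services"].append(detail)
        if ev["source"] == "avast!" and code == 5:
            summary["access_denied"].append(detail)
    summary["safe_mode_evidence"] = bool(summary["safe_mode_services"])
    return summary


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```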
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: St.Anger_561_ on April 26, 2009, 07:00:22 PM
Thanks for the tip Micky77, I am on the case again and running the scan now. I will post as an attachment this time. Also good news, in a sense: the silly spyhunt program that I d/l from that shady website was on the infected cpu, not my clean one!! So hopefully my 2nd cpu is still clean. Thanks again for the advice and help.
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: micky77 on April 26, 2009, 07:45:24 PM
Have you made any progress?
What happened with DrWeb, that was finding lots of things?
Did you run the Avira disc?
Did you analyse those 6 files at VirusTotal?
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: St.Anger_561_ on April 26, 2009, 08:32:44 PM
Update time again.  Here is what I have found thus far:

I tried sending the 6 files to VirusTotal, but here is what I get:

sys_dll.dll = 0-byte file; apparently there is no data in this file? I double-checked in my system32 file for properties and it tells me this file is 0 bytes and it has a size on disk of 4 KB, so this was not scanned by the website.

RMAgentOutput.dll - eSafe = suspicious, VBA32 = Trojan.win32.Agent.avfi - is this my trojan?

Qt-mt331.dll = 3.22 MB file = I tried to upload this with both IE 8.0 and Firefox. The website told me at first that it was already analyzed, but then it would not let me click on analyze again or show last report. Instead both of these options were grayed out and the bottom of my web browser says done, but with error on page. I could try to put this file on a jump drive and try to upload from my clean cpu, but I am worried about infecting that one.

Welsof32.dll = clear 0/40

zwpshex.dll = clear 0/40

twain_16.dll = clear 0/40

Dr. Web somehow seems to have disappeared from my infected cpu, which is rather odd b/c I do not remember uninstalling it.

I will run the avira disc next after I try drweb once again.  Thanks again for all your help!
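Two of the results above are worth handling before anything is copied to a second machine: a 0-byte file has nothing to submit, and a file VirusTotal reports as "already analyzed" can be looked up by its hash instead of re-uploaded. The Python below is an added example (not from the thread or from any of the tools named) that sizes and hashes files in place and sorts them into those cases; the files it creates are constructed stand-ins, not the poster's real DLLs.

```python
import hashlib
import os
import tempfile

# Digest of the empty input: a 0-byte "DLL" hashes to exactly this and carries no code at all.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def fingerprint(path, chunk_size=1 << 16):
    """Size, SHA-256, MD5 and whether the file starts with the PE 'MZ' signature."""
    size = os.path.getsize(path)
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        head = fh.read(2)
        sha256.update(head)
        md5.update(head)
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return {"path": path, "size": size, "sha256": sha256.hexdigest(),
            "md5": md5.hexdigest(), "pe_magic": head == b"MZ"}


def classify(fp):
    """Decide what to do with one file before it goes anywhere."""
    if fp["size"] == 0:
        return "empty"            # nothing to analyse; record it and move on
    if fp["path"].lower().endswith((".dll", ".exe", ".sys")) and not fp["pe_magic"]:
        return "not-pe"           # named like a binary but is not one: worth a closer look
    return "lookup-by-hash"       # search the hash first; upload only if no report exists


def triage(paths):
    """Return {path: (verdict, sha256)}; a missing path is reported rather than raised."""
    result = {}
    for p in paths:
        if not os.path.isfile(p):
            result[p] = ("missing", None)
            continue
        fp = fingerprint(p)
        result[p] = (classify(fp), fp["sha256"])
    return result


def demo():
    """Constructed files standing in for the ones named in the thread (not the real files)."""
    d = tempfile.mkdtemp()
    empty = os.path.join(d, "sys_dll.dll")
    open(empty, "wb").close()                                  # 0 bytes, like the report above
    pe = os.path.join(d, "qt-mt331.dll")
    with open(pe, "wb") as fh:                                 # minimal fake PE header
        fh.write(b"MZ" + b"\x90" * 62 + b"PE\0\0" + b"\0" * 100)
    text = os.path.join(d, "twain_16.dll")
    with open(text, "wb") as fh:                               # a .dll that is not a PE image
        fh.write(b"just text, not a PE image\n")
    return triage([empty, pe, text, os.path.join(d, "nope.dll")])


if __name__ == "__main__":
    for path, (verdict, digest) in demo().items():
        print(f"{verdict:15} {digest or '-':64} {os.path.basename(path)}")
```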
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: St.Anger_561_ on April 26, 2009, 09:00:05 PM
I ran Dr. Web under "express scan", which I did under normal Windows operation; however, this did not turn up anything yet, so I am running a complete scan now, will update you on that asap.

I am going to give the rescue disk a shot next, but I will upload my ot2list scan first, which I have done.

Thanks again for all of your help.  I think I am seeing the light near the end of the tunnel.
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: St.Anger_561_ on April 27, 2009, 01:50:54 AM
OK, I ran a thorough scan with the most recent Dr. Web updated program and here is what it told me:

inst.#xe in a folder for aoldownloads/triton_suite_instal6.0.28.3, probable back door trojan - was renamed

sdcmon.#ll in a folder for C:programfiles/support.com/bin, probable Dloader.trojan - was renamed.

I am running the rescue disc now *fingers crossed*, will update again very soon.
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: St.Anger_561_ on April 27, 2009, 02:53:30 AM
I tried several times, but apparently I cannot boot from the Avira rescue CD, arrgh!! Maybe I am missing something?

I went into my system BIOS, as below, but here is what happened:

I tried going into the boot sequence by hitting F12 and I hit 4 for the IDE CD-ROM device, but it booted into Windows.

I then tried to reboot and hit F2 for the system setup, then I went into the boot sequence and moved the IDE CD-ROM Device into spot 1, but it booted into Windows.

I then rebooted, hit F2 for system setup, this time I moved the hard disk to slot 3, and it booted into Windows again.

I rebooted again, F2 for system setup, then I chose to disable the diskette drive and the hard disk drive C, so I only had the IDE CD-ROM device chosen for the boot.

This time I just kept getting the following message: strike F1 to retry boot, F2 for setup utility.

I hit F1 a few times, but I just got the same message. I then tried putting the rescue CD into my 2nd CD drive, but I got the same message about striking F1 to retry boot, F2 for setup utility.

Eh, should I try to mess around with the boot sequence option 7: boot to Utility Partition?

I tried the IDE Drive Diagnostics under the boot device menu and it says the following info:

My primary IDE: Drive 0 : ste with some numbers - Pass, drive 1: no IDE device
My secondary IDE : Drive 0 - Lite-on combo - diagnostics not supported, drive 1: no IDE device

I don't know what else to try... I was thinking a different rescue disk, but I fear it will have the same outcome.

I am certainly willing to try a different rescue disk and open to any other suggestions, I feel like I hit a brick wall at this point.

Thanks for all your time and suggestions and expertise thus far. 
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: micky77 on April 27, 2009, 07:15:04 AM
I don't think you should mess too much with your settings. Try another disc (different batch), try a DVD, and try a different download link:
http://www.free-av.com/en/products/12/avira_antivir_rescue_system.html (http://www.free-av.com/en/products/12/avira_antivir_rescue_system.html)
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: micky77 on April 27, 2009, 07:09:23 PM
OK, I have looked at the log again (and again and again ;D). There are two more files I would like you to send to VirusTotal. They are

npf.sys in C:\WINDOWS\system32\drivers\npf.sys and

winsusrm.dll in C:\WINDOWS\System32\winsusrm.dll

http://www.virustotal.com/ (http://www.virustotal.com/)
If it says they have already been analysed, re-analyse them please.
If you cannot get the rescue disc to work, and scans from MBAM, SAS, and Avast are clean, there are only two more options I can think of: one is SDFix and the other Combofix. We will wait to see what progress you have made first, with the disc and file results. If you have to run Combofix, I will need to ask someone more experienced to help you (if I can find someone willing ;D).

I take it you are still being redirected, Avast is still not updating, the browser is crashing, and no online scanners work?

I won't look at the log again, so if you could report back with

1 Progress with Rescue disc
2 Results of file analysis
3 Current problems with pc
Thanks
 
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: micky77 on April 28, 2009, 06:15:10 PM
Hi St.Anger_561_, as we are not making as much progress as I hoped, I have asked for any advice. Thankfully a very senior member offered some (many thanks).

Update Java

Upgrading Java:
Clean FF with GooredFix

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1 (http://jpshortstuff.247fixes.com/GooredFix.exe)
Download Mirror #2 (http://downloads.securitycadets.com/GooredFix.exe)
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

Run OTLI
Run OTList2.exe

Under the Custom Scans/Fixes box at the bottom, paste in the following (not the word Quote)

Quote
:OTLI
[2009/04/19 23:03:00 | 00,356,352 | ---- | C] (eSellerate Inc.) -- C:\WINDOWS\eSellerateEngine.dll
[2009/04/19 23:03:00 | 00,081,920 | ---- | C] (eSellerate Inc.) -- C:\WINDOWS\eSellerateControl350.dll

:Commands
[purity]
[emptytemp]
[Reboot]

# Then click the Run Fix button at the top
# Let the program run unhindered, reboot when it is done
#  Then post a new OTL2 log

Also reset the trusted domains

Right-Click Here (http://www.mvps.org/winhelp2002/DelDomains.inf) and Save As to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Finally remove Adobe, and replace with Foxit

http://filehippo.com/download_foxit/ (http://filehippo.com/download_foxit/)

Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: St.Anger_561_ on April 29, 2009, 01:53:39 PM
Hello Micky, I wanted to post here in regards to a status update.  Unfortunately my job has me working like a slave, again, and I am not one of the employees privileged enough to work from home.  Therefore I have not been able to put much work into my cpu at home over the past several days.  However I do plan on performing what I can that you have advised me to during my lunch break, particularly the downloading of the programs which I can do and then transfer via a jump drive to my monster of a cpu at home.  I truly appreciate all of your help!  I am confident that this can be solved and I will not give up easily.  I am a soldier, like my father before me was.  Thank you for your direction and expertise and time.
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: St.Anger_561_ on May 09, 2009, 04:46:56 PM
ok I finally have a status update!  Thanks for your patience Micky.   here it goes: 

Firstly I downloaded a second copy of the Avira rescue disk from the new link.  This time the disc seems to be working, however the problem that I am having is with the display.  When it loads I cannot see the entire screen, therefore I cannot click on the flag to change it to English and I cannot click on the option to run the virus scanner.  I have attempted to reboot my cpu after changing the graphic properties, specifically the screen area, hoping one would allow me to see the entire screen, but this is not working the way I had hoped.

Secondly I sent those 2 files to virus total, they both came back with 0/40 hits.

Thirdly I ran the Java as you instructed and removed all of the previous Java versions from my system, then I ran the GooredFix program, then I reset the trusted domains and removed Adobe and installed Foxit.

Finally I have run the OTList and the fix as you instructed, I am attaching the logs now.  Thank you again for your time, expertise, and assistance.

Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: St.Anger_561_ on May 09, 2009, 04:49:28 PM
I wasn't sure which log to post, that last log showed the removed files.   I am now posting the log for the scan that I ran immediately after the fix. 

I will wait to hear from you regarding using a different rescue disk or if you can advise about what to do with the Avira rescue disk. 

Thanks again for your time and patience and expertise.
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: micky77 on May 09, 2009, 07:10:25 PM
Hi St.Anger_561_, can you state exactly what problems you still have, e.g. redirections, Avast not updating etc.

The logs you posted are all scrambled, can you still see eSellerateEngine.dll in C:\WINDOWS\eSellerateEngine.dll ?
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: St.Anger_561_ on May 12, 2009, 01:36:12 PM
Hello Micky77.  I do not see eSellerateEngine.dll anywhere.  As far as the problems I am having, Avast is still not updating, also MBAM is not updating.  Avast is giving me an error "packet broken" and MBAM tells me "you have the most recent update" but I know this is not true; MBAM is updating on my other system.

I have not been using my infected system very much, but I am pretty confident that it is still redirecting the browser.  I will try to use my infected pc some more this evening when I get home to see if I can reproduce the errors and crashes it was having.  Thank you again for your time.

I do not know why the logs were all scrambled.  That is strange, I can try to post them again, if you wish.  Thank you again for your time.
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: Lisandro on May 12, 2009, 01:52:51 PM
Sorry, the thread is too long to find it out...
Is your hosts file clean?

It sounds like a hosts file problem. Check the contents of the file at the location for your operating system.

Windows 95 - C:\windows
Windows 98 - C:\windows
Windows Me - C:\windows
Windows 2000 - C:\windows\system32\drivers\etc
Windows XP - C:\windows\system32\drivers\etc
Windows NT - C:\winnt\system32\drivers\etc
Windows Vista - C:\winnt\system32\drivers\etc

Note: the file does not have an extension, it's simply hosts

Remove any reference to avast from the file. The file can be viewed with notepad.

The default file consists of a number of example lines preceded with #. The only required line is
127.0.0.1       localhost

You can get a good replacement and more info on what the hosts file does from here

http://www.mvps.org/winhelp2002/hosts.htm

HOSTS file redirection is a common malware tactic to block AV sites, making it difficult to remove malware. Check your HOSTS file using notepad or a text editor of your choice and look for entries with avast.com on the line; you may well see other AV sites.
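An added example, not part of the thread, that automates the hosts-file check described above: it parses a hosts file, flags lines that map an AV or update domain to loopback (blocked) or to some other address (redirected), and writes a cleaned copy that keeps comments and the default localhost line. The sample file and the vendor watchlist are constructed for the example.

```python
# Constructed sample hosts file, modelled on the symptom in this thread:
# the required localhost line plus entries that silently break AV updates.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       avast.com
127.0.0.1       www.avast.com
0.0.0.0         malwarebytes.org
10.0.0.5        virustotal.com
"""

# Constructed watchlist of domains a clean hosts file has no reason to name.
WATCHED_SUFFIXES = ("avast.com", "malwarebytes.org", "virustotal.com",
                    "microsoft.com", "windowsupdate.com")

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:                    # one line may list several names
            yield ip, name.lower()

def is_default_line(ip, name):
    """The only line the default file needs: localhost -> loopback."""
    return name == "localhost" and ip in ("127.0.0.1", "::1")

def suspicious_entries(text):
    """Return (name, ip, kind) for every watched domain found in the file."""
    hits = []
    for ip, name in parse_hosts(text):
        if is_default_line(ip, name):
            continue
        if any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES):
            kind = "sinkholed" if ip in LOOPBACK else "redirected"
            hits.append((name, ip, kind))
    return hits

def clean_hosts(text):
    """Rewrite the file with offending lines dropped; comments are kept."""
    kept = [raw for raw in text.splitlines()
            if not suspicious_entries(raw.split("#", 1)[0])]
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    # On Windows XP the real file is C:\windows\system32\drivers\etc\hosts.
    for name, ip, kind in suspicious_entries(SAMPLE_HOSTS):
        print(f"{kind}: {name} -> {ip}")
```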
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: micky77 on May 12, 2009, 05:11:50 PM
  I do not see eSellerateEngine.dll anywhere. 
Hello again, because we didn't seem to be having much success, I asked if someone more experienced would run through the thread. He kindly did, and examined your log. I'm not sure if eSellerateEngine.dll would be responsible for your problems, but it should be removed. In the scrambled log it said C:\WINDOWS\eSellerateEngine.dll  NOT unregistered. No need to post any more logs. As he did not see anything else bad, I assume there is no malware on your pc (mbam did initially remove some malware). Hence the recommendation to run GooredFix etc.
It's possible the pc is clean but your hosts file still has bad entries. You could try using this tool to clear your hosts file. There is no need to install this program, just run it from where you download it to.

http://www.funkytoad.com/index.php?option=com_content&task=view&id=13&Itemid=&28d444df85eb4f435055ed9d39c02f03=e10955cd0fb40d35143be6e908fcb198 (http://www.funkytoad.com/index.php?option=com_content&task=view&id=13&Itemid=&28d444df85eb4f435055ed9d39c02f03=e10955cd0fb40d35143be6e908fcb198)

# Run HostsXpert 4.2 - Hosts File Manager
# Click on "File Handling".
# Click on "Restore MS Hosts File".
# Click OK on the Confirmation box.
# Click on "Make Read Only?"
# Click the X to exit the program.

Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: St.Anger_561_ on May 13, 2009, 02:08:25 PM
well I truly appreciate your help Micky and Tech too, but I think there is still a trojan on my system. 

My avast will still not update and MBAM will still not update, although I am getting different error messages than I was before.  Also I have double checked the hosts file, there are no entries in it at all.  The only listing there is:

127.0.0.1 local host

I have used the host expert program previously, but I will give it a shot again.

My browser is still being redirected, for example when I clicked on a link in google it redirected me to a white pages listing for local house cleaners, which had nothing to do with what I clicked on.

I did notice another thing, when my wife was using her profile I logged her off of the cpu.  The "logging off" grey box was on the system for several minutes, approximately 3 - 5, before it disappeared.  I found this odd because usually it only takes a matter of seconds before it logs off the system.

Again I do not know what else to do, but I am open to any other suggestions that you or anyone using the forum may have.  I really do not want to reformat my hard drive, but if we have given up here then I suppose I can start a thread in another forum and try it all over again there. 

I appreciate your time, effort, and expertise.
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: micky77 on May 13, 2009, 04:59:46 PM
Ok, try this tool, http://www.bleepingcomputer.com/forums/topic131299.html (http://www.bleepingcomputer.com/forums/topic131299.html)
then run fully updated MBAM and SAS, and post all three logs
Title: Re: KillAV.KI {TRJ} JS:FakeAV-K[TRJ], TRJ[GEN], avast not updatind, Sad But True
Post by: YoKenny on May 13, 2009, 05:09:53 PM
Try these:
MB won't run (Fix), Total-Security (FakeAlert)
http://www.malwarebytes.org/forums/index.php?showtopic=12873
MBAM won't run (Fix), av360 (FakeAlert)
http://www.malwarebytes.org/forums/index.php?showtopic=12713
MBAM won't install or will not run, CLB Rootkit driver=TDSS/Seneka/GAOPDX/UAC/ovfst
http://www.malwarebytes.org/forums/index.php?showtopic=12709

These are the experts so register there and follow the directions:
Hello and welcome to Malwarebytes
http://www.malwarebytes.org/forums/index.php?showtopic=9573