BleepingComputer.com: Unknown Infection

Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

Unknown Infection HJT Log

#1 User is offline   fungusaur 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 2
  • Joined: 05-January 09

Posted 05 January 2009 - 01:14 AM

Howdy folks, I was hoping you could help. If had this little issue where clicking on a link goes directly to yahoo search results and puts me at a Dex Directory page or some other such crud instead of the link. Attached is the HJT log. Can you help me identify the intruder?
Thanks much.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:19 PM, on 1/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe
C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Apple\Mobile Device

Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://qwest.live.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://qwest.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://qwest.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://qwest.live.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =

http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =

http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows

Internet Explorer provided by Qwest
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} -

C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -

C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-

4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll

(file missing)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-

D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -

c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B8C5186E-EC37-4889-9C2E-F73649FFB7BB} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-

64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-

9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} -

C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -

C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}

- C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - (no

file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} -

C:\Program Files\Canon\Easy-WebPrint\Toolband.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program

files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program

Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program

Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program

Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software

Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6

\bin\jusched.exe"
O4 - HKLM\..\Run: [SonicWALLNetExtender] C:\Program Files\SonicWALL\SSL-

VPN\NetExtender\NEGui.exe -hideGUI -clearReboot
O4 - HKLM\..\Run: [QuickCare2.2] C:\Program

Files\Qwest\QuickCare\bin\sprtcmd.exe /P QuickCare2.2
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program

Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows

Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"

/background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common

Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List -

res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print -

res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program

Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program

Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-

82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-

00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Qwest Live - {CAB7AB9C-B59C-4F0F-AF44-5E66FF18DA63} -

http://qwest.live.com (file missing) (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) -

C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6045C5E3-3653-4262-9E3E-0DA3A22A2C1D} (Crystal ActiveX Report

Viewer Web Report Source 10.0) -

https://dmhdowney1.co.la.ca.us/crystalrepor...XControls/Activ


eXViewer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://update.microsoft.com/microsoftupdat.../x86/client/wuw

eb_site.cab?1187910102671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://update.microsoft.com/microsoftupdat.../x86/client/muw

eb_site.cab?1187910085015
O16 - DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} (NELaunchCtrl Class) -

https://remote.olivecrest.org/NELX.cab
O16 - DPF: {79D6214F-CFCE-480F-9901-27950E78F1E6} (WebCacheCleaner Class) -

https://remote.olivecrest.org/MLWebCacheCleaner.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} -

http://a532.g.akamai.net/f/532/6712/5m/vir...mai.com/6712/pl

ayer/install/installer.exe
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} -

http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C86AD249-BEBE-4925-AAF7-

08777166977E}: NameServer = 85.255.115.76,85.255.112.149
O17 - HKLM\System\CCS\Services\Tcpip\..\{D75992ED-6628-422A-8467-

A4A5D27486CA}: NameServer = 85.255.115.76,85.255.112.149
O17 - HKLM\System\CCS\Services\Tcpip\..\{DFEF4468-155B-4878-8A66-

22E1CD7C51B7}: NameServer = 85.255.115.76,85.255.112.149
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.76

85.255.112.149
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.76

85.255.112.149
O22 - SharedTaskScheduler: equiparant - {25b7d2fd-4f71-46d1-801a-

7de323e4ec82} - (no file)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common

Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common

Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel

Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program

Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision

Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel

32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun

Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program

Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel

Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel

Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SonicWALL NetExtender Service (SONICWALL_NetExtender) -

SonicWALL Inc. - C:\Program Files\SonicWALL\SSL-

VPN\NetExtender\NEService.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program

Files\Common Files\SupportSoft\bin\ssrc.exe

--
End of file - 11005 bytes


C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEGui.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\sean-mcauley\Local Settings\Temporary Internet Files\Content.IE5\OOF77BEA\dds[1].scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://qwest.live.com
uWindow Title = Windows Internet Explorer provided by Qwest
uDefault_Page_URL = hxxp://qwest.live.com
mDefault_Page_URL = hxxp://qwest.live.com
mStart Page = hxxp://qwest.live.com
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: System=kdxsm.exe
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!

\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common

files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-

webprint\EWPBrowseLoader.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6

\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
{b8c5186e-ec37-4889-9c2e-f73649ffb7bb}
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live

toolbar\msntb.dll
BHO: NoExplorer - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6

\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6

\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0

\yt.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live

toolbar\msntb.dll
TB: {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - No File
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SonicWALLNetExtender] c:\program files\sonicwall\ssl-vpn\netextender\NEGui.exe -hideGUI -clearReboot
mRun: [QuickCare2.2] c:\program files\qwest\quickcare\bin\sprtcmd.exe /P QuickCare2.2
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common

files\adobe\calibration\Adobe Gamma Loader.exe
uPolicies-explorer: NoFavoritesMenu = 1 (0x1)
uPolicies-explorer: NoRun = 1 (0x1)
uPolicies-explorer: StartMenuLogoff = 1 (0x1)
uPolicies-explorer: MaxRecentDocs = 99 (0x63)
mPolicies-system: HideShutdownScripts = 0 (0x0)
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3

\office11\REFIEBAR.DLL
TCP: NameServer = 85.255.115.76 85.255.112.149
TCP: {C86AD249-BEBE-4925-AAF7-08777166977E} = 85.255.115.76,85.255.112.149
TCP: {D75992ED-6628-422A-8467-A4A5D27486CA} = 85.255.115.76,85.255.112.149
TCP: {DFEF4468-155B-4878-8A66-22E1CD7C51B7} = 85.255.115.76,85.255.112.149
Handler: x-excid - {9D6CC632-1337-4a33-9214-2DA092E776F4} - c:\windows\downloaded program files\mimectl.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {25b7d2fd-4f71-46d1-801a-7de323e4ec82}: equiparant

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sean-m~1\applic~1\mozilla\firefox\profiles\fykfk6dd.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-shkwav&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.alternet.org/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-shkwav&p=
FF - plugin: c:\documents and settings\sean-mcauley\application

data\mozilla\firefox\profiles\fykfk6dd.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-

msvc\plugins\npmnqmp071101000055.dll

============= SERVICES / DRIVERS ===============

S3 SSLDrv;SSL-VPN NetExtender Adapter;c:\windows\system32\drivers\SSLDrv.sys [2007-4-25 19640]
S4 Ql19rmaas;Ql19rmaas; [x]

=============== Created Last 30 ================

2009-01-04 21:49 <DIR> --d----- c:\program files\Trend Micro
2008-12-24 01:00 32,768 -------- c:\windows\system32\IJRMF.exe
2008-12-23 15:23 135,168 a------- c:\windows\system32\igfxres.dll
2008-12-23 15:18 57,344 a------- c:\windows\system32\igxprd32.dll
2008-12-23 15:18 5,854,752 a------- c:\windows\system32\drivers\igxpmp32.sys
2008-12-23 15:18 1,670,144 a------- c:\windows\system32\igxpdv32.dll
2008-12-23 15:18 151,040 a------- c:\windows\system32\igxpgd32.dll
2008-12-23 15:18 147,456 a------- c:\windows\system32\igfxCoIn_v4926.dll
2008-12-23 15:18 2,643,968 a------- c:\windows\system32\igxpdx32.dll
2008-12-23 15:18 176,128 a------- c:\windows\system32\igfxrsky.lrc
2008-12-23 15:18 172,032 a------- c:\windows\system32\igfxrslv.lrc
2008-12-23 15:18 920,088 a------- c:\windows\system32\igxpun.exe
2008-12-23 15:18 319,456 a------- c:\windows\system32\difxapi.dll
2008-12-23 15:18 <DIR> --d----- c:\windows\system32\Lang
2008-12-23 15:18 <DIR> --d----- C:\Intel
2008-12-23 14:15 <DIR> --d----- c:\program files\SystemRequirementsLab
2008-12-20 16:30 <DIR> --d----- c:\program files\City of Heroes
2008-12-14 11:46 410,984 a------- c:\windows\system32\deploytk.dll

==================== Find3M ====================

2008-12-20 12:09 2,718 ac------ c:\windows\system32\ealregsnapshot1.reg
2008-11-21 13:47 524,288 a------- c:\windows\system32\DivXsm.exe
2008-11-21 13:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-21 13:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 13:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-21 13:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 13:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll
2008-11-14 07:59 60,744 a------- c:\documents and settings\sean-mcauley\g2mdlhlpx.exe
2008-11-02 20:45 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-07-25 12:18 60,968 ac------ c:\documents and settings\sean-

mcauley\GoToAssistDownloadHelper.exe

============= FINISH: 2:37:26.79 ===============

This post has been edited by fungusaur: 05 January 2009 - 05:39 AM

#2 User is offline   fenzodahl512 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Members
  • Posts: 6,738
  • Joined: 04-December 07

Posted 05 January 2009 - 05:50 AM

Please open Notepad >> Go to Format tab >> untick Word Wrap


Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.




NEXT


Please download RSIT by random/random and save it to your Desktop.
  • Double click on RSIT.exe to run RSIT
  • Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.




NEXT


Please download GMER and unzip it to your Desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.



Post me these logs in your next reply.. Post each log in separate post..

1. Malwarebytes'
2. RSIT log.txt
3. RSIT info.txt
4. Attach GMER result..
Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive

#3 User is offline   fungusaur 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 2
  • Joined: 05-January 09

Posted 06 January 2009 - 02:42 AM

Thanks!
Malwarebytes' Anti-Malware 1.32
Database version: 1616
Windows 5.1.2600 Service Pack 3

1/5/2009 11:36:21 PM
mbam-log-2009-01-05 (23-36-21).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 165441
Time elapsed: 51 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 81
Registry Values Infected: 2
Registry Data Items Infected: 21
Folders Infected: 6
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\cerberus.enginelistener (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cerberus.enginelistener.1 (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cerberus.scanner (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cerberus.scanner.1 (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cerberus.threatcollection (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cerberus.threatcollection.1 (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\engine.backup (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\engine.backup.1 (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\engine.ignorelist (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\engine.ignorelist.1 (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\engine.log (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\engine.log.1 (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\engine.logrecord (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\engine.logrecord.1 (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\engine.paths (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\engine.paths.1 (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\engine.quarantine (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\engine.quarantine.1 (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\engine.runas (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\engine.runas.1 (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\engine.searchitem (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\engine.searchitem.1 (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\engine.threat (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\engine.threat.1 (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{27ed4ac2-b6d8-4079-9831-017a100b391e} (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3f6d6c35-fb73-45e6-9473-bb4cc25ce019} (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{715d709b-2b10-42fa-a069-297d25d93601} (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{872c1b1e-3cf0-4d3a-95e5-a0c662d2854c} (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{886b1d08-b404-40f0-aa18-4e416682a2e9} (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8b5f65cf-0b0a-4291-8da2-86d7f7b0a6db} (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{925b0211-a1c1-4712-8fca-5f5b8101736d} (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b01e37c4-5497-4d58-9ffd-d5653b8dc866} (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ccaa201c-c48d-48a8-a1e8-846562cbf1c1} (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d483521b-d5cc-43ff-a45a-9be4a8e6606e} (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ed2aff47-b7be-4273-a203-c796e87f72d2} (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f0fa7ed9-5a0a-4374-b63e-bebafd52192e} (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f5dee77c-87eb-4e00-bbf9-8cbf3bdea7af} (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fb5ddab7-6aa5-4e97-9541-5a75addf4aba} (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fddf521b-0ebe-4d15-838c-73e2d851161b} (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ff609434-eb47-481b-ba0e-1d2b467629a5} (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{25b7d2fd-4f71-46d1-801a-7de323e4ec82} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b8c5186e-ec37-4889-9c2e-f73649ffb7bb} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d06e2eae-1922-4a0b-6a7c-8d9e3de0e708} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/crviewer.dll (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0a97babb-7f1e-4da7-a5e5-ba2784a49406} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1f46d19f-292c-42c4-8c56-2a9d7477a5f1} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{54ccaee4-c899-49b2-90e8-56353f8843a5} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8a59e1d8-d586-4661-8b23-508f07273844} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{90c76ba9-ade5-4756-8ae9-f611af92ab7c} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a1b8a30b-8aaa-4a3e-8869-1da509e8a011} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a1b8a30b-8aaa-4a3e-8869-1da509e8a011} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f075fb59-00b1-4232-93a8-07b30b60f1b0} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f2d814df-5c5c-4b06-bf80-d699a8dafb70} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{020b1227-417d-4682-9ac3-61f43cb5b6b1} (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{125494b2-acad-414c-98b9-452f3ef7703a} (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{20a3d913-30ef-4e69-b3f7-93b3f1fb9d5c} (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3d00a39c-655b-428b-aeb2-2fba03dcc49c} (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{408f660a-9465-44a3-b557-8709dfd992bc} (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5f6bbd8a-18cf-4d55-8b4c-c9b4c9328dfe} (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8c56b6ce-c53f-44c4-9bdc-a9bc1711d05a} (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8ee6bf73-b370-4d13-9126-eb0071178f2e} (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{97f56e12-c706-4aeb-9ffb-133c05ee5d38} (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9bb7e700-4e48-476d-b75c-6f47606be988} (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9cb478a2-ca39-0cfd-efac-db80710601d3} (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cbcaca58-1aee-4600-8cf0-e8b30bff1535} (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d6d64cdf-0363-4261-b723-29a3af365e1d} (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{60f94d7d-563e-4942-b5ec-2de9c135c139} (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{70f17c8c-1744-41b6-9d07-575db448dcc5} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a3ed5288-f558-4f6e-8d5c-740cb6f89029} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f919fbd3-a96b-4679-af26-f551439bb5fd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e596df5f-4239-4d40-8367-ebadf0165917} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{31615d5c-5126-448a-818a-a7cdfee85a9b} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b8c5186e-ec37-4889-9c2e-f73649ffb7bb} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c5186e-ec37-4889-9c2e-f73649ffb7bb} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Security Tools (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SpywareBot (Rogue.SpywareBot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\Cerberus.EXE (Rogue.Antivirus.Gold) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{25b7d2fd-4f71-46d1-801a-7de323e4ec82} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\CRViewer.dll (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger.H) -> Data: kdxsm.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun (Hijack.Run) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.76 85.255.112.149 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{019bb413-8f7b-422b-b454-0f745d6c51d3}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.76,85.255.112.149 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c86ad249-bebe-4925-aaf7-08777166977e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.76,85.255.112.149 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{d75992ed-6628-422a-8467-a4a5d27486ca}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.76,85.255.112.149 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{d75992ed-6628-422a-8467-a4a5d27486ca}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.76,85.255.112.149 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{dfef4468-155b-4878-8a66-22e1cd7c51b7}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.76,85.255.112.149 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.76 85.255.112.149 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{019bb413-8f7b-422b-b454-0f745d6c51d3}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.76,85.255.112.149 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c86ad249-bebe-4925-aaf7-08777166977e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.76,85.255.112.149 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{d75992ed-6628-422a-8467-a4a5d27486ca}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.76,85.255.112.149 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{d75992ed-6628-422a-8467-a4a5d27486ca}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.76,85.255.112.149 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{dfef4468-155b-4878-8a66-22e1cd7c51b7}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.76,85.255.112.149 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.76 85.255.112.149 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{019bb413-8f7b-422b-b454-0f745d6c51d3}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.76,85.255.112.149 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{c86ad249-bebe-4925-aaf7-08777166977e}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.76,85.255.112.149 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{d75992ed-6628-422a-8467-a4a5d27486ca}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.115.76,85.255.112.149 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{d75992ed-6628-422a-8467-a4a5d27486ca}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.76,85.255.112.149 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{dfef4468-155b-4878-8a66-22e1cd7c51b7}\NameServer (Trojan.DNSChanger) -> Data: 85.255.115.76,85.255.112.149 -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Common Files\DriveCleaner Freeware (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\sean-mcauley\Application Data\SpywareBot (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\sean-mcauley\Application Data\SpywareBot\Log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\sean-mcauley\Application Data\SpywareBot\Quarantine (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\sean-mcauley\Application Data\SpywareBot\Registry Backups (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\sean-mcauley\Application Data\SpywareBot\Settings (Rogue.SpywareBot) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Downloaded Program Files\CRViewer.dll (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\sean-mcauley\Application Data\SpywareBot\rs.dat (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\sean-mcauley\Application Data\SpywareBot\Log\2007 Aug 23 - 01_19_44 PM_296.log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\sean-mcauley\Application Data\SpywareBot\Log\2007 Aug 23 - 01_19_45 PM_531.log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\sean-mcauley\Application Data\SpywareBot\Log\2007 Aug 23 - 02_02_38 PM_687.log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\sean-mcauley\Application Data\SpywareBot\Log\2007 Aug 23 - 02_03_04 PM_437.log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\sean-mcauley\Application Data\SpywareBot\Log\2007 Aug 23 - 02_56_36 PM_734.log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\sean-mcauley\Application Data\SpywareBot\Log\2007 Aug 23 - 03_01_56 PM_156.log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\sean-mcauley\Application Data\SpywareBot\Settings\CustomScan.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\sean-mcauley\Application Data\SpywareBot\Settings\IgnoreList.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\sean-mcauley\Application Data\SpywareBot\Settings\ScanInfo.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\sean-mcauley\Application Data\SpywareBot\Settings\ScanResults.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\sean-mcauley\Application Data\SpywareBot\Settings\SelectedFolders.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\sean-mcauley\Application Data\SpywareBot\Settings\Settings.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.

#4 User is offline   fenzodahl512 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Members
  • Posts: 6,738
  • Joined: 04-December 07

Posted 06 January 2009 - 05:37 AM

Waiting for your RSIT and GMER logs :thumbsup:
Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive

#5 User is offline   fenzodahl512 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Members
  • Posts: 6,738
  • Joined: 04-December 07

Posted 12 January 2009 - 03:14 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users