Infected With Zlob Active X Video Object-spylocked Fake Alert.


17 replies to this topic

#1 Srki

Srki

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:06 PM

Posted 30 July 2007 - 10:54 PM

:flowers: OK, a few days ago I installed a video ActiveX object because it was needed to play a movie clip, and the same second after it was installed my F-Secure displayed: malware detected, Zlob trojan downloader. So I clicked on disinfect and a message appeared: the object could not be removed. After that I manually scanned the entire PC (with F-Secure) and it found 4 infections and could not remove even one of them. So I turned to Spybot S&D and it found: Zlob video ActiveX object (3 infections) and SpyLocked fake alert. It fixed all of them but it said one cannot be fixed and asked me to run at my next computer start, so I clicked OK and rebooted. After Spybot performed the second scan it displayed the same message, it could not be fixed, so can it run on the next start, and I clicked no because it was clear it cannot remove it.

I forgot to say that when the infection occurred, 2 icons popped up on my desktop (two shields, one green and one blue) and one icon on the taskbar (a flashing red-blue shield displaying a pop-up message that my PC is infected with spyware and that I should click on it to download the official security software), and when I clicked it the web page opens: virusprotectpro. But not only that, now my browser is hijacked and whatever page I want to open it opens the same - virusprotectpro for download.

The next step, I downloaded a special removal tool made just for Zlob from the F-Secure site. The tool required booting the computer into safe mode, then running the tool and letting the information be merged into the registry, and then rebooting again, so I did it. Now the two icons on the desktop have changed, the ActiveX object is removed from the program list, and no more flashing icon in the taskbar :huh: until the next start of my computer, when the flashing taskbar shield returned. Now when I launch Internet Explorer a white page opens titled: about blank, so I go into Internet Options and retype my original home page, so now everything is OK with that, I can open web pages, but the annoying flashing icon on the taskbar is still here.

Next I opened Advanced WindowsCare and in the startup manager I spotted new entries, one user32.dll, and the other rar or something like that, and I chose to delete those entries (mistake I guess). I used online help for the item user32.dll and I found that it is a trojan user23.exe presenting itself like a user32.dll. So now I turned to some desperate measures. I was thinking that no security software can fix this now because I deleted the startup entry (user32.dll), so I decided to infect my PC again by downloading the same ActiveX object, and then run the scan again. :thumbsup: Result? Well, now I have 2 flashing shields blinking in a pair on my taskbar :huh: :huh: :huh: :huh: :o I performed the complete scan again and used the special F-Secure tool in the same way and came back to the situation I had before the second infection: no browser hijack, no more entries user.32dll and rar, just two annoying shields on the taskbar refusing to go away.

So now it was time to try some other software, so I downloaded Ad-Aware Free Edition, SpyCatcher, Spyware Terminator, Windows Defender, AVG Anti-Spyware, Spyware Doctor (the version with only antispyware and no antivirus); even the famous Spyware Doctor couldn't remove it, detection yes but not the removal. And finally I downloaded HijackThis. So what is the current situation? Two or three startups of my PC the shields don't show, and the next three or four startups they do, then they don't, and so on. I am running Windows XP with integrated SP2 and using the built-in firewall. G, if this is not a detailed description of my problem then I don't know what is. I am really sorry for such a huge post, but I would really like it if someone can save me from reformatting the disk and help me with this nasty thing. I am also sorry for my English, I am from Serbia and I am still learning it. Here is the log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:33:38 AM, on 7/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\F-SECU~1\backweb\1245240\Program\SERVIC~1.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\backweb\1245240\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
C:\Program Files\F-Secure Internet Security\FSPC\fspc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
C:\Program Files\Samsung\Samsung Optical Wheel Mouse\gnetmous.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\F-Secure Internet Security\backweb\1245240\Program\fspex.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\slrundll.exe
C:\Documents and Settings\Srki\My Documents\My Downloads\zaSetup_en.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGet Software\ReGet Deluxe 5.1\IEBar.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6066\SiteAdv.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [Gnetmous] "C:\Program Files\Samsung\Samsung Optical Wheel Mouse\gnetmous.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: F-Secure 2006 OEM.lnk = C:\Program Files\F-Secure Internet Security\backweb\1245240\Program\fspex.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7E46D43-E6EB-461D-9188-DD40CD27F31E}: NameServer = 212.200.191.166 212.200.190.166
O18 - Protocol: hddlife - {BD758015-47D9-477A-8873-4B688A2BC0E2} - "C:\Program Files\BinarySense\HDDlife 3\hlAPP.dll" (file missing)
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - AppInit_DLLs: secuload.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: convalescently - {cea2e5cd-e849-427b-80f0-59298caef1c4} - C:\WINDOWS\system32\cqsfk.dll
O22 - SharedTaskScheduler: enlodgement - {aa6d4f53-4c8d-4549-84d2-02d584acc4e9} - C:\WINDOWS\system32\wzhtjqo.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: F-Secure 2006 OEM (BackWeb Plug-in - 1245240) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\1245240\Program\SERVIC~1.EXE
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\1245240\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FSPC\fshttps\fshttps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: HDDlife HDD Access service - BinarySense, Inc. - C:\Program Files\BinarySense\HDDlife 3\hldasvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP2\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP2\RpcSandraSrv.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 11266 bytes
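As an added example that is not part of this thread and not a BleepingComputer or HijackThis tool, the Python script below parses lines in the HijackThis 2.0 format shown in the log above and lists the entries a log helper tends to look at first: O22 SharedTaskScheduler DLLs in system32 with random-looking file names (the two entries in this log point at cqsfk.dll and wzhtjqo.dll), O20 AppInit_DLLs, and per-interface O17 NameServer settings. The sample lines are copied from the log above into a constructed string; the vowel-ratio heuristic, its 20% threshold and the severity labels are the example's own assumptions, and a "high" finding still means "confirm before acting", not a verdict.

```python
"""Triage helper for HijackThis-style log lines (constructed example, not an official tool)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: six lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6066\SiteAdv.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7E46D43-E6EB-461D-9188-DD40CD27F31E}: NameServer = 212.200.191.166 212.200.190.166
O20 - AppInit_DLLs: secuload.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: convalescently - {cea2e5cd-e849-427b-80f0-59298caef1c4} - C:\WINDOWS\system32\cqsfk.dll
O22 - SharedTaskScheduler: enlodgement - {aa6d4f53-4c8d-4549-84d2-02d584acc4e9} - C:\WINDOWS\system32\wzhtjqo.dll
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
"""

VOWELS = set("aeiouy")


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O22"
    severity: str  # "review" (look at it) or "high" (look at it first)
    item: str      # the path, DLL list or server list the finding is about
    reason: str


def looks_random(stem: str) -> bool:
    """Heuristic (assumption): a file stem with fewer than 20% vowels is not a
    normal product name. 'cqsfk' has no vowels, 'wzhtjqo' has one in seven."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    return vowel_ratio < 0.2


_O22 = re.compile(r"^O22 - SharedTaskScheduler: (?P<name>.*?) - \{[0-9a-fA-F-]+\} - (?P<path>.+)$")
_O20 = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
_O17 = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")


def triage(log_text: str) -> List[Finding]:
    """Return the entries worth a closer look, in the order they appear in the log."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _O22.match(line)
        if m:
            path = m.group("path").strip()
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            in_system32 = "\\system32\\" in path.lower()
            if in_system32 and looks_random(stem):
                findings.append(Finding("O22", "high", path,
                                        "SharedTaskScheduler DLL with a random-looking name in system32"))
            else:
                findings.append(Finding("O22", "review", path,
                                        "SharedTaskScheduler entry: confirm the DLL belongs to installed software"))
            continue
        m = _O20.match(line)
        if m:
            findings.append(Finding("O20", "review", m.group("dlls").strip(),
                                    "AppInit_DLLs are loaded into every process that links user32.dll"))
            continue
        m = _O17.match(line)
        if m:
            findings.append(Finding("O17", "review", m.group("servers").strip(),
                                    "Per-interface DNS servers: verify they belong to the ISP"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.item}\n         {f.reason}")
```

Run against the constructed sample it reports four entries: the two O22 lines as "high", and the O20 and O17 lines as "review". Entries such as O4 and O23 are deliberately left alone here because judging them needs the publisher and path context a human reviewer brings, which is exactly what the forum helpers in this thread do.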


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:08:06 PM

Posted 31 July 2007 - 08:06 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, Srki :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\WINDOWS\system32\cqsfk.dll
C:\WINDOWS\system32\wzhtjqo.dll


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it on your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

-----------------------------------------------------

Please download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.


-----------------------------------------------------

Download SmitfraudFix (by S!Ri), to your desktop.
Double click on Smitfraudfix.cmd
Select option 1 Search, by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy and paste the content of that report into your next reply.

*IMPORTANT*
Do NOT run any other options until you are asked to do so!

Also post a new Hijackthis log.

#3 Srki

Srki
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:06 PM

Posted 31 July 2007 - 02:11 PM

Hi, here are the things that you asked for, sorry if I did something wrong, I'm not really an advanced user.
First the OTMoveIt results:
DllUnregisterServer procedure not found in C:\WINDOWS\system32\cqsfk.dll
C:\WINDOWS\system32\cqsfk.dll NOT unregistered.
C:\WINDOWS\system32\cqsfk.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\wzhtjqo.dll
C:\WINDOWS\system32\wzhtjqo.dll NOT unregistered.
C:\WINDOWS\system32\wzhtjqo.dll moved successfully.

Created on 07/31/2007 20:46:19

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:08:06 PM

Posted 31 July 2007 - 02:15 PM

You're doing just great, now carry on with the rest of the instructions please.

#5 Srki

Srki
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:02:06 PM

Posted 31 July 2007 - 02:26 PM

Here is the combofix:

ComboFix 07-07-31 - "Srki" 2007-07-31 21:15:59.1 [GMT 2:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True
* Created a new restore point


((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-31 )))))))))))))))))))))))))))))))


2007-07-31 21:04 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-07-31 21:04 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-07-31 21:04 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-07-31 20:58 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-31 02:58 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-07-31 00:09 2,320,000 --a------ C:\WINDOWS\system32\TUKernel.exe
2007-07-30 21:16 <DIR> d-------- C:\Program Files\PC Drivers HeadQuarters
2007-07-30 20:46 <DIR> d-------- C:\Program Files\Driver-Soft
2007-07-30 20:14 <DIR> d-------- C:\DOCUME~1\Srki\APPLIC~1\ArcSoft
2007-07-30 20:05 20 ---h----- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PKP_DLec.DAT
2007-07-30 20:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ultima_T15
2007-07-30 20:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\EnterNHelp
2007-07-30 20:01 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2007-07-30 20:01 765,952 --a------ C:\WINDOWS\system32\msvcp71d.dll
2007-07-30 20:01 544,768 --a------ C:\WINDOWS\system32\msvcr71d.dll
2007-07-30 20:01 2,867,200 -ra------ C:\WINDOWS\system32\NkNEFPlugin.dll
2007-07-30 20:01 2,179,072 --a------ C:\WINDOWS\system32\mfc71d.dll
2007-07-30 20:01 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-07-30 20:01 <DIR> d-------- C:\DOCUME~1\Srki\APPLIC~1\Nikon
2007-07-30 20:00 73,728 --a------ C:\WINDOWS\system32\LFFAX12N.DLL
2007-07-30 20:00 60,416 --a------ C:\WINDOWS\system32\LFPCT12N.DLL
2007-07-30 20:00 54,784 -ra------ C:\WINDOWS\system32\RedEye.dll
2007-07-30 20:00 495,616 -ra------ C:\WINDOWS\system32\DRAGNKL1.dll
2007-07-30 20:00 48,128 -ra------ C:\WINDOWS\system32\picn20.dll
2007-07-30 20:00 434,176 --a------ C:\WINDOWS\system32\DC120V15_32.DLL
2007-07-30 20:00 406,016 --a------ C:\WINDOWS\system32\LTKRN12N.DLL
2007-07-30 20:00 36,864 --a------ C:\WINDOWS\system32\LFPSD12N.DLL
2007-07-30 20:00 358,912 --a------ C:\WINDOWS\system32\LFCMP12N.DLL
2007-07-30 20:00 30,720 --a------ C:\WINDOWS\system32\LFBMP12N.DLL
2007-07-30 20:00 26,112 --a------ C:\WINDOWS\system32\LFPCX12N.DLL
2007-07-30 20:00 259,072 --a------ C:\WINDOWS\system32\LTDIS12N.DLL
2007-07-30 20:00 230,400 --a------ C:\WINDOWS\system32\DC265.DLL
2007-07-30 20:00 212,480 --a------ C:\WINDOWS\system32\PCDLIB32.DLL
2007-07-30 20:00 207,872 --a------ C:\WINDOWS\system32\LTEFX12N.DLL
2007-07-30 20:00 19,968 --a------ C:\WINDOWS\system32\LFPCD12N.DLL
2007-07-30 20:00 181,248 --a------ C:\WINDOWS\system32\LFPNG12N.DLL
2007-07-30 20:00 180,224 -ra------ C:\WINDOWS\system32\picn1120.dll
2007-07-30 20:00 176,128 -ra------ C:\WINDOWS\system32\Strato4.dll
2007-07-30 20:00 164,864 --a------ C:\WINDOWS\system32\LTIMG12N.DLL
2007-07-30 20:00 155,648 -ra------ C:\WINDOWS\system32\picn1020.dll
2007-07-30 20:00 141,312 --a------ C:\WINDOWS\system32\LFTIF12N.DLL
2007-07-30 20:00 131,072 --a------ C:\WINDOWS\system32\LTFIL12N.DLL
2007-07-30 20:00 110,592 -ra------ C:\WINDOWS\system32\RCSigProc.dll
2007-07-30 20:00 <DIR> d-------- C:\Program Files\Nikon
2007-07-30 20:00 <DIR> d-------- C:\Program Files\Common Files\muvee Technologies
2007-07-30 19:59 212,480 --------- C:\WINDOWS\PCDLIB32.DLL
2007-07-30 19:59 <DIR> d-------- C:\Program Files\ArcSoft
2007-07-30 19:58 <DIR> d-------- C:\Program Files\Common Files\Nikon
2007-07-30 03:37 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-07-30 02:46 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-07-30 01:41 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-29 04:08 <DIR> d-------- C:\DOCUME~1\Srki\APPLIC~1\Uniblue
2007-07-27 21:49 <DIR> d-------- C:\DOCUME~1\Srki\APPLIC~1\Tenebril
2007-07-27 21:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tenebril
2007-07-27 21:13 180,224 --a-s---- C:\WINDOWS\system32\archlib.dll
2007-07-27 21:13 <DIR> d-------- C:\WINDOWS\system32\tenarchlib
2007-07-27 01:33 <DIR> d-------- C:\Program Files\Crawler
2007-07-26 19:48 <DIR> d-------- C:\Program Files\MSXML 6.0
2007-07-25 07:31 <DIR> d-------- C:\WINDOWS\spywareb
2007-07-25 07:04 <DIR> d-------- C:\Program Files\WhatsRunning
2007-07-25 01:49 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-07-25 01:49 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-07-25 01:49 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-07-25 01:49 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-07-25 01:49 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-07-25 01:48 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-07-25 01:48 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-07-25 01:48 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-07-25 01:48 <DIR> d-------- C:\DOCUME~1\Srki\APPLIC~1\PC Tools
2007-07-24 01:34 <DIR> d-------- C:\Program Files\ATITool
2007-07-24 01:04 <DIR> d-------- C:\Program Files\Titan Backup
2007-07-24 00:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Earthsim
2007-07-23 18:18 684,032 --a------ C:\WINDOWS\system32\libeay32.dll
2007-07-23 18:18 155,648 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-07-23 17:40 <DIR> d-------- C:\DOCUME~1\Srki\APPLIC~1\Lavasoft
2007-07-23 07:38 <DIR> d-------- C:\DOCUME~1\Srki\APPLIC~1\SLAutoSave
2007-07-23 07:35 <DIR> d-------- C:\DOCUME~1\Srki\APPLIC~1\12Ghosts
2007-07-23 07:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\12Ghosts
2007-07-23 07:26 <DIR> d-------- C:\WINDOWS\pss
2007-07-23 06:59 5,242,880 --a------ C:\DOCUME~1\Srki\ntuser.dat
2007-07-23 04:55 427,864 --a------ C:\WINDOWS\system32\XceedZip.dll
2007-07-22 03:34 <DIR> d-------- C:\Program Files\iTunes
2007-07-22 03:34 <DIR> d-------- C:\Program Files\iPod
2007-07-22 01:01 <DIR> d-------- C:\Program Files\QuickTime
2007-07-22 00:34 <DIR> d--hs---- C:\Diskeeper
2007-07-21 05:53 <DIR> d-------- C:\Program Files\Diskeeper Corporation
2007-07-21 05:53 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Diskeeper Corporation
2007-07-21 05:38 <DIR> d-------- C:\DOCUME~1\Srki\X86
2007-07-21 05:38 <DIR> d-------- C:\DOCUME~1\Srki\X64
2007-07-21 03:01 <DIR> d-------- C:\DOCUME~1\Srki\APPLIC~1\WinRAR
2007-07-21 02:36 <DIR> d-------- C:\Program Files\MSBuild
2007-07-21 02:33 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-07-21 02:32 <DIR> d-------- C:\Program Files\Reference Assemblies
2007-07-21 02:30 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-07-20 23:23 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2007-07-20 22:11 <DIR> d-------- C:\Program Files\MadOnion.com
2007-07-20 19:34 <DIR> d-------- C:\Program Files\Prime95
2007-07-20 03:19 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2007-07-20 03:19 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2007-07-20 03:19 116,736 --------- C:\WINDOWS\system32\aaclient.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-01 05:24 4314112 --a------ C:\WINDOWS\system32\logonuiX.exe
2007-06-13 21:50 43152 --a------ C:\WINDOWS\system32\drivers\ativvpxx.vp


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 15:21 C:\WINDOWS\system32\HdAShCut.exe]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6066\SiteAdv.exe" [2007-03-30 17:42]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-06-27 21:49]
"F-Secure Manager"="C:\Program Files\F-Secure Internet Security\Common\FSM32.exe" [2005-06-03 00:37]
"F-Secure TNB"="C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" [2005-07-18 16:51]
"F-Secure Startup Wizard"="C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.exe" [2005-08-23 15:38]
"Gnetmous"="C:\Program Files\Samsung\Samsung Optical Wheel Mouse\gnetmous.exe" [2002-08-02 10:34]
"LogonStudio"="C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-03 18:38]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
F-Secure 2006 OEM.lnk - C:\Program Files\F-Secure Internet Security\backweb\1245240\Program\fspex.exe [2007-06-27 23:41:52]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2007-07-30 20:00:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=secuload.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys
R0 RecAgent;RecAgent;C:\WINDOWS\system32\DRIVERS\SLDRV\RecAgent.sys
R0 speedfan;speedfan;C:\WINDOWS\system32\speedfan.sys
R1 aslm75;aslm75;\??\C:\WINDOWS\system32\drivers\aslm75.sys
R1 ATITool;ATITool Overclocking Utility;C:\WINDOWS\system32\DRIVERS\ATITool.sys
R2 BackWeb Plug-in - 1245240;F-Secure 2006 OEM;C:\PROGRA~1\F-SECU~1\backweb\1245240\Program\SERVIC~1.EXE
R2 F-Secure Filter;F-Secure File System Filter;\??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys
R2 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSgk.sys
R2 F-Secure Recognizer;F-Secure File System Recognizer;\??\C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys
R2 PStrip;PStrip;C:\WINDOWS\system32\drivers\pstrip.sys
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe -k netsvcs
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service;C:\WINDOWS\system32\drivers\ADIHdAud.sys
R3 AEAudioService;AEAudio Service;C:\WINDOWS\system32\drivers\AEAudio.sys
R3 genmcmn;Scroll Mouse Driver;C:\WINDOWS\system32\DRIVERS\gmfiltr.sys
R3 Mtlmnt5;Mtlmnt5;C:\WINDOWS\system32\DRIVERS\SLDRV\Mtlmnt5.sys
R3 Mtlstrm;Mtlstrm;C:\WINDOWS\system32\DRIVERS\SLDRV\Mtlstrm.sys
R3 SaiHFF0C;SaiHFF0C;C:\WINDOWS\system32\DRIVERS\SaiHFF0C.sys
R3 SaiMini;SaiMini;C:\WINDOWS\system32\DRIVERS\SaiMini.sys
R3 SaiNtBus;SaiNtBus;C:\WINDOWS\system32\drivers\SaiNtBus.sys
R3 SaiUFF0C;SaiUFF0C;C:\WINDOWS\system32\DRIVERS\SaiUFF0C.sys
R3 SenFiltService;SenFilt Service;C:\WINDOWS\system32\drivers\Senfilt.sys
R3 Slntamr;SmartLink AMR_PCI Driver;C:\WINDOWS\system32\DRIVERS\SLDRV\slntamr.sys
R3 SlNtHal;SlNtHal;C:\WINDOWS\system32\DRIVERS\SLDRV\Slnthal.sys
R3 SlWdmSup;SlWdmSup;C:\WINDOWS\system32\DRIVERS\SLDRV\SlWdmSup.sys
S2 HDDlife HDD Access service;HDDlife HDD Access service;"C:\Program Files\BinarySense\HDDlife 3\hldasvc.exe"
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0;C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
S3 GVCplDrv;GVCplDrv;C:\WINDOWS\system32\drivers\GVCplDrv.sys
S3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;C:\WINDOWS\system32\drivers\HdAudio.sys
S3 idsvc;Windows CardSpace;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
S3 IKFileFlt;File Filter Driver;C:\WINDOWS\system32\drivers\ikfileflt.sys
S3 IKFileSec;File Security Driver;C:\WINDOWS\system32\drivers\ikfilesec.sys
S3 IkSysFlt;System Filter Driver;C:\WINDOWS\system32\drivers\iksysflt.sys
S3 IKSysSec;System Security Driver;C:\WINDOWS\system32\drivers\iksyssec.sys
S3 MagicTune;MagicTune;C:\WINDOWS\system32\drivers\MTiCtwl.sys
S3 TVICHW32;TVICHW32;\??\C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp


Contents of the 'Scheduled Tasks' folder
2007-06-29 15:44:48 C:\WINDOWS\Tasks\1-Click Maintenance.job - C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
2007-07-28 21:53:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-07-31 17:34:05 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe
2007-07-31 00:05:48 C:\WINDOWS\Tasks\Scheduled scanning task.job
2007-07-29 02:17:41 C:\WINDOWS\Tasks\Uniblue SpyEraser Nag.job
2007-07-29 02:17:40 C:\WINDOWS\Tasks\Uniblue SpyEraser.job - C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-31 21:18:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-31 21:20:10

--- E O F ---

#6 Srki

Srki
  • Topic Starter

  • Members
  • 10 posts
  • Local time:02:06 PM

Posted 31 July 2007 - 02:32 PM


#7 Srki

Srki
  • Topic Starter

  • Members
  • 10 posts
  • Local time:02:06 PM

Posted 31 July 2007 - 02:35 PM

Sorry for the double ComboFix post, here is the SmitfraudFix:
SmitFraudFix v2.207

Scan done at 21:28:31.96, Tue 07/31/2007
Run from C:\Documents and Settings\Srki\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\F-SECU~1\backweb\1245240\Program\SERVIC~1.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\backweb\1245240\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
C:\Program Files\F-Secure Internet Security\FSPC\fspc.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Samsung\Samsung Optical Wheel Mouse\gnetmous.exe
C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\F-Secure Internet Security\backweb\1245240\Program\fspex.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\slrundll.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Srki


C:\Documents and Settings\Srki\Application Data


Start Menu


C:\DOCUME~1\Srki\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="secuload.dll C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL"
"LoadAppInit_DLLs"=dword:00000001


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Rustock



DNS

Description: WAN (PPP/SLIP) Interface
DNS Server Search Order: 212.200.191.166
DNS Server Search Order: 212.200.190.166

HKLM\SYSTEM\CCS\Services\Tcpip\..\{A7E46D43-E6EB-461D-9188-DD40CD27F31E}: NameServer=212.200.191.166 212.200.190.166
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A7E46D43-E6EB-461D-9188-DD40CD27F31E}: NameServer=212.200.191.166 212.200.190.166


Scanning for wininet.dll infection


End

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:08:06 PM

Posted 31 July 2007 - 02:35 PM

Follow the SmitfraudFix instructions, post the SmitfraudFix report and a new HijackThis log please.

#9 Srki

Srki
  • Topic Starter

  • Members
  • 10 posts
  • Local time:02:06 PM

Posted 31 July 2007 - 02:38 PM

And finally here is the new hjt:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:37:02 PM, on 7/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\F-SECU~1\backweb\1245240\Program\SERVIC~1.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Internet Security\backweb\1245240\program\fsbwsys.exe
C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE
C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe
C:\Program Files\F-Secure Internet Security\FSPC\fspc.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Samsung\Samsung Optical Wheel Mouse\gnetmous.exe
C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe
C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\F-Secure Internet Security\backweb\1245240\Program\fspex.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\slrundll.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGet Software\ReGet Deluxe 5.1\IEBar.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6066\SiteAdv.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [Gnetmous] "C:\Program Files\Samsung\Samsung Optical Wheel Mouse\gnetmous.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: F-Secure 2006 OEM.lnk = C:\Program Files\F-Secure Internet Security\backweb\1245240\Program\fspex.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\F-Secure Internet Security\FSPC\fspcmsie.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure Internet Security\Anti-Spyware\ieshield.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7E46D43-E6EB-461D-9188-DD40CD27F31E}: NameServer = 212.200.191.166 212.200.190.166
O18 - Protocol: hddlife - {BD758015-47D9-477A-8873-4B688A2BC0E2} - "C:\Program Files\BinarySense\HDDlife 3\hlAPP.dll" (file missing)
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - AppInit_DLLs: secuload.dll C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: F-Secure 2006 OEM (BackWeb Plug-in - 1245240) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\1245240\Program\SERVIC~1.EXE
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\1245240\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FSPC\fshttps\fshttps.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE
O23 - Service: HDDlife HDD Access service - BinarySense, Inc. - C:\Program Files\BinarySense\HDDlife 3\hldasvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP2\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP2\RpcSandraSrv.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 10907 bytes

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:08:06 PM

Posted 31 July 2007 - 02:56 PM

Your HijackThis log is clean. How's your PC running now?

#11 Srki

Srki
  • Topic Starter

  • Members
  • 10 posts
  • Local time:02:06 PM

Posted 31 July 2007 - 03:29 PM

It's running normally. I don't have the two shields on the taskbar, but I am afraid that they will come back on the next start up. What should I do now?

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:08:06 PM

Posted 31 July 2007 - 03:34 PM

Restart your PC, let me know what happens.

#13 Srki

Srki
  • Topic Starter

  • Members
  • 10 posts
  • Local time:02:06 PM

Posted 31 July 2007 - 03:53 PM

Ok, I have rebooted, no shields on the taskbar, but now there is a Windows Security Alert (the real one) window saying this: "To help protect your computer Windows Firewall has blocked some features of this program. Do you want to keep blocking this program? Name: F-SECURE 2006 OEM, Publisher: F-SECURE Internet Security 2005." This is the first time I am getting a Windows Firewall warning for F-Secure. Should I keep blocking it or not? Also I think I should restart my PC at least 6-7 times to make sure.

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:08:06 PM

Posted 31 July 2007 - 04:09 PM

This is the first time I am getting a Windows Firewall warning for F-Secure. Should I keep blocking it or not?

No, you should not be blocking F-Secure.

#15 Srki

Srki
  • Topic Starter

  • Members
  • 10 posts
  • Local time:02:06 PM

Posted 31 July 2007 - 04:38 PM

:huh: :huh: Well, it seems you really are a malware assassin, haha! 7 reboots and no sign of the menace :flowers: I just can't believe it, I was starting to think it's mission impossible. Thank you very very much! :thumbsup: I only hope it will not return and that it's gone for good! Is there anything else I should do about this?



