Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Please Help Me Admins/people!


  • Please log in to reply
20 replies to this topic

#1 skyaries89

skyaries89

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:29 AM

Posted 31 August 2007 - 07:21 AM

Please i cant get rid of this one trojan, its geardgr.dll ,something bout a generic downloader or something, also im getting 2 run.dll errors everytime i login to windows , and its really slow, can someone please help me on which programs to delete with hijack, here is my log PLEASE HELP ME, ive had this problem for so long!!!


Logfile of HijackThis v1.99.1
Scan saved at 8:12:43 AM, on 8/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Webcam Recorder\ml20gui.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Network Associates\VirusScan\scan32.exe
C:\Documents and Settings\Thanh\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://seek.yisou.com/srchcust.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_48.dll
O2 - BHO: YDragSearch - {62EED7C6-9F02-42f9-B634-98E2899E147B} - C:\PROGRA~1\Yahoo!\ASSIST~1\Assist\YDRAGS~1.DLL (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\tmp109.tmp.dll
O2 - BHO: (no name) - {c6487a9b-d11c-4907-a660-46c34afa4036} - C:\WINDOWS\system32\GEARdgr.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,ClientStartup -s
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\opmjhe.dll",realset
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSN Webcam Recorder] "C:\Program Files\MSN Webcam Recorder\ml20gui.exe" -silent
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Thanh\Start Menu\Programs\IMVU\Run IMVU.lnk
O16 - DPF: {0CBF7EDC-17EC-442C-8AE9-5E804707B6CA} (NeffyClient Class) - http://dist.cdnetworks.co.kr/cdndist/neffy/Neffy.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.0.84.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://www.legendofares.com/download/mgusamanagerv1001.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/activex/dmcc2.c...ersion=1,0,0,10
O16 - DPF: {AA33C66F-71DB-43E9-B559-3CBE4398E9A9} (BugsGameStarts Class) - http://au.bugsgames.net/game/GBugsGameStart.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BEED76B7-F5FF-4FBE-99CE-E8529591BC9F} (FantaTennisActiveX Control) - http://www.fantatennis.jp/FantaDownLoad/Ac...nnisActiveX.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/tricksterActiveX.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.tricksteronline.com/control/KALogoutComponent.cab
O16 - DPF: {E1CE4482-98E9-48F8-8D0D-EF03BC9E26F3} (BugsGameStarts Class) - http://audition.bugs.co.kr/Game/BugsGameStart.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: GEARdgr - C:\WINDOWS\SYSTEM32\GEARdgr.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Attached Files



BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:29 AM

Posted 31 August 2007 - 09:03 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum skyaries89 :thumbsup:
My name is Richie and i'll be helping you to fix your problems.

Please move HijackThis to a permanent folder on the hard drive such as C:\HJT.
Create a new folder and place HijackThis.exe inside that folder so that the backups of log changes it creates are saved in the same folder and can be used to reverse any line entry deletion if found to be necessary.
If you run Hijackthis from the desktop, the files it removes will not be backed up properly.

How to create a new folder named HJT
1. Click Start/My Computer,in the 'My Computer' window,open the window in which you want to create the new folder,click on Local Disk C:
2. From the 'File' menu choose 'New'.
3. From the 'New' menu choose 'Folder'.
4. Type the folder name: HJT
5. Then press Enter.

Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java,and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6u2'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java versions.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new Hijackthis log please.
Posted Image
Posted Image

#3 skyaries89

skyaries89
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:29 AM

Posted 31 August 2007 - 08:33 PM

ComboFix 07-08-30.3 - "Thanh" 2007-08-31 21:25:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.587 [GMT -4:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Thanh\APPLIC~1\macromedia\Flash Player\#SharedObjects\XF4SLT8H\www.broadcaster.com
C:\DOCUME~1\Thanh\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Program Files\newdotnet
C:\Program Files\newdotnet\newdotnet7_48.dll
C:\Program Files\newdotnet\readme.html
C:\Program Files\newdotnet\uninstall6_38.exe
C:\Program Files\newdotnet\uninstall7_48.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\NDNuninstall7_22.exe
C:\WINDOWS\NDNuninstall7_48.exe
C:\WINDOWS\system32\cns.dat
C:\WINDOWS\system32\GEARdgr.dll
C:\WINDOWS\system32\tmp109.tmp.dll
C:\WINDOWS\system32\tmp212.tmp.dll
C:\WINDOWS\system32\tmp338.tmp.dll
C:\WINDOWS\system32\tmpD0.tmp.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CNSMINKP
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-08-01 to 2007-09-01 )))))))))))))))))))))))))))))))


2007-08-31 21:25 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-31 21:16 <DIR> d-------- C:\HJT
2007-08-26 11:02 <DIR> d-------- C:\Program Files\iPod
2007-08-26 10:59 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-08-26 10:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-08-26 10:42 <DIR> d-------- C:\Program Files\Windows Live
2007-08-26 10:42 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2007-08-26 10:39 <DIR> d-------- C:\Program Files\StuffPlug3
2007-08-16 10:46 <DIR> d-------- C:\Program Files\Common Files\Skype


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-31 21:31 --------- d-------- C:\DOCUME~1\Thanh\APPLIC~1\Skype
2007-08-29 14:20 --------- d-------- C:\Program Files\Warcraft III
2007-08-27 23:09 --------- d-------- C:\Program Files\Common Files\AOL
2007-08-27 23:09 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-08-27 20:57 --------- d-------- C:\Program Files\AV Vcs 4.0 DIAMOND
2007-08-26 11:02 --------- d-------- C:\Program Files\iTunes
2007-08-26 11:01 --------- d-------- C:\Program Files\QuickTime
2007-08-26 10:42 --------- d-------- C:\Program Files\MSN Messenger
2007-08-26 10:31 --------- d-------- C:\Program Files\Google
2007-08-26 10:31 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-08-26 10:26 --------- d-------- C:\Program Files\Yahoo!
2007-08-24 23:14 --------- d-------- C:\DOCUME~1\Thanh\APPLIC~1\IMVU
2007-08-23 12:02 --------- d-------- C:\Program Files\MSN Webcam Recorder
2007-08-22 03:05 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-08-21 13:25 --------- d-------- C:\DOCUME~1\Thanh\APPLIC~1\AdobeUM
2007-08-16 10:46 --------- d-------- C:\Program Files\Skype
2007-08-16 10:46 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype
2007-08-11 14:55 --------- d-------- C:\Program Files\IMVU
2007-08-06 22:06 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-05 16:47 --------- d-------- C:\Program Files\AviSynth 2.5
2007-07-28 17:01 --------- d-------- C:\DOCUME~1\Thanh\APPLIC~1\dvdcss
2007-07-17 00:48 --------- d-------- C:\Program Files\Logitech


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 06:20 C:\WINDOWS\SOUNDMAN.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-16 18:09]
"nwiz"="nwiz.exe" [2005-07-16 18:09 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-07-16 18:09]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-08-18 12:00]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 18:17]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 17:32]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 15:24]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 15:14]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 20:15]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 21:07]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 14:44]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-06 12:43]
"MSN Webcam Recorder"="C:\Program Files\MSN Webcam Recorder\ml20gui.exe" [2006-01-30 21:14]

C:\DOCUME~1\Thanh\STARTM~1\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 23:16:50]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau

R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
R2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys
R2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys
R3 itchfltr;iTouch Keyboard Filter;C:\WINDOWS\system32\DRIVERS\itchfltr.sys
R3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 Dua1;Dua1;\??\C:\Documents and Settings\Thanh\Desktop\MShack\DualEngi.sys
S3 EntDrv51;EntDrv51;\??\C:\WINDOWS\system32\drivers\EntDrv51.sys
S3 kaspersky1;kaspersky1;\??\C:\DOCUME~1\Thanh\LOCALS~1\Temp\Rar$EX00.187\kaspersky.sys
S3 npkycryp;npkycryp;\??\C:\Program Files\Gravity\RO\npkycryp.sys
S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys
S3 SE27bus;Sony Ericsson Device 039 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\SE27bus.sys
S3 SE27mdfl;Sony Ericsson Device 039 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\SE27mdfl.sys
S3 SE27mdm;Sony Ericsson Device 039 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\SE27mdm.sys
S3 w300bus;Sony Ericsson W300 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\w300bus.sys
S3 w300mdfl;Sony Ericsson W300 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w300mdfl.sys
S3 w300mdm;Sony Ericsson W300 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\w300mdm.sys
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\w300mgmt.sys
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\w300obex.sys
S3 ZSMC302;VIMICRO USB PC Camera;C:\WINDOWS\system32\Drivers\usbVM31b.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\setup.exe


Contents of the 'Scheduled Tasks' folder
2007-08-26 14:56:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-31 21:30:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-31 21:31:57 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-31 21:31

--- E O F ---

Attached Files



#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:29 AM

Posted 01 September 2007 - 02:44 AM

Could you post the new Hijackthis log please.
Posted Image
Posted Image

#5 skyaries89

skyaries89
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:29 AM

Posted 01 September 2007 - 04:17 AM

Logfile of HijackThis v1.99.1
Scan saved at 5:16:43 AM, on 9/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Webcam Recorder\ml20gui.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSN Webcam Recorder] "C:\Program Files\MSN Webcam Recorder\ml20gui.exe" -silent
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Thanh\Start Menu\Programs\IMVU\Run IMVU.lnk
O16 - DPF: {0CBF7EDC-17EC-442C-8AE9-5E804707B6CA} (NeffyClient Class) - http://dist.cdnetworks.co.kr/cdndist/neffy/Neffy.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.0.84.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://www.legendofares.com/download/mgusamanagerv1001.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/activex/dmcc2.c...ersion=1,0,0,10
O16 - DPF: {AA33C66F-71DB-43E9-B559-3CBE4398E9A9} (BugsGameStarts Class) - http://au.bugsgames.net/game/GBugsGameStart.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BEED76B7-F5FF-4FBE-99CE-E8529591BC9F} (FantaTennisActiveX Control) - http://www.fantatennis.jp/FantaDownLoad/Ac...nnisActiveX.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/tricksterActiveX.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.tricksteronline.com/control/KALogoutComponent.cab
O16 - DPF: {E1CE4482-98E9-48F8-8D0D-EF03BC9E26F3} (BugsGameStarts Class) - http://audition.bugs.co.kr/Game/BugsGameStart.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs:
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Attached Files


Edited by skyaries89, 01 September 2007 - 04:21 AM.


#6 skyaries89

skyaries89
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:29 AM

Posted 01 September 2007 - 04:20 AM

sry i uploaded twice by accident- its up above

Edited by skyaries89, 01 September 2007 - 04:24 AM.


#7 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:29 AM

Posted 01 September 2007 - 04:25 AM

Copy and paste the following blue text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktopPosted Imageand agree to merge the imformation into the registry,then restart your pc.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=-


Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed,exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O20 - AppInit_DLLs:

Exit Hijackthis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer,when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it,then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new Hijackthis log,let me know how your pc is running now.

Posted Image
Posted Image

#8 skyaries89

skyaries89
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:29 AM

Posted 01 September 2007 - 06:27 AM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/01/2007 at 06:53 AM

Application Version : 3.9.1008

Core Rules Database Version : 3298
Trace Rules Database Version: 1306

Scan type : Complete Scan
Total Scan Time : 01:16:35

Memory items scanned : 510
Memory threats detected : 0
Registry items scanned : 6469
Registry threats detected : 0
File items scanned : 155564
File threats detected : 156

Adware.Tracking Cookie
C:\Documents and Settings\Thanh\Cookies\thanh@cgi-bin[4].txt
C:\Documents and Settings\Thanh\Cookies\thanh@i.screensavers[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@008.free-counter.co[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@optimost[2].txt
C:\Documents and Settings\Thanh\Cookies\thanh@free-popular-screensavers[2].txt
C:\Documents and Settings\Thanh\Cookies\thanh@cpvfeed[2].txt
C:\Documents and Settings\Thanh\Cookies\thanh@winantispyware[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@media.pc.ign[2].txt
C:\Documents and Settings\Thanh\Cookies\thanh@www.winantiviruspro[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@stat.alleba[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@focalex[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@drivecleaner[2].txt
C:\Documents and Settings\Thanh\Cookies\thanh@cgi-bin[2].txt
C:\Documents and Settings\Thanh\Cookies\thanh@www.amaena[2].txt
C:\Documents and Settings\Thanh\Cookies\thanh@adopt.specificclick[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@www.sexgamesfree[2].txt
C:\Documents and Settings\Thanh\Cookies\thanh@ads.asia1.com[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@lynxtrack[2].txt
C:\Documents and Settings\Thanh\Cookies\thanh@cgi-bin[3].txt
C:\Documents and Settings\Thanh\Cookies\thanh@www.2adultflashgames[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@ads.adbrite[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@cgi-bin[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@indiads[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@ads.mobiledia[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@adultadworld[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@sexgamesfree[2].txt
C:\Documents and Settings\Thanh\Cookies\thanh@60960915[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@html[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@atdmt[2].txt
C:\Documents and Settings\Thanh\Cookies\thanh@audit.median[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@www.screensavers[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@ads.habbogroup[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@ads.thestar[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@clicksor[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@ads.hi5[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@mtr.splash.sexsearch[2].txt
C:\Documents and Settings\Thanh\Cookies\thanh@stats.absolut[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@toplist[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@mb[3].txt
C:\Documents and Settings\Thanh\Cookies\thanh@www.burstbeacon[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@www.drivecleaner[2].txt
C:\Documents and Settings\Thanh\Cookies\thanh@cgi-bin[5].txt
C:\Documents and Settings\Thanh\Cookies\thanh@anad.tacoda[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@atwola[2].txt
C:\Documents and Settings\Thanh\Cookies\thanh@image.masterstats[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@ads.realtechnetwork[2].txt
C:\Documents and Settings\Thanh\Cookies\thanh@nac.nasmedia.co[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@adsrevenue[2].txt
C:\Documents and Settings\Thanh\Cookies\thanh@partner2profit[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@ad.bannerconnect[2].txt
C:\Documents and Settings\Thanh\Cookies\thanh@www.upspiral[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@data2.perf.overture[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@phpmv2[2].txt
C:\Documents and Settings\Thanh\Cookies\thanh@ad[2].txt
C:\Documents and Settings\Thanh\Cookies\thanh@stats[2].txt
C:\Documents and Settings\Thanh\Cookies\thanh@azjmp[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@click.cybertvpartner[2].txt
C:\Documents and Settings\Thanh\Cookies\thanh@server.cpmstar[2].txt
C:\Documents and Settings\Thanh\Cookies\thanh@dist.belnk[2].txt
C:\Documents and Settings\Thanh\Cookies\thanh@ads.gametrust[2].txt
C:\Documents and Settings\Thanh\Cookies\thanh@usenext[2].txt
C:\Documents and Settings\Thanh\Cookies\thanh@ad1.clickhype[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@mb[5].txt
C:\Documents and Settings\Thanh\Cookies\thanh@mb[2].txt
C:\Documents and Settings\Thanh\Cookies\thanh@ads.gamershell[2].txt
C:\Documents and Settings\Thanh\Cookies\thanh@adverticum[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@adcentriconline[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@login.tracking101[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@network-ca.247realmedia[2].txt
C:\Documents and Settings\Thanh\Cookies\thanh@ads.cnn[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@try.screensavers[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@ads.newgrounds[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@www.popundersupply[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@ads.ak.facebook[2].txt
C:\Documents and Settings\Thanh\Cookies\thanh@date.ventivmedia[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@winantivirus[2].txt
C:\Documents and Settings\Thanh\Cookies\thanh@1067316134[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@xiti[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@upspiral[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@screensavers[2].txt
C:\Documents and Settings\Thanh\Cookies\thanh@a.websponsors[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@stats.drivecleaner[2].txt
C:\Documents and Settings\Thanh\Cookies\thanh@amaena[2].txt
C:\Documents and Settings\Thanh\Cookies\thanh@cassava[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@ad.zanox[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@belnk[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@ads.monster[2].txt
C:\Documents and Settings\Thanh\Cookies\thanh@mediaplex[1].txt
C:\Documents and Settings\Thanh\Cookies\thanh@888[2].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@3.adbrite[2].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@acvs.mediaonenetwork[1].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@ad.zanox[1].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@ad1.clickhype[1].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@adcentriconline[2].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@adknowledge[2].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@adopt.specificclick[2].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@ads.adbrite[1].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@ads.ak.facebook[1].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@ads.cnn[1].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@ads.mediamayhemcorp[1].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@ads.mininova[2].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@ads.realtechnetwork[2].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@ads.revsci[1].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@adultadworld[2].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@adverticum[2].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@anad.tacoda[2].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@atwola[1].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@audit.median[1].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@azjmp[1].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@burstnet[2].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@calltones.tripod[1].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@counter.plugin[1].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@cpvfeed[2].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@drivecleaner[1].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@hentaicounter[2].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@image.masterstats[1].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@imrworldwide[2].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@m1.webstats4u[1].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@mediaonenetwork[1].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@nextag[2].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@server.cpmstar[2].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@sexgamesfree[1].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@stats.drivecleaner[2].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@toplist[1].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@tracking.foxnews[1].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@tracking.summitmedia.co[1].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@trackitdown[2].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@vitamine.networldmedia[2].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@www.3dstats[1].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@www.burstbeacon[1].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@www.clickmanage[2].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@www.drivecleaner[1].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@www.ezytrack[2].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@www.googleadservices[1].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@www.googleadservices[2].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@www.googleadservices[3].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@www3.addfreestats[2].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@xiti[1].txt
E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@yadro[1].txt

Trojan.NewDotNet
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\NEWDOTNET\NEWDOTNET7_48.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\NEWDOTNET\UNINSTALL6_38.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\NEWDOTNET\UNINSTALL7_48.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\NDNUNINSTALL6_38.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\NDNUNINSTALL7_22.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\NDNUNINSTALL7_48.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6234A527-9F8C-4B94-9595-7D37DDAB2341}\RP571\A0179266.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6234A527-9F8C-4B94-9595-7D37DDAB2341}\RP571\A0179267.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6234A527-9F8C-4B94-9595-7D37DDAB2341}\RP571\A0179268.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6234A527-9F8C-4B94-9595-7D37DDAB2341}\RP571\A0179273.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6234A527-9F8C-4B94-9595-7D37DDAB2341}\RP571\A0179274.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6234A527-9F8C-4B94-9595-7D37DDAB2341}\RP571\A0179275.EXE

Unclassified.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\TMP212.TMP.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\TMP338.TMP.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6234A527-9F8C-4B94-9595-7D37DDAB2341}\RP571\A0179270.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6234A527-9F8C-4B94-9595-7D37DDAB2341}\RP571\A0179271.DLL


------------------------------------------------------------------------------------------------------------------------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 7:26:34 AM, on 9/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Webcam Recorder\ml20gui.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSN Webcam Recorder] "C:\Program Files\MSN Webcam Recorder\ml20gui.exe" -silent
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Thanh\Start Menu\Programs\IMVU\Run IMVU.lnk
O16 - DPF: {0CBF7EDC-17EC-442C-8AE9-5E804707B6CA} (NeffyClient Class) - http://dist.cdnetworks.co.kr/cdndist/neffy/Neffy.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.0.84.cab
O16 - DPF: {7B41B7AC-3496-4C13-A70F-DE6B60A6A8A8} (MGAME manager Class) - http://www.legendofares.com/download/mgusamanagerv1001.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/activex/dmcc2.c...ersion=1,0,0,10
O16 - DPF: {AA33C66F-71DB-43E9-B559-3CBE4398E9A9} (BugsGameStarts Class) - http://au.bugsgames.net/game/GBugsGameStart.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {BEED76B7-F5FF-4FBE-99CE-E8529591BC9F} (FantaTennisActiveX Control) - http://www.fantatennis.jp/FantaDownLoad/Ac...nnisActiveX.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/tricksterActiveX.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.tricksteronline.com/control/KALogoutComponent.cab
O16 - DPF: {E1CE4482-98E9-48F8-8D0D-EF03BC9E26F3} (BugsGameStarts Class) - http://audition.bugs.co.kr/Game/BugsGameStart.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Attached Files



#9 skyaries89

skyaries89
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:29 AM

Posted 01 September 2007 - 06:29 AM

it runs a bit better, but i still have the problem, when i firs tlogin or start my pc, it takes long for my screen to show up, i would only see my start bar on the bottom and background but, it takes like 2-3mins for all my desktops icons to pop up, is it cause alot of programs r starting up at once?

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:29 AM

Posted 01 September 2007 - 07:00 AM

If you have the McAfee [Network Associates] installation disk,try uninstalling/reinstalling McAfee.

If still no joy,try this:
Disconnect from the internet.
Click on Start>Run,type msconfig then press Enter.
Under the 'Startup' tab uncheck EVERYTHING,then reboot.
If your pc seems to be back up to speed at startup,start adding items/entries back by rechecking the boxes one at a time.
Restart your pc in between each one.
Using trial and error,keep trying that until you find the problem program/process.
*Note*
Don't forget to make sure your antivirus and firewall are running before you reconnect to the internet.

Let me know how you get on.

Edited by RichieUK, 01 September 2007 - 07:00 AM.

Posted Image
Posted Image

#11 skyaries89

skyaries89
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:29 AM

Posted 01 September 2007 - 07:26 AM

it still goes pretty slow at start up, and no i dont have a installation disk for mccafee anymore, is there a way for me to reinstall without a cd?, or any other anti virus just as good?, i also have another problem, iuno if its related, , my resolution is 1280x1024, b4 when i used smaller resolution wallpapers, and stretched it, i would still have perfect quality, but now, when i do that, its gets blurry, and i would now have to find wallpapers exactly 1280x1024 or it wud be ugly, my graphic card is geforce 7800GT, would u know any solution to this?

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:29 AM

Posted 01 September 2007 - 07:43 AM

Uninstall/remove SUPERAntiSpyware via Add or Remove Programs,then restart your pc.

Find and delete:
C:\QOOBOX

Clear your 'System Restore' points by doing the following:
Right-click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Select 'Turn Off System Restore On All Drives'.
Select 'Apply'.
You will then get the following warning:
"You have chosen to turn off System Restore.
If you continue,all existing restore points will be deleted,and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?".
Then select 'Yes',your 'System Restore' directories will be purged.

Restart your pc.

Turn 'System Restore' back on:

Right click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Unselect 'Turn Off System Restore On All Drives'.
Select 'Apply',then click 'Ok'.


Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.

If you use Opera browser,do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords,please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.


Run this online virus scan:Activescan using Internet Explorer.
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on Local Disks to start the scan
When the scan completes,click the See Report button, then Save Report, and save it to your desktop.
Post the Activescan report in your next reply.


Download\unzip SilentRunners.vbs to your desktop:
http://www.silentrunners.org/Silent%20Runners.zip
Run Silent Runner's by double clicking the 'SilentRunners.vbs' icon.
You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it into your next reply.
*NOTE*
If you receive any warning message about scripts,please choose to allow the script to run.
Posted Image
Posted Image

#13 skyaries89

skyaries89
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:29 AM

Posted 01 September 2007 - 11:32 AM

Incident Status Location

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Thanh\Application Data\Mozilla\Firefox\Profiles\jlisx5vn.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Thanh\Application Data\Mozilla\Firefox\Profiles\jlisx5vn.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Thanh\Application Data\Mozilla\Firefox\Profiles\jlisx5vn.default\cookies.txt[.com.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Thanh\Application Data\Mozilla\Firefox\Profiles\jlisx5vn.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Thanh\Application Data\Mozilla\Firefox\Profiles\jlisx5vn.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Thanh\Application Data\Mozilla\Firefox\Profiles\jlisx5vn.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Thanh\Application Data\Mozilla\Firefox\Profiles\jlisx5vn.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Thanh\Application Data\Mozilla\Firefox\Profiles\jlisx5vn.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Thanh\Application Data\Mozilla\Firefox\Profiles\jlisx5vn.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Thanh\Application Data\Mozilla\Firefox\Profiles\jlisx5vn.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Thanh\Application Data\Mozilla\Firefox\Profiles\jlisx5vn.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Thanh\Application Data\Mozilla\Firefox\Profiles\jlisx5vn.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Thanh\Application Data\Mozilla\Firefox\Profiles\jlisx5vn.default\cookies.txt[.i.screensavers.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Thanh\Application Data\Mozilla\Firefox\Profiles\jlisx5vn.default\cookies.txt[.statcounter.com/]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Thanh\Desktop\ComboFix.exe[nircmd.exe]
Virus:Trj/Downloader.MDW Disinfected C:\GMouse20\Gmouse.exe
Adware:Adware/WebSearch Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\tmp109.tmp.dll.vir
Virus:Generic Trojan Disinfected C:\qoobox\Quarantine\catchme2007-08-31_213030.84.zip[GEARdgr.dll]
Adware:Adware/GoodSearchNow Not disinfected C:\QUARANTINE\A0134210.sys.Vir
Adware:Adware/GoodSearchNow Not disinfected C:\QUARANTINE\A0135181.sys.Vir
Adware:Adware/GoodSearchNow Not disinfected C:\QUARANTINE\A0135214.sys.Vir
Virus:Trj/Agent.EUG Disinfected C:\QUARANTINE\bugoga[1].Vir
Virus:Generic Trojan Disinfected C:\QUARANTINE\drf1175556594[1].htm.exe.Vir
Virus:Generic Trojan Disinfected C:\QUARANTINE\drf1175556594[1].htm.Vir
Adware:Adware/GoodSearchNow Not disinfected C:\QUARANTINE\kaspersky.sys.Vir
Adware:Adware/GoodSearchNow Not disinfected C:\QUARANTINE\kaspersky.sys.Vir.0
Adware:Adware/GoodSearchNow Not disinfected C:\QUARANTINE\kaspersky.sys.Vir.1
Adware:Adware/GoodSearchNow Not disinfected C:\QUARANTINE\kaspersky.sys.Vir.2
Virus:Trj/Agent.FCA Disinfected C:\QUARANTINE\nauj_20070426[1].Vir
Virus:Trj/Agent.EUG Disinfected C:\QUARANTINE\tmp212.tmp.exe.Vir
Virus:Trj/Agent.FCA Disinfected C:\QUARANTINE\tmp3.tmp.exe.Vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
Virus:Generic Backdoor Disinfected E:\$Recycle.Bin\S-1-5-21-874465183-3058979884-3266257376-1000\$RWXKWXL.exe
Spyware:Cookie/Go Not disinfected E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@go[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected E:\Users\Thanh\AppData\Roaming\Microsoft\Windows\Cookies\thanh@www.myaffiliateprogram[1].txt

---------------------------------------------------------------------------------------------------------------------------------------------



"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"ShStatEXE" = ""C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE" ["Network Associates, Inc."]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Groove GFS Browser Helper"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\windows\system32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{8e9d6600-f84a-11ce-8daa-00aa004a5691}" = "Shell extensions for NetWare"
-> {HKLM...CLSID} = "NetWare Objects"
\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{e3f2bac0-099f-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"
-> {HKLM...CLSID} = "NetWare UNC Folder Menu"
\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{52c68510-09a0-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"
-> {HKLM...CLSID} = "NetWare Hood Verbs"
\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{329E4C0E-9B95-4EA9-83AF-5B6FBD190477}" = "*"
-> {HKLM...CLSID} = "Burn My Files ( New ) "
\InProcServer32\(Default) = "C:\PROGRA~1\GetData\BURNMY~1\BURNMY~1.DLL" ["GetData Pty Ltd"]
"{A5110426-177D-4e08-AB3F-785F10B4439C}" = "Sony Ericsson File Manager"
-> {HKLM...CLSID} = "Sony Ericsson File Manager"
\InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile2\File Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"]
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}" = "Groove GFS Browser Helper"
-> {HKLM...CLSID} = "Groove GFS Browser Helper"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}" = "Groove GFS Explorer Bar"
-> {HKLM...CLSID} = "Groove Folder Synchronization"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]
"{A449600E-1DC6-4232-B948-9BD794D62056}" = "Groove GFS Stub Icon Handler"
-> {HKLM...CLSID} = "Groove GFS Stub Icon Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
-> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]
"{6C467336-8281-4E60-8204-430CED96822D}" = "Groove GFS Context Menu Handler"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]
"{387E725D-DC16-4D76-B310-2C93ED4752A0}" = "Groove XML Icon Handler"
-> {HKLM...CLSID} = "Groove XML Icon Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]
"{16F3DD56-1AF5-4347-846D-7C10C4192619}" = "Groove Explorer Icon Overlay 3 (GFS Folder)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 3 (GFS Folder)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]
"{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}" = "Groove Explorer Icon Overlay 2 (GFS Stub)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2 (GFS Stub)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]
"{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}" = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]
"{99FD978C-D287-4F50-827F-B2C658EDA8E7}" = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]
"{920E6DB1-9907-4370-B3A0-BAFC03D81399}" = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\MLSHEXT.DLL" [MS]
"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
-> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\ONFILTER.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}" = "My Logitech Pictures"
-> {HKLM...CLSID} = "My Logitech Pictures"
\InProcServer32\(Default) = "C:\Program Files\Logitech\Video\Namespc2.dll" ["Logitech Inc."]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
-> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]

HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"pfdnnt C:\WINDOWS\system32\pfdnnt_actions.sys" ["Panda Software International"]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Network Associates\VirusScan\shext.dll" ["Network Associates, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Network Associates\VirusScan\shext.dll" ["Network Associates, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
NetWareUNCMenu\(Default) = "{e3f2bac0-099f-11cf-8daa-00aa004a5691}"
-> {HKLM...CLSID} = "NetWare UNC Folder Menu"
\InProcServer32\(Default) = "nwprovau.dll" [MS]
VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Network Associates\VirusScan\shext.dll" ["Network Associates, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]

HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
*\(Default) = "{329E4C0E-9B95-4EA9-83AF-5B6FBD190477}"
-> {HKLM...CLSID} = "Burn My Files ( New ) "
\InProcServer32\(Default) = "C:\PROGRA~1\GetData\BURNMY~1\BURNMY~1.DLL" ["GetData Pty Ltd"]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\Mozilla\Firefox\Desktop Background.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Thanh\Application Data\Mozilla\Firefox\Desktop Background.bmp"


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 22
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{014DA6CE-189F-421A-88CD-07CFE51CFF10}\(Default) = "My Search Bar Quick View"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

HKLM\Software\Classes\CLSID\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\(Default) = "Groove Folder Synchronization"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [MS]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_02"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_02"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll" ["Sun Microsystems, Inc."]

{2670000A-7350-4F3C-8081-5663EE0C6C49}\
"ButtonText" = "Send to OneNote"
"MenuText" = "S&end to OneNote"
"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"
-> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll" [MS]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{D9288080-1BAA-4BC4-9CF8-A92D743DB949}\
"ButtonText" = "Run IMVU"
"Exec" = "C:\Documents and Settings\Thanh\Start Menu\Programs\IMVU\Run IMVU.lnk" [null data]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]
Client Service for NetWare, NWCWorkstation, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\nwwks.dll" [MS]}
McAfee Framework Service, McAfeeFramework, "C:\Program Files\Network Associates\Common Framework\FrameworkService.exe /ServiceStart" ["Network Associates, Inc."]
Network Associates McShield, McShield, ""C:\Program Files\Network Associates\VirusScan\Mcshield.exe"" ["Network Associates, Inc."]
Network Associates Task Manager, McTaskManager, ""C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe"" ["Network Associates, Inc."]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS]


---------- (launch time: 2007-09-01 12:30:21)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 37 seconds, including 12 seconds for message boxes)

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:09:29 AM

Posted 01 September 2007 - 12:25 PM

C:\QUARANTINE<= Delete everything inside this folder,then empty the Recycle Bin.
If your pc is still a little slow,read and follow the info in the link below:
Help! My computer is slow!
http://users.telenet.be/bluepatchy/miekiem...owcomputer.html

Let me know how you get on.
Posted Image
Posted Image

#15 skyaries89

skyaries89
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:03:29 AM

Posted 01 September 2007 - 12:33 PM

doesnt help




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users