
Cant Get Rid Of Mmdmm.exe


  • This topic is locked
13 replies to this topic

#1 sexecutioner

sexecutioner

  • Members
  • 7 posts
  • OFFLINE
  • Local time:10:08 PM

Posted 20 October 2007 - 05:11 AM

Hi guys, I can't get rid of the mmdmm.exe trojan.

I used HijackThis, SDFix and ComboFix, and every time I reset it comes back.

Here is the latest HijackThis log.

Hope someone can help me because I'm out of ideas.

Thanks
----------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11:20 PM, on 10/20/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Eset\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\FlashGet\FlashGet.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\012Net\012Net-Cable dialer\fts.exe
C:\Program Files\Eset\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\System32\mmdmm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [%FP%012-L2TP FWPortal.exe] "C:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe" -no_dialog
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SoftPerfect Personal Firewall] C:\Program Files\SoftPerfect Personal Firewall\fw.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\FlashGet.exe /min
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [%FP%012-L2TP fts.exe] "C:\Program Files\012Net\012Net-Cable dialer\fts.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\Eset\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [mmsass] mmdmm.exe
O4 - HKLM\..\RunServices: [mmsass] mmdmm.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1220945662-2049760794-839522115-1003\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{22D6345F-E193-4DFD-8E01-EFE98D0168CB}: NameServer = 212.117.129.5 212.116.161.38
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\Eset\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - Eset - C:\Program Files\Eset\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NBService - Nero AG - E:\nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:04:08 AM

Posted 20 October 2007 - 06:49 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, sexecutioner :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

If you have previously downloaded ComboFix, please delete that version now.
Now download ComboFix and save it to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Click on Start/Run, copy and paste the following bold text into the 'Open:' space, then press OK:
"%userprofile%\desktop\combofix.exe" /killall
ComboFix.exe will start; please follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new HijackThis log, please.

#3 sexecutioner

sexecutioner
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:10:08 PM

Posted 20 October 2007 - 11:02 AM

Thanks Richie.

Here is the ComboFix log.

--------------------------------------------------------------------------

ComboFix 07-10-20.7 - sergey 2007-10-20 17:57:17.5 - FAT32x86
Running from: C:\Documents and Settings\sergey\desktop\combofix.exe
Command switches used :: /killall
.

((((((((((((((((((((((((( Files Created from 2007-09-20 to 2007-10-20 )))))))))))))))))))))))))))))))
.

2007-10-20 13:06 0 --a------ C:\WINDOWS\system32\dload.exe
2007-10-20 12:43 <DIR> d-------- C:\HJT
2007-10-20 11:51 507,392 --a------ C:\WINDOWS\system32\msoft62042.exe
2007-10-20 11:49 507,392 -r-hs---- C:\WINDOWS\wuaurpl.exe
2007-10-20 11:47 507,392 --a------ C:\WINDOWS\system32\msoft57568.exe
2007-10-20 11:46 507,392 --a------ C:\WINDOWS\system32\msoft27550.exe
2007-10-19 21:25 <DIR> d-------- C:\Program Files\InCode Solutions
2007-10-19 21:23 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Eset
2007-10-19 20:37 507,392 --a------ C:\WINDOWS\system32\msoft12401.exe
2007-10-19 20:06 <DIR> d--hs---- C:\FOUND.001
2007-10-19 18:30 55,712 --ah----- C:\WINDOWS\system32\ycmhspa.exe
2007-10-19 18:17 <DIR> d-------- C:\WINDOWS\rdrive
2007-10-19 15:10 <DIR> d---s---- C:\Documents and Settings\sergey\UserData
2007-10-14 21:54 <DIR> d--hs---- C:\FOUND.000
2007-10-12 20:43 <DIR> d-------- C:\Program Files\Canopus
2007-10-12 20:43 <DIR> d-------- C:\CanopusTemp
2007-10-12 20:43 149,504 --a------ C:\WINDOWS\system32\CSEDV.DLL
2007-10-12 20:43 93,696 --a------ C:\WINDOWS\system32\CSCCDVC.DLL
2007-10-12 20:43 32,256 --a------ C:\WINDOWS\system32\CDVCCODC.DLL
2007-10-12 20:43 30,208 --a------ C:\WINDOWS\system32\DECCDVC.DLL
2007-10-06 18:41 <DIR> d-------- C:\Downloads
2007-10-02 17:45 561 --a------ C:\u2.reg
2007-09-21 09:59 <DIR> d-------- C:\Program Files\Interplay Productions
2007-09-21 09:59 <DIR> d-------- C:\Conquest
2007-09-21 09:41 <DIR> d-------- C:\Documents and Settings\sergey\Application Data\Ahead
2007-09-21 09:41 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Ahead
2007-09-21 09:39 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-09-21 09:39 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Nero
2007-09-21 09:17 28,680 --a------ C:\WINDOWS\system32\drivers\epfwtdir.sys
2007-09-21 09:15 33,288 --a------ C:\WINDOWS\system32\drivers\eamon.sys
2007-09-21 09:15 25,096 --a------ C:\WINDOWS\system32\drivers\easdrv.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-20 15:09 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-10-20 15:09 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-10-04 13:17 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-09-19 18:50 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-08-28 10:58 --------- d-----w C:\Program Files\VentSrv
2007-08-23 13:25 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\sentinel
2007-08-23 13:10 --------- d-----w C:\Program Files\Common Files\Panda Software
2007-08-23 13:05 --------- d-----w C:\Program Files\mIRC
2007-08-23 13:05 --------- d-----w C:\Documents and Settings\sergey\Application Data\mIRC
2007-08-23 10:20 --------- d-----w C:\Program Files\LIUtilities
2007-08-23 09:41 --------- d-----w C:\Documents and Settings\sergey\Application Data\Uniblue
2007-08-23 09:40 --------- d-----w C:\Program Files\Uniblue
2007-02-28 13:39 271 --sh--w C:\Program Files\desktop.ini
2007-02-28 13:39 21,952 ---h--w C:\Program Files\folder.htt
2007-02-28 16:41:12 476,275 --sh--w C:\WINDOWS\system32\orutv.bak1
2002-08-29 01:41:24 66,713 --sh--r C:\WINDOWS\system32\mmdmm.exe
2007-03-01 09:54:20 486,996 --sh--w C:\WINDOWS\system32\orutv.ini2
.

((((((((((((((((((((((((((((( snapshot@2007-10-20_11.06.21.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-09-28 07:06:10 135,168 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-20 04:03:32 136,192 ----a-w C:\WINDOWS\catchme.exe
- 2007-08-25 21:30:20 380,928 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2007-10-20 09:40:14 589,824 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
- 2007-08-25 21:30:20 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-10-20 09:40:14 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2007-10-20 08:28:22 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-10-20 09:55:48 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-10-20 08:28:22 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-10-20 09:55:48 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-04-02 12:21:28 139,776 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-10-05 08:07:32 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 17:12]
"%FP%012-L2TP FWPortal.exe"="C:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe" [2005-02-03 14:32]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 15:44 C:\WINDOWS\KHALMNPR.Exe]
"SoftPerfect Personal Firewall"="C:\Program Files\SoftPerfect Personal Firewall\fw.exe" [2005-07-15 01:30]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Flashget"="C:\Program Files\FlashGet\FlashGet.exe" [2007-04-29 10:26]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-10-28 21:05]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"%FP%012-L2TP fts.exe"="C:\Program Files\012Net\012Net-Cable dialer\fts.exe" [2004-01-07 14:37]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57]
"WinampAgent"="C:\Program Files\Winamp\wianmpa.exe" []
"egui"="C:\Program Files\Eset\ESET NOD32 Antivirus\egui.exe" [2007-09-21 09:16]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 03:41]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 19:03]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-02-28 19:11:20]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\System32\\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoveIT Pro XT]
C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe


*Newly Created Service* - PNKBSTRK
.
Contents of the 'Scheduled Tasks' folder
"2007-10-19 17:40:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-20 17:58:32
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-20 17:58:59
C:\ComboFix2.txt ... 2007-10-20 12:57
C:\ComboFix3.txt ... 2007-10-20 11:21
.
--- E O F ---


-------------------------------------------------------------------------------------------------------


Here is the HijackThis log.

-------------------------------------------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:01:21 PM, on 10/20/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Eset\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [%FP%012-L2TP FWPortal.exe] "C:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe" -no_dialog
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SoftPerfect Personal Firewall] C:\Program Files\SoftPerfect Personal Firewall\fw.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\FlashGet.exe /min
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [%FP%012-L2TP fts.exe] "C:\Program Files\012Net\012Net-Cable dialer\fts.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\Eset\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1220945662-2049760794-839522115-1003\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{22D6345F-E193-4DFD-8E01-EFE98D0168CB}: NameServer = 212.117.129.5 212.116.161.38
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\Eset\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - Eset - C:\Program Files\Eset\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NBService - Nero AG - E:\nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 5526 bytes

---------------------------------------------------------------------------------------------------

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:04:08 AM

Posted 20 October 2007 - 11:49 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\system32\dload.exe
C:\WINDOWS\system32\msoft62042.exe
C:\WINDOWS\wuaurpl.exe
C:\WINDOWS\system32\msoft57568.exe
C:\WINDOWS\system32\msoft27550.exe
C:\WINDOWS\system32\msoft12401.exe
C:\WINDOWS\system32\ycmhspa.exe
C:\WINDOWS\system32\orutv.bak1
C:\WINDOWS\system32\mmdmm.exe
C:\WINDOWS\system32\orutv.ini2
Folder::
C:\WINDOWS\rdrive

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply along with a new HijackThis log.

Edited by RichieUK, 20 October 2007 - 11:50 AM.
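As an added example (not code from the thread, from HijackThis or from ComboFix), here is a small Python triage pass over the two kinds of lines RichieUK worked from: HijackThis O4 autostart entries and ComboFix file listings. It flags Run values whose image carries no path (so Windows resolves it through the search path, the way `[mmsass] mmdmm.exe` is written), values under the Windows 9x-era RunServices key, and executables under C:\WINDOWS carrying both the hidden and system attributes, then correlates the two lists to surface a file like mmdmm.exe. The sample lines are constructed to match the shape of the logs above, the heuristics are my own assumptions rather than either tool's logic, and a hit is a lead for review, not a verdict.

```python
"""Triage helpers for HijackThis O4 lines and ComboFix file listings.

Added example: not part of the thread, HijackThis or ComboFix. The
heuristics below are assumptions chosen to illustrate the triage.
"""
import re
from dataclasses import dataclass

# Constructed sample input modelled on the shape of the logs in the thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [mmsass] mmdmm.exe
O4 - HKLM\..\RunServices: [mmsass] mmdmm.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
"""

# Constructed sample covering both ComboFix listing formats
# ("Files Created" with <DIR>, and "Find3M" with dashed sizes).
SAMPLE_COMBOFIX = r"""
2007-10-20 11:49 507,392 -r-hs---- C:\WINDOWS\wuaurpl.exe
2007-10-20 12:43 <DIR> d-------- C:\HJT
2007-10-04 13:17 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-08-28 10:58 --------- d-----w C:\Program Files\VentSrv
2002-08-29 01:41:24 66,713 --sh--r C:\WINDOWS\system32\mmdmm.exe
"""

O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
FILE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)\s+"
    r"(?P<size>[\d,]+|-+|<DIR>)\s+(?P<attr>[-a-z]+)\s+(?P<path>\S.*)$")


@dataclass
class Finding:
    subject: str   # "[value name] image" for O4 entries, or a file path
    reasons: list


def image_of(cmd: str) -> str:
    """Return the executable part of a Run value (drop quotes and switches)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def triage_o4(text: str) -> list:
    """Flag registry Run entries that rely on path search or on a legacy key."""
    findings = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:          # Global Startup and non-O4 lines are skipped
            continue
        image = image_of(m["cmd"])
        reasons = []
        if "\\" not in image:
            reasons.append("path-less image; resolved through the search path")
        if m["key"].lower() == "runservices":
            reasons.append("RunServices key; Windows 9x-era key rarely used by current software")
        if reasons:
            findings.append(Finding(f"[{m['name']}] {image}", reasons))
    return findings


def triage_files(text: str) -> list:
    """Flag executables under C:\\WINDOWS that carry both hidden and system attributes."""
    findings = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if not m or m["attr"].startswith("d"):   # skip directories
            continue
        path, attr = m["path"], m["attr"]
        if (path.lower().startswith("c:\\windows\\") and path.lower().endswith(".exe")
                and "h" in attr and "s" in attr):
            findings.append(Finding(path, [f"hidden+system executable ({attr})"]))
    return findings


def correlate(hjt: str, combofix: str) -> list:
    """Paths of hidden/system files that are also path-less autostart images."""
    hidden = {f.subject.rsplit("\\", 1)[-1].lower(): f.subject
              for f in triage_files(combofix)}
    hits = set()
    for f in triage_o4(hjt):
        image = f.subject.split("] ", 1)[1].lower()
        if image in hidden:
            hits.add(hidden[image])
    return sorted(hits)


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_HJT) + triage_files(SAMPLE_COMBOFIX):
        print(f.subject, "->", "; ".join(f.reasons))
    print("correlated:", correlate(SAMPLE_HJT, SAMPLE_COMBOFIX))
```

The path-less check alone also trips on the Logitech KHALMNPR.EXE entry, which is exactly why the correlation step matters: a bare image name is only a lead until a second signal (here, hidden+system attributes under C:\WINDOWS) narrows it to mmdmm.exe.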


#5 sexecutioner

sexecutioner
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:10:08 PM

Posted 20 October 2007 - 08:04 PM

OK, here are the results.

-----------------------------------------------------------------------------------------------------------------------------

ComboFix 07-10-20.7 - sergey 2007-10-21 2:58:15.6 - FAT32x86
Running from: C:\Documents and Settings\sergey\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\sergey\Desktop\CFScript.txt

FILE::
C:\WINDOWS\system32\dload.exe
C:\WINDOWS\system32\mmdmm.exe
C:\WINDOWS\system32\msoft12401.exe
C:\WINDOWS\system32\msoft27550.exe
C:\WINDOWS\system32\msoft57568.exe
C:\WINDOWS\system32\msoft62042.exe
C:\WINDOWS\system32\orutv.bak1
C:\WINDOWS\system32\orutv.ini2
C:\WINDOWS\system32\ycmhspa.exe
C:\WINDOWS\wuaurpl.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\rdrive
C:\WINDOWS\rdrive\aff.exe
C:\WINDOWS\rdrive\apm.exe
C:\WINDOWS\rdrive\system32.bat
C:\WINDOWS\system32\dload.exe
C:\WINDOWS\system32\mmdmm.exe
C:\WINDOWS\system32\msoft12401.exe
C:\WINDOWS\system32\msoft27550.exe
C:\WINDOWS\system32\msoft57568.exe
C:\WINDOWS\system32\msoft62042.exe
C:\WINDOWS\system32\orutv.bak1
C:\WINDOWS\system32\orutv.ini2
C:\WINDOWS\system32\ycmhspa.exe
C:\WINDOWS\wuaurpl.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-21 to 2007-10-21 )))))))))))))))))))))))))))))))
.

2007-10-20 12:43 <DIR> d-------- C:\HJT
2007-10-19 21:25 <DIR> d-------- C:\Program Files\InCode Solutions
2007-10-19 21:23 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Eset
2007-10-19 20:06 <DIR> d--hs---- C:\FOUND.001
2007-10-19 15:10 <DIR> d---s---- C:\Documents and Settings\sergey\UserData
2007-10-14 21:54 <DIR> d--hs---- C:\FOUND.000
2007-10-12 20:43 <DIR> d-------- C:\Program Files\Canopus
2007-10-12 20:43 <DIR> d-------- C:\CanopusTemp
2007-10-12 20:43 149,504 --a------ C:\WINDOWS\system32\CSEDV.DLL
2007-10-12 20:43 93,696 --a------ C:\WINDOWS\system32\CSCCDVC.DLL
2007-10-12 20:43 32,256 --a------ C:\WINDOWS\system32\CDVCCODC.DLL
2007-10-12 20:43 30,208 --a------ C:\WINDOWS\system32\DECCDVC.DLL
2007-10-06 18:41 <DIR> d-------- C:\Downloads
2007-10-02 17:45 561 --a------ C:\u2.reg
2007-09-21 09:59 <DIR> d-------- C:\Program Files\Interplay Productions
2007-09-21 09:59 <DIR> d-------- C:\Conquest
2007-09-21 09:41 <DIR> d-------- C:\Documents and Settings\sergey\Application Data\Ahead
2007-09-21 09:41 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Ahead
2007-09-21 09:39 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-09-21 09:39 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Nero
2007-09-21 09:17 28,680 --a------ C:\WINDOWS\system32\drivers\epfwtdir.sys
2007-09-21 09:15 33,288 --a------ C:\WINDOWS\system32\drivers\eamon.sys
2007-09-21 09:15 25,096 --a------ C:\WINDOWS\system32\drivers\easdrv.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-20 15:09 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-10-20 15:09 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-10-04 13:17 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-09-19 18:50 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-08-28 10:58 --------- d-----w C:\Program Files\VentSrv
2007-08-23 13:25 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\sentinel
2007-08-23 13:10 --------- d-----w C:\Program Files\Common Files\Panda Software
2007-08-23 13:05 --------- d-----w C:\Program Files\mIRC
2007-08-23 13:05 --------- d-----w C:\Documents and Settings\sergey\Application Data\mIRC
2007-08-23 10:20 --------- d-----w C:\Program Files\LIUtilities
2007-08-23 09:41 --------- d-----w C:\Documents and Settings\sergey\Application Data\Uniblue
2007-08-23 09:40 --------- d-----w C:\Program Files\Uniblue
2007-02-28 13:39 271 --sh--w C:\Program Files\desktop.ini
2007-02-28 13:39 21,952 ---h--w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((( snapshot@2007-10-20_11.06.21.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-09-28 07:06:10 135,168 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-20 04:03:32 136,192 ----a-w C:\WINDOWS\catchme.exe
- 2007-08-25 21:30:20 380,928 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2007-10-20 09:40:14 589,824 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
- 2007-08-25 21:30:20 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-10-20 09:40:14 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2007-10-20 08:28:22 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-10-20 09:55:48 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-10-20 08:28:22 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-10-20 09:55:48 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-04-02 12:21:28 139,776 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-10-05 08:07:32 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 17:12]
"%FP%012-L2TP FWPortal.exe"="C:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe" [2005-02-03 14:32]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-01-23 15:44 C:\WINDOWS\KHALMNPR.Exe]
"SoftPerfect Personal Firewall"="C:\Program Files\SoftPerfect Personal Firewall\fw.exe" [2005-07-15 01:30]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Flashget"="C:\Program Files\FlashGet\FlashGet.exe" [2007-04-29 10:26]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-10-28 21:05]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"%FP%012-L2TP fts.exe"="C:\Program Files\012Net\012Net-Cable dialer\fts.exe" [2004-01-07 14:37]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57]
"WinampAgent"="C:\Program Files\Winamp\wianmpa.exe" []
"egui"="C:\Program Files\Eset\ESET NOD32 Antivirus\egui.exe" [2007-09-21 09:16]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 03:41]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 19:03]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-02-28 19:11:20]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\System32\\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoveIT Pro XT]
C:\Program Files\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe


*Newly Created Service* - PNKBSTRK
.
Contents of the 'Scheduled Tasks' folder
"2007-10-19 17:40:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-21 03:01:03
Windows 5.1.2600 Service Pack 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-21 3:01:25
C:\ComboFix2.txt ... 2007-10-20 17:59
C:\ComboFix3.txt ... 2007-10-20 12:57
.
--- E O F ---



-------------------------------------------------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:03:38 AM, on 10/21/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Eset\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\cmd.exe
E:\emulekk2\emule.exe
C:\Program Files\ICQ6\ICQ.exe
C:\Program Files\SoftPerfect Personal Firewall\fw.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\HJT\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [%FP%012-L2TP FWPortal.exe] "C:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe" -no_dialog
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SoftPerfect Personal Firewall] C:\Program Files\SoftPerfect Personal Firewall\fw.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\FlashGet.exe /min
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [%FP%012-L2TP fts.exe] "C:\Program Files\012Net\012Net-Cable dialer\fts.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\Eset\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1220945662-2049760794-839522115-1003\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{22D6345F-E193-4DFD-8E01-EFE98D0168CB}: NameServer = 212.117.129.5 212.116.161.38
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\Eset\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - Eset - C:\Program Files\Eset\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NBService - Nero AG - E:\nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 5684 bytes

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 21 October 2007 - 03:02 AM

Do you recognise the following as either a Domain or your Internet Service Provider:
212.117.129.5 - 212.116.161.38
Golden Lines International Communication Services Ltd.

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, on the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.

Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
• Now click on Scan Settings
• In the scan settings make sure that the following are selected:
• Scan using the following Anti-Virus database:
• Standard
• Scan Options:
• Scan Archives
• Scan Mail Bases
• Click OK
• Now under select a target to scan:
• Select My Computer
• This will start the program and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
• Now click on the Save as Text button:
• Save the file to your desktop.
Copy and paste the contents of that file into your next reply.

Also post a new HijackThis log, and let me know how your PC is running now.

#7 sexecutioner

sexecutioner
  • Topic Starter

  • Members
  • 7 posts

Posted 21 October 2007 - 08:18 AM

Yes, Golden Lines is my ISP.

Here is the SuperAntiSpyware log:

----------------------------------------------
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/21/2007 at 01:32 PM

Application Version : 3.9.1008

Core Rules Database Version : 3328
Trace Rules Database Version: 1329

Scan type : Complete Scan
Total Scan Time : 00:50:49

Memory items scanned : 482
Memory threats detected : 0
Registry items scanned : 5306
Registry threats detected : 0
File items scanned : 40738
File threats detected : 20

Adware.Tracking Cookie
C:\Documents and Settings\sergey\Cookies\sergey@2o7[2].txt
C:\Documents and Settings\sergey\Cookies\sergey@perf.overture[1].txt
C:\Documents and Settings\sergey\Cookies\sergey@statcounter[2].txt
C:\Documents and Settings\sergey\Cookies\sergey@adbrite[2].txt
C:\Documents and Settings\sergey\Cookies\sergey@atdmt[1].txt
C:\Documents and Settings\sergey\Cookies\sergey@advertising[2].txt
C:\Documents and Settings\sergey\Cookies\sergey@V02537_full[2].txt
C:\Documents and Settings\sergey\Cookies\sergey@3.adbrite[2].txt
C:\Documents and Settings\sergey\Cookies\sergey@ad.yieldmanager[1].txt
C:\Documents and Settings\sergey\Cookies\sergey@atwola[2].txt
C:\Documents and Settings\sergey\Cookies\sergey@adecn[1].txt
C:\Documents and Settings\sergey\Cookies\sergey@adserver.adreactor[1].txt
C:\Documents and Settings\sergey\Cookies\sergey@msnportal.112.2o7[1].txt
C:\Documents and Settings\sergey\Cookies\sergey@doubleclick[1].txt
C:\Documents and Settings\LocalService\Cookies\system@onlinesexfriends[1].txt
C:\Documents and Settings\LocalService\Cookies\system@adultfriendfinder[1].txt
C:\Documents and Settings\sergey\Cookies\sergey@hitbox[1].txt
C:\Documents and Settings\sergey\Cookies\sergey@ehg-kasperskylab.hitbox[1].txt

Trojan.Downloader-Gen/Suspicious
C:\PROGRAM FILES\STREAMDOWN\COCSOFT.STREAM.DOWN.V.5.9_CRK.EXE

Trojan.Download-Gen/OZBoots
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\MMDMM.EXE.VIR
-------------------------------------------------------------------------------------------------------------


Here is the Kaspersky report:


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, October 21, 2007 3:08:53 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/10/2007
Kaspersky Anti-Virus database records: 415031
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
H:\

Scan Statistics:
Total number of scanned objects: 77299
Number of viruses found: 9
Number of infected objects: 16
Number of suspicious objects: 0
Duration of the scan process: 01:27:19

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users.WINDOWS\Application Data\Eset\ESET NOD32 Antivirus\Logs\virlog.dat Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Eset\ESET NOD32 Antivirus\Logs\warnlog.dat Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Eset\ESET NOD32 Antivirus\Charon\CACHE.NDB Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\sergey\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\sergey\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\sergey\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\sergey\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\sergey\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\sergey\Local Settings\Application Data\Mozilla\Firefox\Profiles\54h8w53a.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\sergey\Local Settings\Application Data\Mozilla\Firefox\Profiles\54h8w53a.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\sergey\Local Settings\Application Data\Mozilla\Firefox\Profiles\54h8w53a.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\sergey\Local Settings\Application Data\Mozilla\Firefox\Profiles\54h8w53a.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\sergey\Local Settings\Temp\JETB389.tmp Object is locked skipped
C:\Documents and Settings\sergey\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\sergey\Application Data\Mozilla\Firefox\Profiles\54h8w53a.default\history.dat Object is locked skipped
C:\Documents and Settings\sergey\Application Data\Mozilla\Firefox\Profiles\54h8w53a.default\flashgot.log Object is locked skipped
C:\Documents and Settings\sergey\Application Data\Mozilla\Firefox\Profiles\54h8w53a.default\cert8.db Object is locked skipped
C:\Documents and Settings\sergey\Application Data\Mozilla\Firefox\Profiles\54h8w53a.default\key3.db Object is locked skipped
C:\Documents and Settings\sergey\Application Data\Mozilla\Firefox\Profiles\54h8w53a.default\parent.lock Object is locked skipped
C:\Documents and Settings\sergey\Application Data\Mozilla\Firefox\Profiles\54h8w53a.default\search.sqlite Object is locked skipped
C:\Documents and Settings\sergey\Application Data\Mozilla\Firefox\Profiles\54h8w53a.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\sergey\Application Data\Mozilla\Firefox\Profiles\54h8w53a.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\sergey\Application Data\ICQ\Application.mdb Object is locked skipped
C:\Documents and Settings\sergey\Application Data\ICQ\329667344\Owner.mdb Object is locked skipped
C:\Documents and Settings\sergey\Application Data\ICQ\329667344\Messages.mdb Object is locked skipped
C:\Documents and Settings\sergey\Application Data\Sun\Java\Deployment\cache\6.0\16\5e752950-45386403/BaaaaBaa.class Infected: Exploit.Java.Gimsh.a skipped
C:\Documents and Settings\sergey\Application Data\Sun\Java\Deployment\cache\6.0\16\5e752950-45386403 ZIP: infected - 1 skipped
C:\Documents and Settings\sergey\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\sergey\ntuser.dat.LOG Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbspark.dll Infected: Trojan-Dropper.Win32.Agent.azv skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\TEMP\HTT2367.tmp Object is locked skipped
C:\WINDOWS\TEMP\HTT23DA.tmp Object is locked skipped
C:\WINDOWS\TEMP\HTT23CC.tmp Object is locked skipped
C:\WINDOWS\TEMP\HTT24FE.tmp Object is locked skipped
C:\WINDOWS\TEMP\HTT241B.tmp Object is locked skipped
C:\WINDOWS\TEMP\HTT254A.tmp Object is locked skipped
C:\WINDOWS\TEMP\HTT255A.tmp Object is locked skipped
C:\WINDOWS\TEMP\HTT25E3.tmp Object is locked skipped
C:\WINDOWS\TEMP\HTT2640.tmp Object is locked skipped
C:\WINDOWS\TEMP\HTT26B1.tmp Object is locked skipped
C:\WINDOWS\TEMP\HTT271B.tmp Object is locked skipped
C:\WINDOWS\TEMP\HTT2806.tmp Object is locked skipped
C:\WINDOWS\TEMP\HTT2A08.tmp Object is locked skipped
C:\WINDOWS\TEMP\HTT4417.tmp Object is locked skipped
C:\WINDOWS\TEMP\HTT4B28.tmp Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\System Volume Information\_restore{78C18916-F750-4409-8CE3-3B1C7D4C3E7F}\RP71\change.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\rdrive\aff.exe.vir Infected: Trojan-Downloader.Win32.VB.bmv skipped
C:\QooBox\Quarantine\C\WINDOWS\rdrive\apm.exe.vir Infected: Trojan-Downloader.Win32.VB.bmv skipped
E:\backups\backup-20070825-155048-627.dll Infected: Trojan-Downloader.Win32.Agent.dto skipped
E:\emulekk2\Temp\001.part Object is locked skipped
E:\emulekk2\Temp\003.part Object is locked skipped
E:\emulekk2\Temp\004.part Object is locked skipped
E:\emulekk2\Temp\005.part Object is locked skipped
E:\emulekk2\Temp\006.part Object is locked skipped
E:\emulekk2\Temp\007.part Object is locked skipped
E:\emulekk2\Temp\009.part Object is locked skipped
E:\emulekk2\Temp\011.part Object is locked skipped
E:\emulekk2\Temp\012.part Object is locked skipped
E:\emulekk2\Temp\013.part Object is locked skipped
E:\emulekk2\Temp\015.part Object is locked skipped
E:\emulekk2\Temp\016.part Object is locked skipped
E:\emulekk2\Temp\017.part Object is locked skipped
E:\emulekk2\Temp\018.part Object is locked skipped
E:\emulekk2\Temp\019.part Object is locked skipped
E:\emulekk2\Temp\020.part Object is locked skipped
E:\emulekk2\Temp\021.part Object is locked skipped
E:\emulekk2\Temp\022.part Object is locked skipped
E:\emulekk2\Temp\023.part Object is locked skipped
E:\emulekk2\Temp\024.part Object is locked skipped
E:\emulekk2\Temp\025.part Object is locked skipped
E:\emulekk2\Temp\026.part Object is locked skipped
E:\emulekk2\Temp\029.part Object is locked skipped
E:\programs\index.htm Infected: Trojan-Downloader.JS.Psyme.hz skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\utorrent\Uniblue RegistryBooster 2 - Serial+Keygen_rar.vir/Uniblue RegistryBooster 2 Keygen.exe Infected: Backdoor.Win32.Ciadoor.gn skipped
E:\utorrent\Uniblue RegistryBooster 2 - Serial+Keygen_rar.vir RAR: infected - 1 skipped
E:\utorrent\XoftSpySE 4.33 + Crack\XoftSpySE 4.33 Trial.exe/data.rar/01.exe/data.rar/msnmsg.exe Infected: Trojan-Downloader.Win32.Agent.cad skipped
E:\utorrent\XoftSpySE 4.33 + Crack\XoftSpySE 4.33 Trial.exe/data.rar/01.exe/data.rar/sallip.exe Infected: Trojan.Win32.Delf.agd skipped
E:\utorrent\XoftSpySE 4.33 + Crack\XoftSpySE 4.33 Trial.exe/data.rar/01.exe/data.rar Infected: Trojan.Win32.Delf.agd skipped
E:\utorrent\XoftSpySE 4.33 + Crack\XoftSpySE 4.33 Trial.exe/data.rar/01.exe Infected: Trojan.Win32.Delf.agd skipped
E:\utorrent\XoftSpySE 4.33 + Crack\XoftSpySE 4.33 Trial.exe/data.rar/bda.exe Infected: Trojan-Downloader.Win32.Agent.dmj skipped
E:\utorrent\XoftSpySE 4.33 + Crack\XoftSpySE 4.33 Trial.exe/data.rar Infected: Trojan-Downloader.Win32.Agent.dmj skipped
E:\utorrent\XoftSpySE 4.33 + Crack\XoftSpySE 4.33 Trial.exe RarSFX: infected - 6 skipped

Scan process completed.

-------------------------------------------------------------------

And the HijackThis log:

-------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:17:06 PM, on 10/21/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe
C:\Program Files\Eset\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\FlashGet\FlashGet.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\012Net\012Net-Cable dialer\fts.exe
C:\Program Files\Eset\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\mmdmm.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\HJT\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [%FP%012-L2TP FWPortal.exe] "C:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe" -no_dialog
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SoftPerfect Personal Firewall] C:\Program Files\SoftPerfect Personal Firewall\fw.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\FlashGet.exe /min
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [%FP%012-L2TP fts.exe] "C:\Program Files\012Net\012Net-Cable dialer\fts.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\Eset\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [mmsass] mmdmm.exe
O4 - HKLM\..\RunServices: [mmsass] mmdmm.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1220945662-2049760794-839522115-1003\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{22D6345F-E193-4DFD-8E01-EFE98D0168CB}: NameServer = 212.116.161.39 212.117.129.200
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\Eset\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - Eset - C:\Program Files\Eset\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NBService - Nero AG - E:\nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 6639 bytes

-------------------------------------------------------------


At the end, mmdmm.exe is still there :thumbsup:
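The two HijackThis logs in this thread differ in exactly the lines that matter: the later one gains `[mmsass] mmdmm.exe` under both `Run` and `RunServices`, with no path on the executable. Below is an added example (not part of this thread, and not a tool any of the posters used) that shows how a responder can triage those logs mechanically: it parses O4 (autostart) and O17 (DNS) lines, flags autostart entries whose command is a bare file name or that live in the Windows 9x-era `RunServices` key, and diffs two logs so that newly added persistence stands out. The sample input is a constructed excerpt of the two logs quoted above; the flag names, functions and the `AutostartEntry` class are this example's own.

```python
"""Triage HijackThis O4/O17 lines and diff two logs (illustrative example)."""
import re
from dataclasses import dataclass

# Constructed excerpts of the two HijackThis logs quoted in this thread
# (the 3:03 AM log, then the 3:17 PM log); only O4/O17 lines are kept.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\FlashGet.exe /min
O4 - HKLM\..\Run: [egui] "C:\Program Files\Eset\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O17 - HKLM\System\CCS\Services\Tcpip\..\{22D6345F-E193-4DFD-8E01-EFE98D0168CB}: NameServer = 212.117.129.5 212.116.161.38
"""

LOG_AFTER = r"""
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\FlashGet.exe /min
O4 - HKLM\..\Run: [egui] "C:\Program Files\Eset\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [mmsass] mmdmm.exe
O4 - HKLM\..\RunServices: [mmsass] mmdmm.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O17 - HKLM\System\CCS\Services\Tcpip\..\{22D6345F-E193-4DFD-8E01-EFE98D0168CB}: NameServer = 212.116.161.39 212.117.129.200
"""

# "O4 - <hive>\..\<key>: [<value name>] <command>" with an optional trailing "(User '...')"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '.*'\))?$")
O17_RE = re.compile(r"^O17 - .*: NameServer = (?P<servers>.+)$")
# Executable part of a command: either the quoted token or everything up to the first ".exe"
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)(?=\s|$)', re.IGNORECASE)
# RunServices/RunServicesOnce are Windows 9x-era keys that NT-based Windows does not process;
# legitimate XP software seldom writes them, so their presence is worth a closer look.
LEGACY_KEYS = {"RunServices", "RunServicesOnce"}


@dataclass(frozen=True)
class AutostartEntry:
    hive: str
    key: str
    name: str
    cmd: str

    @property
    def exe(self) -> str:
        m = EXE_RE.match(self.cmd)
        if m:
            return m.group(1) or m.group(2)
        return self.cmd.split()[0] if self.cmd else ""

    def findings(self) -> list:
        out = []
        if "\\" not in self.exe:
            # A bare name is resolved through the search path at logon, so the
            # analyst must confirm which file on disk actually gets executed.
            out.append("no-path")
        if self.key in LEGACY_KEYS:
            out.append("legacy-key")
        return out


def parse_log(text: str):
    """Return (autostart entries, DNS servers) found in a HijackThis log."""
    entries, nameservers = [], []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            entries.append(AutostartEntry(m["hive"], m["key"], m["name"], m["cmd"]))
            continue
        m = O17_RE.match(line)
        if m:
            nameservers.extend(m["servers"].split())
    return entries, nameservers


def triage(text: str) -> dict:
    """Map each suspicious autostart entry to the reasons it was flagged."""
    entries, _ = parse_log(text)
    return {e: e.findings() for e in entries if e.findings()}


def diff_logs(before: str, after: str) -> dict:
    """Autostart entries added/removed between two logs, plus whether DNS changed."""
    eb, nb = parse_log(before)
    ea, na = parse_log(after)
    return {
        "added": [e for e in ea if e not in eb],
        "removed": [e for e in eb if e not in ea],
        "nameserver_changed": nb != na,
    }


if __name__ == "__main__":
    d = diff_logs(LOG_BEFORE, LOG_AFTER)
    for e in d["added"]:
        print(f"NEW  {e.hive}\\..\\{e.key} [{e.name}] -> {e.exe}  flags={e.findings()}")
    for e in d["removed"]:
        print(f"GONE {e.hive}\\..\\{e.key} [{e.name}]")
    if d["nameserver_changed"]:
        print("DNS servers changed between logs; confirm they belong to the ISP")
```

Run against the excerpts, the diff reports three new entries: the two `mmsass` values (both flagged `no-path`, the `RunServices` one additionally `legacy-key`) and the user's own freshly installed SUPERAntiSpyware, which a human still has to recognise as benign. The Logitech `KHALMNPR.EXE` entry is flagged `no-path` in both logs; that is a true finding that the analyst resolves by checking which file the name maps to, exactly the verification the thread's helper asks for with the changed DNS servers.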

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 21 October 2007 - 09:10 AM

Delete the entire contents of this cache:
C:\Documents and Settings\sergey\Application Data\Sun\Java\Deployment\cache

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths inside the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\QooBox
E:\programs\index.htm
C:\WINDOWS\System32\mmdmm.exe
C:\WINDOWS\system32\wbspark.dll
E:\backups\backup-20070825-155048-627.dll
E:\utorrent\Uniblue RegistryBooster 2 - Serial+Keygen_rar.vir
E:\utorrent\Uniblue RegistryBooster 2 - Serial+Keygen_rar.vir RAR
E:\utorrent\XoftSpySE 4.33 + Crack

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.

Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.


Please run the F-Secure online virus/spyware scan using Internet Explorer:
http://support.f-secure.com/enu/home/ols.shtml
Follow the directions in the F-Secure page for proper Installation.
Accept the License Agreement.
Once the ActiveX installs, click ‘Custom Scan’ and be sure the following are checked:
1.Scan whole System
2.Scan all files
3.Scan whole system for rootkits
4.Scan whole system for spyware
5.Scan inside archives
6.Use advanced heuristics
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the ‘I want to decide item by item’ button.
For each item found, select ‘Disinfect’ and click ‘Next’.
Click the ‘Show Report’ button, then copy and paste the entire report into your next reply.

Also post a new HijackThis log.

#9 sexecutioner

sexecutioner
  • Topic Starter

  • Members
  • 7 posts

Posted 21 October 2007 - 01:10 PM

Deleted the cache.

Here are the OTMoveIt results:

-----------------------------------------
File/Folder C:\QooBox not found.
File/Folder E:\programs\index.htm not found.
C:\WINDOWS\System32\mmdmm.exe moved successfully.
File/Folder C:\WINDOWS\system32\wbspark.dll not found.
File/Folder E:\backups\backup-20070825-155048-627.dll not found.
File/Folder E:\utorrent\Uniblue RegistryBooster 2 - Serial+Keygen_rar.vir not found.
File/Folder E:\utorrent\Uniblue RegistryBooster 2 - Serial+Keygen_rar.vir RAR not found.
File/Folder E:\utorrent\XoftSpySE 4.33 + Crack not found.

Created on 10/21/2007 20:09:14

---------------------------------------------


Here is the F-Secure report:

---------------------------------------------

Scanning Report
Sunday, October 21, 2007 16:38:39 - 20:08:44

Computer name: SERGEY-GB7TWSV8
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\ E:\
Result: 21 malware found
Backdoor.Win32.Ciadoor.gn (virus)

* C:\_OTMoveIt\MovedFiles\utorrent\Uniblue RegistryBooster 2 - Serial+Keygen_rar.vir\Uniblue RegistryBooster 2 Keygen.exe

SDBot.gen8 (virus)

* C:\WINDOWS\system\msnrav.exe
* C:\WINDOWS\system32\fu1.exe (Submitted)

Suspicious_Y.gen (virus)

* C:\Program Files\CRS-MegaDev\MegaTrainer XL\MegaTrainerXL.exe (Submitted)

Text/BotFTP.gen (virus)

* C:\SDFix\backups_old1\backups.zip\backups\i
* C:\SDFix\backups_old2\backups.zip\backups\i
* C:\WINDOWS\system32\i (Submitted)

Tracking Cookie (spyware)

* System (Disinfected)

Trojan-Downloader.JS.Psyme.hz (virus)

* C:\_OTMoveIt\MovedFiles\programs\index.htm (Renamed & Submitted)

Trojan-Downloader.Win32.Agent.dto (virus)

* C:\_OTMoveIt\MovedFiles\backups\backup-20070825-155048-627.dll (Renamed & Submitted)

Trojan-Downloader.Win32.VB.bmv (virus)

* C:\_OTMoveIt\MovedFiles\QooBox\Quarantine\C\WINDOWS\rdrive\aff.exe.vir (Renamed & Submitted)
* C:\_OTMoveIt\MovedFiles\QooBox\Quarantine\C\WINDOWS\rdrive\apm.exe.vir (Renamed & Submitted)

Trojan-Dropper.Win32.Agent.azv (virus)

* C:\_OTMoveIt\MovedFiles\WINDOWS\System32\wbspark.dll (Renamed & Submitted)

W32/Downloader.FZC.dropper (virus)

* D:\Programs\stopzilla\STOPzilla_Setup.exe (Submitted)
* E:\programs\STOPzilla_Setup.exe (Submitted)

W32/Ircbot.dam (virus)

* C:\_OTMoveIt\MovedFiles\QooBox\Quarantine\C\WINDOWS\system32\ycmhspa.exe.vir (Submitted)
* C:\SDFix\backups_old1\backups.zip\backups\TFTP1448

W32/Keylog.CGA (virus)

* E:\SETTLERS.2.TNG.VIKING.PLUS1TRN.JUST4FUN.ZIP\j4f_s2dng_wikinger_trn.exe

W32/Malware.QWN (virus)

* E:\195a182a2ce11791d82d8cb5f9868c5c3fb.zip\CoCsoft.StreamDown.v5.9-ENGiNE\Crack\cocsoft.stream.down.v.5.9_Crk.exe
* E:\cocsoftstreamdownv5.9crackengine.zip\CoCsoft.StreamDown.v5.9-ENGiNE\Crack\cocsoft.stream.down.v.5.9_Crk.exe

Win32.Backdoor.SDBot (spyware)

* System (Disinfected)

Statistics
Scanned:

* Files: 192235
* System: 4206
* Not scanned: 87

Actions:

* Disinfected: 2
* Renamed: 5
* Deleted: 0
* None: 14
* Submitted: 11

Files not scanned:

xz�?�

Options
Scanning engines:

* F-Secure Libra: 2.4.2, 2007-10-19
* F-Secure AVP: 7.0.171, 2007-10-21
* F-Secure Orion: 1.2.37, 2007-10-19
* F-Secure Blacklight: 1.0.64
* F-Secure Draco: 1.0.35, 0597-150-72
* F-Secure Pegasus: 1.19.0, 2007-09-18

Scanning options:

* Scan all files
* Scan inside archives
* Use Advanced heuristics
---------------------------------------------------------

Here is the HijackThis log


---------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:12:09 PM, on 10/21/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\FlashGet\FlashGet.exe
C:\Program Files\Eset\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\012Net\012Net-Cable dialer\fts.exe
C:\Program Files\Eset\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system\msnrav.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\System32\PnkBstrA.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\sergey\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe
C:\DOCUME~1\sergey\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe
C:\Program Files\VentriloMIX\Ventrilo 2.3.0.exe
C:\Program Files\ICQ6\ICQ.exe
E:\emulekk2\emule.exe
C:\Documents and Settings\sergey\Desktop\OTMoveIt.exe
C:\HJT\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [%FP%012-L2TP FWPortal.exe] "C:\Program Files\012Net\012Net-Cable dialer\FWPortal.exe" -no_dialog
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SoftPerfect Personal Firewall] C:\Program Files\SoftPerfect Personal Firewall\fw.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\FlashGet.exe /min
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [%FP%012-L2TP fts.exe] "C:\Program Files\012Net\012Net-Cable dialer\fts.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\Eset\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [mmsass] mmdmm.exe
O4 - HKLM\..\RunServices: [mmsass] mmdmm.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1220945662-2049760794-839522115-1003\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{22D6345F-E193-4DFD-8E01-EFE98D0168CB}: NameServer = 84.95.14.250 212.116.161.40
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\Eset\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - Eset - C:\Program Files\Eset\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NBService - Nero AG - E:\nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 6944 bytes
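The two O4 lines that matter in the log above are the `[mmsass] mmdmm.exe` entries: the value is a bare filename with no path, and it is registered under both `Run` and the legacy `RunServices` key. The following is an added example, not a BleepingComputer or HijackThis tool, that parses O4 lines from a HijackThis log and flags exactly those properties. The sample input is a constructed subset of the log above; the regular expression and the triage rules are this example's own assumptions about the O4 line format, not anything HijackThis documents. A bare-filename flag is a cue to go and find the file on disk, not a verdict: the Logitech `KHALMNPR.EXE` entry is also registered without a path and is flagged on the same rule.

```python
"""Triage HijackThis O4 autostart lines for the pattern seen in the posted log:
a bare filename (no directory) and use of the legacy RunServices key.
Added example; assumes the O4 line format shown in the log, nothing more."""
import re
from collections import defaultdict

# Constructed sample: a subset of the O4 lines from the posted log.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\Eset\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [mmsass] mmdmm.exe
O4 - HKLM\..\RunServices: [mmsass] mmdmm.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
"""

# Assumed O4 layout: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(
    r'^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')

# Win9x-era autostart keys; legitimate XP software almost never uses them.
LEGACY_KEYS = {"RunServices", "RunServicesOnce"}


def parse_o4(text):
    """Return one dict per O4 line: hive, key, value name, and the executable
    token of the command line (quoted path or first whitespace-delimited word)."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd")
        if cmd.startswith('"'):
            end = cmd.find('"', 1)
            exe = cmd[1:end] if end > 0 else cmd[1:]
        else:
            parts = cmd.split()
            exe = parts[0] if parts else ""
        entries.append({"hive": m.group("hive"), "key": m.group("key"),
                        "name": m.group("name"), "exe": exe})
    return entries


def triage(text):
    """Flag entries worth a closer look and say why. Flags are cues for the
    analyst, not verdicts: a bare filename may still be legitimate software."""
    entries = parse_o4(text)
    keys_by_name = defaultdict(set)
    for e in entries:
        keys_by_name[e["name"]].add(e["key"])

    findings = []
    for e in entries:
        reasons = []
        if "\\" not in e["exe"]:
            reasons.append("bare filename: resolved through the loader's search "
                           "path, so locate the file on disk before trusting it")
        if e["key"] in LEGACY_KEYS:
            reasons.append("legacy RunServices key: rarely used by legitimate "
                           "software on Windows XP")
        if keys_by_name[e["name"]] & {"Run"} and keys_by_name[e["name"]] & LEGACY_KEYS:
            reasons.append("same value name registered under both Run and RunServices")
        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_O4):
        print(f"{f['hive']}\\..\\{f['key']} [{f['name']}] -> {f['exe']}")
        for r in f["reasons"]:
            print("    -", r)
```

Run against the sample, the script reports the two `mmsass` entries (the `RunServices` one with all three reasons) and the Logitech entry with the bare-filename reason only; the fully pathed NVIDIA, ESET and ctfmon entries are not reported.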

#10 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 21 October 2007 - 02:31 PM

You have a Backdoor Trojan present on your PC.
A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.

They are typically installed without user interaction through security exploits, and may allow an attacker to remotely control the infected machine. Such risks may allow the attacker to install additional malware and use the compromised machine to participate in denial of service attacks, spamming, and botnets, or to transmit sensitive data to a remote server. The malware may be cloaked and not visible to the user. These risks severely compromise the system by lowering security settings, installing 'backdoors', infecting system files, or spreading to other networked machines.

If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately, including those used for email, eBay and forums.
You should consider them to be compromised.
They should be changed by using a different computer and not the infected one; if not, an attacker may get the new passwords and transaction information.
Banking and credit card institutions should be notified of the possible security breach.

Since your computer was compromised, read:
How to report ID theft, fraud, drive-by installs, hijacking and malware:
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall:
http://www.dslreports.com/faq/10063

Let me know what you want to do in your next reply. Even when we've finished, I cannot guarantee your PC to be 100% safe.

#11 sexecutioner
  • Topic Starter
  • Members
  • 7 posts

Posted 21 October 2007 - 02:48 PM

As I understand it, I have to format and reinstall Windows
to be sure that my PC is clean.

In that case, is it OK if I format just the partition with the operating system on it,
or do I have to format all the hard drives and partitions?

Thanks for all the help, Richie, I appreciate it :D

#12 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 21 October 2007 - 02:58 PM

In that case, is it OK if I format just the partition with the operating system on it,
or do I have to format all the hard drives and partitions?

I realise it's going to mean a lot of work, but I personally would format all hard drives and partitions, just to be sure.

#13 sexecutioner
  • Topic Starter
  • Members
  • 7 posts

Posted 21 October 2007 - 03:01 PM

Well then, guess I am screwed.

Thanks again for all the help, Richie :thumbsup:

#14 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 21 October 2007 - 03:31 PM

You're welcome and hope all goes well.

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.