
Privacy_danger Removal


  • This topic is locked
3 replies to this topic

#1 Shredder71

Posted 23 December 2007 - 01:42 AM

I read through and followed the advice given to archiebrown. I didn't want to piggyback on his thread, so I started a new one. Can someone review my log and make sure all is clear? Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:39:15 PM, on 12/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\IZArc\IZArc.exe
C:\Documents and Settings\Raymond Guillory\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: The retnsrp - {941FB260-9D22-480E-84D6-10DB7849180E} - C:\WINDOWS\retnsrp.dll (file missing)
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [SpybotDeletingA7863] command /c del "C:\WINDOWS\leorop.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9854] cmd /c del "C:\WINDOWS\leorop.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3575] command /c del "C:\WINDOWS\leorop.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4087] cmd /c del "C:\WINDOWS\leorop.dll_old"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB3795] command /c del "C:\WINDOWS\leorop.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5011] cmd /c del "C:\WINDOWS\leorop.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8091] command /c del "C:\WINDOWS\leorop.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2767] cmd /c del "C:\WINDOWS\leorop.dll_old"
O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Raymond Guillory\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://xiah.gamescampus.com/luncher/GamesCampus.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O21 - SSODL: leorop - {E7DC5819-00BA-43EC-841A-69D7D6B30170} - (no file)
O21 - SSODL: nopzet - {CDE2403E-3DBA-4A90-8CC9-C47151F49980} - (no file)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 7545 bytes



#2 Shredder71

Posted 23 December 2007 - 01:53 AM

SDFix: Version 1.119

Run by Administrator on Sat 12/22/2007 at 09:27 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\jokvip.exe - Deleted
C:\WINDOWS\nopzet.dll - Deleted




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-22 21:36:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Documents and Settings\\Raymond Guillory\\Local Settings\\Temp\\nso16.tmp\\utorrent.exe"="C:\\Documents and Settings\\Raymond Guillory\\Local Settings\\Temp\\nso16.tmp\\utorrent.exe:*:Enabled:ęTorrent"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"



ComboFix 07-12-23.1 - Raymond Guillory 2007-12-22 21:50:29.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.488 [GMT -8:00]
Running from: C:\Documents and Settings\Raymond Guillory\Local Settings\Temporary Internet Files\Content.IE5\P0JYVJXF\ComboFix[1].exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Raymond Guillory\Favorites\Error Cleaner.url
C:\Documents and Settings\Raymond Guillory\Favorites\Privacy Protector.url
C:\Documents and Settings\Raymond Guillory\Favorites\Spyware&Malware Protection.url
C:\WINDOWS\system32\launcher.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-23 to 2007-12-23 )))))))))))))))))))))))))))))))
.

2007-12-22 21:26 . 2007-12-22 21:26 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-21 21:57 . 2007-12-21 21:57 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\CyberLink
2007-12-14 04:31 . 2007-12-14 07:16 131 --a------ C:\WINDOWS\wininit.ini
2007-12-14 03:50 . 2007-12-14 04:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-13 19:25 . 2007-12-13 19:29 <DIR> d-------- C:\Program Files\SmartVideoCodec
2007-12-11 03:00 . 2007-12-11 03:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-09 22:19 . 2007-12-09 22:24 <DIR> d-------- C:\Documents and Settings\Raymond Guillory\Application Data\DivX
2007-12-09 19:49 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2007-12-09 19:39 . 2007-12-09 19:39 <DIR> d-------- C:\Documents and Settings\Raymond Guillory\Application Data\CyberLink
2007-12-09 19:39 . 2007-12-09 19:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2007-12-09 19:38 . 2006-06-04 15:48 1,060,864 --------- C:\WINDOWS\system32\MFC71.dll
2007-12-09 19:38 . 2006-06-04 15:48 1,047,552 --------- C:\WINDOWS\system32\MFC71u.dll
2007-12-09 19:38 . 2006-06-04 15:48 499,712 --------- C:\WINDOWS\system32\msvcp71.dll
2007-12-09 19:38 . 2006-06-04 15:48 348,160 --------- C:\WINDOWS\system32\msvcr71.dll
2007-12-09 19:38 . 2006-06-04 15:48 89,088 --------- C:\WINDOWS\system32\atl71.dll
2007-12-09 19:38 . 2006-06-04 15:48 82,432 --a------ C:\WINDOWS\system32\msxml4r.dll
2007-12-09 19:38 . 2006-06-04 15:48 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2007-12-09 19:36 . 2007-12-09 19:36 <DIR> d-------- C:\Program Files\Digital Photo Navigator 1.5
2007-12-09 19:36 . 2007-12-09 19:50 <DIR> d-------- C:\Program Files\CyberLink
2007-12-09 19:36 . 2007-12-22 04:51 <DIR> d-------- C:\MyWorks
2007-12-09 19:31 . 2000-03-29 16:18 139,264 --a------ C:\WINDOWS\system32\Mpeg2Decoder.ax
2007-12-09 19:26 . 2007-12-09 19:26 <DIR> d-------- C:\Program Files\Xvid
2007-12-09 19:26 . 2007-06-28 18:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-12-09 19:26 . 2007-06-28 18:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-12-09 19:26 . 2007-06-28 18:55 77,824 --a------ C:\WINDOWS\system32\xvid.ax
2007-12-09 19:20 . 2007-12-09 19:20 <DIR> d-------- C:\Program Files\AC3Filter
2007-12-09 12:16 . 2007-12-09 12:16 <DIR> d-------- C:\Documents and Settings\Raymond Guillory\Application Data\Pegasys Inc
2007-12-08 23:05 . 2007-12-08 23:38 <DIR> d-------- C:\Documents and Settings\Raymond Guillory\Shared
2007-12-08 23:05 . 2007-12-08 23:50 <DIR> d-------- C:\Documents and Settings\Raymond Guillory\Incomplete
2007-12-08 23:05 . 2007-12-08 23:50 <DIR> d-------- C:\Documents and Settings\Raymond Guillory\Application Data\LimeWire
2007-12-08 23:05 . 2007-07-12 02:22 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-03 17:33 . 2007-12-03 17:33 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-12-03 17:33 . 2007-12-03 17:33 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-12-03 17:33 . 2007-12-03 17:33 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-12-03 17:33 . 2007-12-03 17:33 682,496 --a------ C:\WINDOWS\system32\DivX.dll
2007-12-03 17:33 . 2007-12-03 17:33 630,784 --a------ C:\WINDOWS\system32\divxdec.ax
2007-11-29 14:30 . 2007-11-29 14:30 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 14:30 . 2007-11-29 14:30 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-11-29 14:30 . 2007-11-29 14:30 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-11-29 14:30 . 2007-11-29 14:30 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-11-29 14:30 . 2007-11-29 14:30 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2007-11-29 14:28 . 2007-11-29 14:28 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-11-29 14:28 . 2007-11-29 14:28 81,920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-11-29 14:28 . 2007-11-29 14:28 416 --a------ C:\WINDOWS\system32\dtu100.dll.manifest
2007-11-29 14:28 . 2007-11-29 14:28 416 --a------ C:\WINDOWS\system32\dpl100.dll.manifest
2007-11-28 13:55 . 2007-11-28 13:55 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-11-28 13:53 . 2007-11-28 13:53 593,920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-11-28 13:53 . 2007-11-28 13:53 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax
2007-11-28 13:53 . 2007-11-28 13:53 344,064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-11-28 13:53 . 2007-11-28 13:53 294,912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-11-28 13:53 . 2007-11-28 13:53 294,912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-11-28 13:53 . 2007-11-28 13:53 57,344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-11-28 13:53 . 2007-11-28 13:53 53,248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-11-28 13:52 . 2007-11-28 13:52 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-23 05:45 --------- d-----w C:\Documents and Settings\Raymond Guillory\Application Data\IMVU
2007-12-23 04:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-10 06:18 --------- d-----w C:\Program Files\DivX
2007-12-10 03:49 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-10 03:36 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-09 07:05 --------- d-----w C:\Program Files\Java
2007-12-07 12:20 --------- d-----w C:\Program Files\Amazing Photo Editor
2007-11-29 22:30 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-11-29 22:30 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-11-29 22:30 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-11-29 22:30 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-11-29 22:30 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-11-29 22:30 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-11-22 00:37 --------- d-----w C:\Program Files\McAfee
2007-11-17 21:28 --------- d-----w C:\Program Files\Realtek Sound Manager
2007-11-17 21:28 --------- d-----w C:\Program Files\Realtek AC97
2007-11-17 21:28 --------- d-----w C:\Program Files\AvRack
2007-11-15 22:04 --------- d-----w C:\Program Files\Red Stone
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 18:59 --------- d-----w C:\Documents and Settings\Raymond Guillory\Application Data\Yahoo!
2007-11-12 18:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-12 18:51 --------- d-----w C:\Program Files\Yahoo!
2007-11-12 18:36 --------- d-----w C:\Program Files\Knight Online
2007-11-12 02:41 --------- d-----w C:\Program Files\Darkeden
2007-11-11 23:20 --------- d-----w C:\Documents and Settings\Raymond Guillory\Application Data\uTorrent
2007-11-11 21:28 --------- d-----w C:\Program Files\IMVU
2007-11-09 02:59 --------- d-----w C:\Program Files\Codemasters
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 03:36 --------- d-----w C:\Program Files\Common Files\Java
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-26 02:22 --------- d-----w C:\Program Files\IZArc
2007-10-25 04:22 --------- d-----w C:\Program Files\Phoenix Dynasty Online
2007-10-11 23:47 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
2007-10-06 06:42 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-10-06 06:42 413,696 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2007-07-20 08:19 855,886 ----a-w C:\Program Files\AUG2007_d3dx10_35_x64.cab
2007-07-20 08:19 800,467 ----a-w C:\Program Files\AUG2007_d3dx10_35_x86.cab
2007-07-20 08:19 1,803,760 ----a-w C:\Program Files\AUG2007_d3dx9_35_x64.cab
2007-07-20 08:18 44,684 ----a-w C:\Program Files\dxdllreg_x86.cab
2007-07-20 08:18 201,696 ----a-w C:\Program Files\AUG2007_XACT_x64.cab
2007-07-20 08:18 156,612 ----a-w C:\Program Files\AUG2007_XACT_x86.cab
2007-07-20 08:18 1,711,752 ----a-w C:\Program Files\AUG2007_d3dx9_35_x86.cab
2007-07-20 07:48 976,020 ------w C:\Program Files\BDAXP.cab
2007-07-20 07:48 917,318 ------w C:\Program Files\Apr2006_MDX1_x86.cab
2007-07-20 07:48 88,102 ------w C:\Program Files\AUG2006_xinput_x64.cab
2007-07-20 07:48 87,989 ------w C:\Program Files\Apr2006_xinput_x64.cab
2007-07-20 07:48 86,925 ------w C:\Program Files\Oct2005_xinput_x64.cab
2007-07-20 07:48 86,709 ----a-w C:\Program Files\dxupdate.cab
2007-07-20 07:48 77,160 ----a-w C:\Program Files\DSETUP.dll
2007-07-20 07:48 702,644 ------w C:\Program Files\JUN2007_d3dx10_34_x64.cab
2007-07-20 07:48 702,212 ------w C:\Program Files\APR2007_d3dx10_33_x64.cab
2007-07-20 07:48 702,072 ------w C:\Program Files\JUN2007_d3dx10_34_x86.cab
2007-07-20 07:48 699,465 ------w C:\Program Files\APR2007_d3dx10_33_x86.cab
2007-07-20 07:48 56,902 ------w C:\Program Files\APR2007_xinput_x86.cab
2007-07-20 07:48 503,144 ----a-w C:\Program Files\DXSETUP.exe
2007-07-20 07:48 47,018 ------w C:\Program Files\AUG2006_xinput_x86.cab
2007-07-20 07:48 46,898 ------w C:\Program Files\Apr2006_xinput_x86.cab
2007-07-20 07:48 46,247 ------w C:\Program Files\Oct2005_xinput_x86.cab
2007-07-20 07:48 4,163,518 ------w C:\Program Files\Apr2006_MDX1_x86_Archive.cab
2007-07-20 07:48 213,767 ------w C:\Program Files\DEC2006_d3dx10_00_x64.cab
2007-07-20 07:48 200,722 ------w C:\Program Files\JUN2007_XACT_x64.cab
2007-07-20 07:48 199,366 ------w C:\Program Files\APR2007_XACT_x64.cab
2007-07-20 07:48 198,275 ------w C:\Program Files\FEB2007_XACT_x64.cab
2007-07-20 07:48 193,435 ------w C:\Program Files\DEC2006_XACT_x64.cab
2007-07-20 07:48 192,680 ------w C:\Program Files\DEC2006_d3dx10_00_x86.cab
2007-07-20 07:48 183,863 ------w C:\Program Files\AUG2006_XACT_x64.cab
2007-07-20 07:48 183,321 ------w C:\Program Files\OCT2006_XACT_x64.cab
2007-07-20 07:48 181,745 ------w C:\Program Files\JUN2006_XACT_x64.cab
2007-07-20 07:48 180,021 ------w C:\Program Files\Apr2006_XACT_x64.cab
2007-07-20 07:48 179,247 ------w C:\Program Files\Feb2006_XACT_x64.cab
2007-07-20 07:48 156,509 ------w C:\Program Files\JUN2007_XACT_x86.cab
2007-07-20 07:48 154,825 ------w C:\Program Files\APR2007_XACT_x86.cab
2007-07-20 07:48 151,583 ------w C:\Program Files\FEB2007_XACT_x86.cab
2007-07-20 07:48 146,559 ------w C:\Program Files\DEC2006_XACT_x86.cab
2007-07-20 07:48 138,977 ------w C:\Program Files\OCT2006_XACT_x86.cab
2007-07-20 07:48 138,195 ------w C:\Program Files\AUG2006_XACT_x86.cab
2007-07-20 07:48 134,631 ------w C:\Program Files\JUN2006_XACT_x86.cab
2007-07-20 07:48 133,991 ------w C:\Program Files\Apr2006_XACT_x86.cab
2007-07-20 07:48 133,297 ------w C:\Program Files\Feb2006_XACT_x86.cab
2007-07-20 07:48 13,265,040 ------w C:\Program Files\dxnt.cab
2007-07-20 07:48 100,417 ------w C:\Program Files\APR2007_xinput_x64.cab
2007-07-20 07:48 1,673,576 ----a-w C:\Program Files\dsetup32.dll
2007-07-20 07:48 1,611,374 ------w C:\Program Files\JUN2007_d3dx9_34_x64.cab
2007-07-20 07:48 1,610,958 ------w C:\Program Files\APR2007_d3dx9_33_x64.cab
2007-07-20 07:48 1,610,886 ------w C:\Program Files\JUN2007_d3dx9_34_x86.cab
2007-07-20 07:48 1,609,639 ------w C:\Program Files\APR2007_d3dx9_33_x86.cab
2007-07-20 07:48 1,575,336 ------w C:\Program Files\DEC2006_d3dx9_32_x86.cab
2007-07-20 07:48 1,572,114 ------w C:\Program Files\DEC2006_d3dx9_32_x64.cab
2007-07-20 07:48 1,413,862 ------w C:\Program Files\OCT2006_d3dx9_31_x64.cab
2007-07-20 07:48 1,398,718 ------w C:\Program Files\Apr2006_d3dx9_30_x64.cab
2007-07-20 07:48 1,363,684 ------w C:\Program Files\Feb2006_d3dx9_29_x64.cab
2007-07-20 07:48 1,358,864 ------w C:\Program Files\Dec2005_d3dx9_28_x64.cab
2007-07-20 07:48 1,351,430 ------w C:\Program Files\Aug2005_d3dx9_27_x64.cab
2007-07-20 07:48 1,348,242 ------w C:\Program Files\Apr2005_d3dx9_25_x64.cab
2007-07-20 07:48 1,336,890 ------w C:\Program Files\Jun2005_d3dx9_26_x64.cab
2007-07-20 07:48 1,248,387 ------w C:\Program Files\Feb2005_d3dx9_24_x64.cab
2007-07-20 07:48 1,156,363 ------w C:\Program Files\BDANT.cab
2007-07-20 07:48 1,128,177 ------w C:\Program Files\OCT2006_d3dx9_31_x86.cab
2007-07-20 07:48 1,116,109 ------w C:\Program Files\Apr2006_d3dx9_30_x86.cab
2007-07-20 07:48 1,085,608 ------w C:\Program Files\Feb2006_d3dx9_29_x86.cab
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88}
{941FB260-9D22-480E-84D6-10DB7849180E}

[HKEY_CLASSES_ROOT\clsid\{941fb260-9d22-480e-84d6-10db7849180e}]
[HKEY_CLASSES_ROOT\retnsrp.ToolBar.1]
[HKEY_CLASSES_ROOT\TypeLib\{A0AEBF0A-F3F0-417C-A8AE-162361E6425F}]
[HKEY_CLASSES_ROOT\retnsrp.ToolBar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-09-29 12:22]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB3795"="command /c del C:\WINDOWS\leorop.dll_old" []
"SpybotDeletingD5011"="cmd /c del C:\WINDOWS\leorop.dll_old" []
"SpybotDeletingB8091"="command /c del C:\WINDOWS\leorop.dll_old" []
"SpybotDeletingD2767"="cmd /c del C:\WINDOWS\leorop.dll_old" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-07 19:33 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-03-11 09:33 C:\WINDOWS\system32\VTTrayp.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"C-Media Mixer"="Mixer.exe" [2002-10-15 18:00 C:\WINDOWS\mixer.exe]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingA7863"="command /c del C:\WINDOWS\leorop.dll_old" []
"SpybotDeletingC9854"="cmd /c del C:\WINDOWS\leorop.dll_old" []
"SpybotDeletingA3575"="command /c del C:\WINDOWS\leorop.dll_old" []
"SpybotDeletingC4087"="cmd /c del C:\WINDOWS\leorop.dll_old" []

C:\Documents and Settings\Raymond Guillory\Start Menu\Programs\Startup\
IMVU.lnk - C:\Program Files\IMVU\IMVUClient.exe [2007-11-05 11:43:24]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2006-12-20 06:00]
S3 XDva039;XDva039;C:\WINDOWS\system32\XDva039.sys []
S3 XDva041;XDva041;C:\WINDOWS\system32\XDva041.sys []

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-12-15 09:24:34 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2007-12-01 09:00:03 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-22 21:51:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-22 21:52:15
.
2007-12-20 11:00:48 --- E O F ---

#3 SNOWHITE


Posted 23 December 2007 - 03:20 AM

Hello Shredder71 and welcome to BC :thumbsup:

My name is SNOWHITE and I will be helping you with your Malware problem.

Please follow the steps below exactly in the order they are written:

Step #1


While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
Step #2

Please re-open HiJackThis and click on "Do a system scan only". Check the boxes next to all the entries listed below.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
O3 - Toolbar: The retnsrp - {941FB260-9D22-480E-84D6-10DB7849180E} - C:\WINDOWS\retnsrp.dll (file missing)
O21 - SSODL: leorop - {E7DC5819-00BA-43EC-841A-69D7D6B30170} - (no file)
O21 - SSODL: nopzet - {CDE2403E-3DBA-4A90-8CC9-C47151F49980} - (no file)
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Step #3

- Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
    http://www.ewido.net/en/download/
    • Install AVG Anti-Spyware by double clicking the installer.
    • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
    • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

- Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Log in to your usual account.
- Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

- Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.


Step #4

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
Note: If you don't have HijackThis installed on your computer, DSS will prompt you to download and install it for you; please allow this to happen!

In your next post please include the following reports:
  • AVG Anti-Spyware report
  • dss scan reports main.txt and extra.txt
Let me know how things went.

Regards,
SNOWHITE

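To show the triage behind Step #2 above as working code: the Python below is an added example written for this page, not a tool from the thread, from Trend Micro or from the helper. The sample lines are copied from the HijackThis log posted in the first reply, and the rules it applies (an orphaned "(file missing)" or "(no file)" entry, any O21 SSODL entry, an O24 desktop component served from a local file, and an R0 start page that is not one of a short list of stock IE defaults) are the editor's own heuristics, not HijackThis's; the list of default home pages is an assumption.

```python
"""Triage a HijackThis 2.x log: flag the entry types a helper would tell the
user to 'Fix checked'. Added example, not part of the original thread."""
import re

# Start pages a stock XP / IE7 install might carry. Assumption: this list is
# the editor's; anything else on an R0/R1 line is worth a second look.
KNOWN_HOME_PAGES = (
    "about:blank",
    "http://www.msn.com/",
    "http://go.microsoft.com/fwlink/?LinkId=69157",
)

# Sections that have no business existing on most home PCs.
# O21 = ShellServiceObjectDelayLoad: a DLL loaded into explorer.exe at logon.
SUSPICIOUS_SECTIONS = {"O21"}

# Sample lines constructed from the HijackThis log posted in this thread.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\\Program Files\\Yahoo!\\Companion\\Installs\\cpn\\yt.dll
O3 - Toolbar: The retnsrp - {941FB260-9D22-480E-84D6-10DB7849180E} - C:\\WINDOWS\\retnsrp.dll (file missing)
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O21 - SSODL: leorop - {E7DC5819-00BA-43EC-841A-69D7D6B30170} - (no file)
O21 - SSODL: nopzet - {CDE2403E-3DBA-4A90-8CC9-C47151F49980} - (no file)
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\\PROGRA~1\\McAfee\\VIRUSS~1\\mcshield.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\\WINDOWS\\privacy_danger\\index.htm
"""

# HijackThis entry: a section tag (R0, O2, O21, ...) then " - " then the body.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")


def triage_line(line):
    """Return a short reason if this log line should be fixed, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    lowered = body.lower()

    # 1. Dangling registration: the DLL/EXE is gone but the hook remains.
    #    Legitimate software uninstalls its hooks; leftovers point at a
    #    half-removed infection (or a file still hidden from the scanner).
    if "(file missing)" in lowered or "(no file)" in lowered:
        return "orphaned entry (file missing / no file)"
    # 2. Shell Service Object Delay Load: classic explorer.exe injection point.
    if section in SUSPICIOUS_SECTIONS:
        return "SSODL entry"
    # 3. Active Desktop component served from a local file, e.g. a fake
    #    "your privacy is in danger" wallpaper pushed by rogue security software.
    if section == "O24" and "file:///" in lowered:
        return "desktop component loaded from local file"
    # 4. Home/search page redirected somewhere that is not a stock default.
    if section in ("R0", "R1") and "=" in body:
        url = body.split("=", 1)[1].strip()
        if url and url not in KNOWN_HOME_PAGES:
            return "start/search page not a known default: " + url
    return None


def triage_log(text):
    """Return [(line, reason)] for every flagged entry, in log order."""
    hits = []
    for line in text.splitlines():
        reason = triage_line(line)
        if reason:
            hits.append((line.strip(), reason))
    return hits


if __name__ == "__main__":
    for flagged, why in triage_log(SAMPLE_LOG):
        print(f"{why:55} {flagged}")
```

Run against the sample, the script flags exactly the five lines the helper lists in Step #2 (the R0 start page, the orphaned retnsrp toolbar, both SSODL entries and the privacy_danger desktop component) and leaves the Spybot, Yahoo, ctfmon and McAfee entries alone. The point of the heuristics is not that they are exhaustive but that each matches a specific persistence or hijack mechanism, so a hit tells you what to look for next (the DLL that was deleted, the HTML file under C:\WINDOWS, the registry value that set the start page).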
#4 SNOWHITE


Posted 04 January 2008 - 08:46 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

Thank you :thumbsup:
SNOWHITE