
Problem With Delnew.exe And Locop.exe


57 replies to this topic

#1 kaido

Posted 23 December 2007 - 09:19 PM

Here's my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:18:21, on 24.12.2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\svshost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system\nadlocop.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ftp.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.reporter.ee/
F3 - REG:win.ini: load=C:\WINDOWS\System32\ddayx.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [ocxloader .exe] C:\WINDOWS\System32\ocxloader .exe
O4 - HKLM\..\Run: [ocxloader .exe] C:\WINDOWS\System32\ocxloader .exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1078081533-1343024091-1801674531-1003\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v8.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0293C35-6A3A-423B-9411-E14FEF5C4837}: NameServer = 192.168.0.1
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 3035 bytes

#2 kaido

Posted 23 December 2007 - 09:30 PM

done scan log:
Deckard's System Scanner v20071014.68
Run by Kaidoo on 2007-12-24 04:20:09
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Kaidoo.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:20:15, on 24.12.2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\svshost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system\nadlocop.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ftp.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Kaidoo\Desktop\virusprotect!\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Kaidoo.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.reporter.ee/
F3 - REG:win.ini: load=C:\WINDOWS\System32\ddayx.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {68961DC0-AE5F-4443-B671-1405043BECFC} - C:\WINDOWS\System32\ddayx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [ocxloader .exe] C:\WINDOWS\System32\ocxloader .exe
O4 - HKLM\..\Run: [ocxloader .exe] C:\WINDOWS\System32\ocxloader .exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1078081533-1343024091-1801674531-1003\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v8.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0293C35-6A3A-423B-9411-E14FEF5C4837}: NameServer = 192.168.0.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byxwwvt - C:\WINDOWS\SYSTEM32\byxwwvt.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 3635 bytes

-- Files created between 2007-11-24 and 2007-12-24 -----------------------------

2007-12-24 04:16:14 0 --a------ C:\WINDOWS\System32\setup_11431.exe
2007-12-24 03:54:28 39936 --a------ C:\WINDOWS\System32\byxwwvt.dll
2007-12-24 03:54:27 38400 --a------ C:\WINDOWS\System32\opnmkhg.dll
2007-12-24 03:53:54 30720 -----n--- C:\WINDOWS\System32\svshost.exe
2007-12-24 03:39:40 0 dr-h----- C:\Documents and Settings\Kaidoo\Recent
2007-12-24 03:36:37 0 d-------- C:\VundoFix Backups
2007-12-24 03:25:47 331776 -----n--- C:\WINDOWS\System32\ddayx.dll
2007-12-24 03:25:22 0 --a------ C:\WINDOWS\System32\eraseme_32486.exe
2007-12-24 03:25:20 0 --a------ C:\WINDOWS\System32\setup_32486.exe
2007-12-24 03:16:22 30720 --a------ C:\WINDOWS\System32\setup_08464.exe
2007-12-24 02:46:35 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-24 02:46:28 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-12-24 02:46:28 0 d-------- C:\Documents and Settings\Kaidoo\Application Data\SUPERAntiSpyware.com
2007-12-24 02:46:09 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-24 02:28:15 0 d-------- C:\Program Files\Trend Micro
2007-12-24 02:22:35 30720 --a------ C:\WINDOWS\System32\setup_57082.exe
2007-12-24 02:19:57 30720 --a------ C:\WINDOWS\System32\setup_41343.exe
2007-12-24 02:17:12 30720 --a------ C:\WINDOWS\System32\setup_73452.exe
2007-12-24 02:15:18 30720 --a------ C:\WINDOWS\System32\eraseme_70472.exe
2007-12-24 02:07:45 7547 --ahs---- C:\WINDOWS\System32\xyadd.ini2
2007-12-23 01:16:32 30720 --a------ C:\WINDOWS\System32\setup_66377.exe
2007-12-23 01:15:00 30720 --a------ C:\WINDOWS\System32\setup_15445.exe
2007-12-23 00:47:27 30720 --a------ C:\WINDOWS\System32\setup_68417.exe
2007-12-23 00:36:27 57856 --a------ C:\WINDOWS\system\nadlocop .exe
2007-12-22 23:37:44 30720 --a------ C:\WINDOWS\System32\setup_80530.exe
2007-12-22 23:35:19 30720 --a------ C:\WINDOWS\System32\setup_71428.exe
2007-12-22 23:07:40 30720 --a------ C:\WINDOWS\System32\setup_35308.exe
2007-12-22 22:56:31 30720 --a------ C:\WINDOWS\System32\setup_30156.exe
2007-12-22 22:34:49 30720 --a------ C:\WINDOWS\System32\setup_35713.exe
2007-12-22 22:26:04 30720 --a------ C:\WINDOWS\System32\setup_20754.exe
2007-12-22 22:04:19 30720 --a------ C:\WINDOWS\System32\setup_60756.exe
2007-12-22 21:31:34 30720 --a------ C:\WINDOWS\System32\setup_74457.exe
2007-12-22 21:10:42 30720 --a------ C:\WINDOWS\System32\setup_32571.exe
2007-12-22 21:04:06 30720 --a------ C:\WINDOWS\System32\setup_68137.exe
2007-12-22 20:44:21 30720 --a------ C:\WINDOWS\System32\setup_45334.exe
2007-12-22 20:37:38 30720 --a------ C:\WINDOWS\System32\setup_10850.exe
2007-12-22 20:29:32 30720 --a------ C:\WINDOWS\System32\setup_06704.exe
2007-12-22 20:22:01 30720 --a------ C:\WINDOWS\System32\setup_23756.exe
2007-12-22 19:34:53 69 --a------ C:\WINDOWS\System32\i
2007-12-22 18:04:38 1215777 --a------ C:\SDFix.exe
2007-12-22 02:54:21 0 d-------- C:\WINDOWS\ERUNT
2007-12-22 02:47:45 4484 --a------ C:\tcp.exe
2007-12-22 02:46:21 4484 --a------ C:\WINDOWS\system\run.exe
2007-12-22 02:46:19 393216 --a------ C:\WINDOWS\system\nadlocop.exe
2007-12-22 02:41:17 7628 --a------ C:\WINDOWS\system\delnew.exe <Not Verified; Microsoft Update Service; Microsoft Update Service>
2007-12-22 02:41:15 48640 --a------ C:\WINDOWS\system\del.exe <Not Verified; Microsoft; Remote Winhost Manager>
2007-12-22 02:41:00 4592 --a------ C:\msu32.exe
2007-12-21 02:28:52 339456 --a------ C:\WINDOWS\System32\ocxloader .exe
2007-12-20 16:20:48 339456 --a------ C:\WINDOWS\System32\ocxloader .exe
2007-12-20 15:50:00 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia


-- Find3M Report ---------------------------------------------------------------

2007-12-24 04:13:47 0 d-------- C:\Program Files\PowerISO
2007-12-24 04:13:45 0 d-------- C:\Program Files\MSN Messenger
2007-12-24 03:39:40 0 d-------- C:\Program Files\Winamp
2007-12-24 02:46:09 0 d-------- C:\Program Files\Common Files
2007-12-22 01:38:03 0 d-------- C:\Program Files\Opera
2007-12-22 01:36:50 0 d-------- C:\Program Files\Webteh
2007-12-22 01:36:49 0 d-------- C:\Documents and Settings\Kaidoo\Application Data\BSplayer
2007-12-21 03:13:24 0 d-------- C:\Program Files\Counter-Strike 1.6
2007-12-20 16:29:59 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-20 15:28:04 47849 --a------ C:\WINDOWS\System32\cjpeg.exe
2007-12-20 15:27:50 5825 --a------ C:\WINDOWS\System32\ielog.dll
2007-11-16 12:46:32 0 d-------- C:\Documents and Settings\Kaidoo\Application Data\VideoEgg
2007-11-11 13:01:40 0 d-------- C:\Program Files\Common Files\3DO Shared
2007-11-11 13:00:03 0 d-------- C:\Program Files\3DO
2007-11-09 01:32:11 942 --a------ C:\WINDOWS\eReg.dat
2007-11-09 01:32:04 0 d-------- C:\Program Files\EA Games
2007-11-07 14:46:22 0 d-------- C:\Documents and Settings\Kaidoo\Application Data\Opera
2007-10-28 23:39:49 0 d-------- C:\Documents and Settings\Kaidoo\Application Data\BitTorrent
2007-10-21 16:37:20 21840 --a-----t C:\WINDOWS\System32\SIntfNT.dll
2007-10-21 16:37:20 17212 --a-----t C:\WINDOWS\System32\SIntf32.dll
2007-10-21 16:37:20 12067 --a-----t C:\WINDOWS\System32\SIntf16.dll
2007-10-19 17:02:12 3392 --a------ C:\WINDOWS\mozver.dat
2007-10-18 22:06:02 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-18 22:05:59 100475 --a------ C:\WINDOWS\UninstallFirefox.exe
2007-10-06 07:46:42 98304 --a------ C:\WINDOWS\System32\CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >
2007-09-28 18:07:52 3596288 --a------ C:\WINDOWS\System32\qt-dx331.dll
2007-09-28 18:05:50 196608 --a------ C:\WINDOWS\System32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-09-28 18:05:50 81920 --a------ C:\WINDOWS\System32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-09-28 18:05:40 802816 --a------ C:\WINDOWS\System32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-09-28 18:05:40 823296 --a------ C:\WINDOWS\System32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX>
2007-09-28 18:05:40 823296 --a------ C:\WINDOWS\System32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX>
2007-09-28 18:05:40 739840 --a------ C:\WINDOWS\System32\DivX.dll <Not Verified; DivX, Inc.; DivX>
2007-09-28 18:05:08 12288 --a------ C:\WINDOWS\System32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{68961DC0-AE5F-4443-B671-1405043BECFC}]
24.12.2007 03:25 331776 --------- C:\WINDOWS\System32\ddayx.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [22.10.2006 11:22]
"nwiz"="nwiz.exe" [22.10.2006 11:22 C:\WINDOWS\system32\nwiz.exe]
"WinampAgent"="C:\Program Files\Winamp\wianmpa.exe" []
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [24.12.2007 04:13]
"ocxloader .exe"="C:\WINDOWS\System32\ocxloader .exe" [24.12.2007 04:13]
"ocxloader .exe"="C:\WINDOWS\System32\ocxloader .exe" [24.12.2007 04:13]
"Advanced DHTML Enable"="C:\WINDOWS\system\nadlocop .exe" [24.12.2007 04:21]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\ctfmon.exe" [29.08.2002 05:41]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [24.12.2007 04:13]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [24.12.2007 04:13]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20.12.2006 13:55 77824]
"{B0EEDC94-E177-43D2-B600-84E7AC69969B}"= C:\WINDOWS\System32\byxwwvt.dll [24.12.2007 03:54 39936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19.04.2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxwwvt]
byxwwvt.dll 24.12.2007 03:54 39936 C:\WINDOWS\system32\byxwwvt.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\ddayx




-- End of Deckard's System Scanner: finished at 2007-12-24 04:22:29 ------------

MY PROBLEM IS: (look at the picture I attached)

Edited by kaido, 23 December 2007 - 09:33 PM.


#3 kaido

Posted 27 December 2007 - 10:32 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:31:36, on 28.12.2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\svshost.exe
C:\Documents and Settings\Kaidoo\Desktop\virusprotect!\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Kaidoo.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.reporter.ee/
F3 - REG:win.ini: load=C:\WINDOWS\System32\awtqr.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {E66521EB-E9C5-4402-BB3C-819C40942A68} - C:\WINDOWS\System32\awtqr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Advanced DHTML Enable] C:\windows\system\nadlocop.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - http://www.acclaim.com/cabs/acclaim_v8.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0293C35-6A3A-423B-9411-E14FEF5C4837}: NameServer = 192.168.0.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ddcaywt - C:\WINDOWS\
O20 - Winlogon Notify: efcdbcd - C:\WINDOWS\SYSTEM32\efcdbcd.dll
O20 - Winlogon Notify: mljiiij - C:\WINDOWS\
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Security Restore Services - Unknown owner - C:\WINDOWS\system32\svshost.exe

--
End of file - 2898 bytes

-- Files created between 2007-11-28 and 2007-12-28 -----------------------------

2007-12-28 05:29:09 37376 --a------ C:\WINDOWS\System32\khfcabb.dll
2007-12-28 05:29:08 38400 --a------ C:\WINDOWS\System32\urqqqnk.dll
2007-12-28 05:29:00 65024 --a------ C:\WINDOWS\system\lc.exe
2007-12-28 05:28:59 64512 --a------ C:\WINDOWS\system\zm.exe
2007-12-28 05:28:30 6601 --ahs---- C:\WINDOWS\System32\rqtwa.ini2
2007-12-28 05:28:30 348160 --a------ C:\WINDOWS\System32\awtqr.exe
2007-12-28 05:28:25 344576 --a------ C:\WINDOWS\System32\awtqr.dll
2007-12-28 05:27:27 37376 --a------ C:\WINDOWS\System32\yayvtst.dll
2007-12-28 05:27:26 38400 --a------ C:\WINDOWS\System32\iifcday.dll
2007-12-28 05:25:57 37376 --a------ C:\WINDOWS\System32\byxwvss.dll
2007-12-28 05:25:54 38400 --a------ C:\WINDOWS\System32\gebbcyv.dll
2007-12-28 05:25:08 37376 --a------ C:\WINDOWS\System32\urqqnlk.dll
2007-12-28 05:25:07 38400 --a------ C:\WINDOWS\System32\khfggfe.dll
2007-12-28 05:23:21 37376 --a------ C:\WINDOWS\System32\qomnlkj.dll
2007-12-28 05:23:21 38400 --a------ C:\WINDOWS\System32\efcdbcd.dll
2007-12-28 05:23:17 4484 --a------ C:\WINDOWS\system\run.exe
2007-12-28 05:23:16 7408 --a------ C:\WINDOWS\system\dc4all.exe <Not Verified; Winhost; Microsoft Update Service>
2007-12-28 05:23:12 7604 --a------ C:\WINDOWS\system\delnew.exe <Not Verified; Microsoft Office Service; Microsoft Office Service>
2007-12-28 05:23:06 48640 --a------ C:\WINDOWS\system\del.exe <Not Verified; Microsoft; Remote Winhost Manager>
2007-12-28 05:23:04 57856 --a------ C:\WINDOWS\system\nadlocop.exe
2007-12-28 05:22:59 60416 --a------ C:\WINDOWS\system\locop.exe
2007-12-28 05:22:59 5632 --a------ C:\WINDOWS\system\helper.exe
2007-12-28 05:22:58 4612 --a------ C:\msu32.exe
2007-12-28 05:22:44 30720 --a------ C:\WINDOWS\System32\eraseme_68156.exe
2007-12-28 05:22:43 30720 -r-hs---- C:\WINDOWS\System32\svshost.exe
2007-12-28 04:00:56 30720 --a------ C:\WINDOWS\System32\setup_74685.exe
2007-12-28 03:52:16 30720 --a------ C:\WINDOWS\System32\setup_58057.exe
2007-12-28 03:51:31 30720 --a------ C:\WINDOWS\System32\setup_44228.exe
2007-12-28 02:44:00 70 --a------ C:\WINDOWS\System32\i
2007-12-27 19:57:40 0 dr-h----- C:\Documents and Settings\Kaidoo\Recent
2007-12-27 13:25:17 0 d-------- C:\ijji
2007-12-27 13:23:53 692224 --a------ C:\WINDOWS\System32\ijjiSetup.exe <Not Verified; NHN USA; ijjiSetup Application>
2007-12-27 13:23:53 0 d-------- C:\Program Files\NHN USA
2007-12-27 12:49:40 0 d-------- C:\Program Files\DriftCity
2007-12-27 08:36:05 32768 --a------ C:\WINDOWS\System32\udaprop.dll <Not Verified; C-Media Corporation; CMI8738/CMI9738/CMI9739 Audio Device>
2007-12-27 08:36:05 755392 --a------ C:\WINDOWS\System32\drivers\cmuda.sys <Not Verified; C-Media Inc; C-Media Audio Driver (WDM)>
2007-12-27 08:36:05 118784 --a------ C:\WINDOWS\System32\cmuda.dll <Not Verified; C-Media; C-Media cmuda.dll>
2007-12-27 08:36:05 233472 --a------ C:\WINDOWS\System32\cmirmdrv.exe <Not Verified; ; CmiRemoveDriver Application>
2007-12-27 08:36:05 28672 --a------ C:\WINDOWS\System32\cmirmdrv.dll
2007-12-27 08:36:05 712704 --a------ C:\WINDOWS\System32\Audio3D.dll <Not Verified; Sensaura Ltd; Sensaura>
2007-12-27 08:36:05 712704 --a------ C:\WINDOWS\System32\a3d.dll <Not Verified; Sensaura Ltd; Sensaura>
2007-12-27 08:36:05 1454080 --a------ C:\WINDOWS\system\SmWizard.exe <Not Verified; C-Media Electronics Inc.; SmartWizard Application>
2007-12-27 08:36:05 917504 --a------ C:\WINDOWS\system\cmids3d.dll <Not Verified; C-Media Electronics Inc.; C-Media Cmids3d>
2007-12-27 08:05:22 0 d-------- C:\Program Files\C-Media
2007-12-27 06:39:56 0 d-------- C:\NVIDIA Display Driver
2007-12-27 04:52:53 0 d-------- C:\Program Files\Rockstar Games
2007-12-26 02:58:57 0 d-------- C:\Documents and Settings\Kaidoo\DoctorWeb
2007-12-25 21:00:13 0 d-------- C:\VundoFix Backups
2007-12-25 20:37:35 0 d-------- C:\WINDOWS\CSC
2007-12-24 04:49:53 0 d-------- C:\Program Files\CCleaner
2007-12-24 02:46:35 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-24 02:46:28 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-12-24 02:46:28 0 d-------- C:\Documents and Settings\Kaidoo\Application Data\SUPERAntiSpyware.com
2007-12-24 02:46:09 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-24 02:28:15 0 d-------- C:\Program Files\Trend Micro
2007-12-22 02:54:21 0 d-------- C:\WINDOWS\ERUNT
2007-12-20 15:50:00 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2007-12-11 21:44:28 196608 --a------ C:\WINDOWS\System32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-12-11 21:44:28 81920 --a------ C:\WINDOWS\System32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-12-11 21:44:18 802816 --a------ C:\WINDOWS\System32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-12-11 21:44:18 823296 --a------ C:\WINDOWS\System32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX>
2007-12-11 21:44:18 823296 --a------ C:\WINDOWS\System32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX>
2007-12-11 21:44:18 682496 --a------ C:\WINDOWS\System32\DivX.dll <Not Verified; DivX, Inc.; DivX>
2007-12-11 21:43:44 12288 --a------ C:\WINDOWS\System32\DivXWMPExtType.dll


-- Find3M Report ---------------------------------------------------------------

2007-12-27 14:21:04 0 d--h----- C:\Documents and Settings\Kaidoo\Application Data\ijjigame
2007-12-27 13:23:53 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-27 13:04:06 0 d-------- C:\Program Files\Winamp
2007-12-26 02:59:46 0 d-------- C:\Program Files\PowerISO
2007-12-26 02:59:39 0 d-------- C:\Program Files\MSN Messenger
2007-12-26 02:43:32 0 d-------- C:\Program Files\DivX
2007-12-24 02:46:09 0 d-------- C:\Program Files\Common Files
2007-12-22 01:38:03 0 d-------- C:\Program Files\Opera
2007-12-22 01:36:50 0 d-------- C:\Program Files\Webteh
2007-12-22 01:36:49 0 d-------- C:\Documents and Settings\Kaidoo\Application Data\BSplayer
2007-12-21 03:13:24 0 d-------- C:\Program Files\Counter-Strike 1.6
2007-12-20 15:28:04 47849 --a------ C:\WINDOWS\System32\cjpeg.exe
2007-12-20 15:27:50 5825 --a------ C:\WINDOWS\System32\ielog.dll
2007-11-16 12:46:32 0 d-------- C:\Documents and Settings\Kaidoo\Application Data\VideoEgg
2007-11-11 13:01:40 0 d-------- C:\Program Files\Common Files\3DO Shared
2007-11-11 13:00:03 0 d-------- C:\Program Files\3DO
2007-11-09 01:32:11 942 --a------ C:\WINDOWS\eReg.dat
2007-11-09 01:32:04 0 d-------- C:\Program Files\EA Games
2007-11-07 14:46:22 0 d-------- C:\Documents and Settings\Kaidoo\Application Data\Opera
2007-10-28 23:39:49 0 d-------- C:\Documents and Settings\Kaidoo\Application Data\BitTorrent
2007-10-21 16:37:20 21840 --a-----t C:\WINDOWS\System32\SIntfNT.dll
2007-10-21 16:37:20 17212 --a-----t C:\WINDOWS\System32\SIntf32.dll
2007-10-21 16:37:20 12067 --a-----t C:\WINDOWS\System32\SIntf16.dll
2007-10-19 17:02:12 3392 --a------ C:\WINDOWS\mozver.dat
2007-10-18 22:06:02 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-18 22:05:59 100475 --a------ C:\WINDOWS\UninstallFirefox.exe
2007-10-06 07:46:42 98304 --a------ C:\WINDOWS\System32\CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E66521EB-E9C5-4402-BB3C-819C40942A68}]
28.12.2007 05:28 344576 --a------ C:\WINDOWS\System32\awtqr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [22.10.2006 11:22]
"nwiz"="nwiz.exe" [22.10.2006 11:22 C:\WINDOWS\system32\nwiz.exe]
"Advanced DHTML Enable"="C:\windows\system\nadlocop.exe" [28.12.2007 05:28]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20.12.2006 13:55 77824]
"{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}"= C:\WINDOWS\System32\efcdbcd.dll [28.12.2007 05:23 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19.04.2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcaywt]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcdbcd]
efcdbcd.dll 28.12.2007 05:23 38400 C:\WINDOWS\system32\efcdbcd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljiiij]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\awtqr

#4 Blender

Posted 27 December 2007 - 11:38 PM

Hi,

Got quite the mess there.
Seeing that you mentioned in chat that drweb found over 500 infections I am not sure we can fix all this up.
Before beginning, I do advise backing up important docs, pics, etc. (no programs) in case things go really bad and you end up formatting.

Once backed up --

1. Download this file and save it to your desktop.

In the event you already have Combofix, please delete it as this is a new version I need you to download.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

2. Double-click combofix.exe and follow the prompts.
You will temporarily lose your desktop while the scan is running. Once the scan is done, the desktop will return to normal.
3. When finished, it shall produce a log for you. Post that log in your next reply to this thread.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

There will be more work to do.

#5 kaido

Posted 27 December 2007 - 11:48 PM

ComboFix 07-12-21.4 - Kaidoo 2007-12-28 6:43:24.10 - NTFSx86

Running from: C:\Documents and Settings\Kaidoo\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\awtqr.dll
C:\WINDOWS\system32\byxwvss.dll
C:\WINDOWS\system32\efcdbcd.dll
C:\WINDOWS\system32\gebbcyv.dll
C:\WINDOWS\system32\iifcday.dll
C:\WINDOWS\system32\khfcabb.dll
C:\WINDOWS\system32\khfggfe.dll
C:\WINDOWS\system32\qomnlkj.dll
C:\WINDOWS\system32\rqtwa.ini
C:\WINDOWS\system32\rqtwa.ini2
C:\WINDOWS\system32\urqqnlk.dll
C:\WINDOWS\system32\urqqqnk.dll
C:\WINDOWS\system32\yayvtst.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))
.

2007-12-28 06:33 . 2007-12-28 06:33 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-28 06:33 . 2007-12-28 06:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-28 06:25 . 2007-12-28 06:25 30,720 --a------ C:\WINDOWS\system32\setup_32455.exe
2007-12-28 06:21 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-12-28 06:21 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-12-28 06:20 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-12-28 06:20 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-12-28 06:20 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2007-12-28 06:20 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-12-28 06:20 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2007-12-28 06:20 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
2007-12-28 06:20 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2007-12-28 06:20 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2007-12-28 06:20 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2007-12-28 06:02 . 2007-12-28 06:02 30,720 --a------ C:\WINDOWS\system32\setup_31756.exe
2007-12-28 05:41 . 2007-12-28 06:34 4,484 --a------ C:\tcp.exe
2007-12-28 05:28 . 2007-12-28 06:43 348,160 --a------ C:\WINDOWS\system32\awtqr.exe
2007-12-28 05:22 . 2007-12-28 05:22 30,720 --a------ C:\WINDOWS\system32\eraseme_68156.exe
2007-12-28 05:22 . 2007-12-28 05:29 4,612 --a------ C:\msu32.exe
2007-12-28 04:00 . 2007-12-28 04:00 30,720 --a------ C:\WINDOWS\system32\setup_74685.exe
2007-12-28 03:52 . 2007-12-28 03:52 30,720 --a------ C:\WINDOWS\system32\setup_58057.exe
2007-12-28 03:51 . 2007-12-28 03:51 30,720 --a------ C:\WINDOWS\system32\setup_44228.exe
2007-12-28 02:44 . 2007-12-28 06:25 69 --a------ C:\WINDOWS\system32\i
2007-12-27 13:25 . 2007-12-27 13:25 <DIR> d-------- C:\ijji
2007-12-27 13:24 . 2007-06-21 18:59 58,776 --a------ C:\WINDOWS\system32\ijjiPlugin2.dll
2007-12-27 13:23 . 2007-12-27 13:23 <DIR> d-------- C:\Program Files\NHN USA
2007-12-27 13:23 . 2007-09-27 12:08 692,224 --a------ C:\WINDOWS\system32\ijjiSetup.exe
2007-12-27 12:49 . 2007-12-27 14:19 <DIR> d-------- C:\Program Files\DriftCity
2007-12-27 08:05 . 2007-12-27 08:05 <DIR> d-------- C:\Program Files\C-Media
2007-12-27 06:39 . 2007-12-27 06:39 <DIR> d-------- C:\NVIDIA Display Driver
2007-12-27 04:52 . 2007-12-27 04:52 <DIR> d-------- C:\Program Files\Rockstar Games
2007-12-26 02:58 . 2007-12-26 03:19 <DIR> d-------- C:\Documents and Settings\Kaidoo\DoctorWeb
2007-12-25 21:00 . 2007-12-25 21:00 <DIR> d-------- C:\VundoFix Backups
2007-12-24 04:49 . 2007-12-24 04:49 <DIR> d-------- C:\Program Files\CCleaner
2007-12-24 02:46 . 2007-12-26 02:59 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-24 02:46 . 2007-12-24 02:46 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-24 02:46 . 2007-12-24 02:46 <DIR> d-------- C:\Documents and Settings\Kaidoo\Application Data\SUPERAntiSpyware.com
2007-12-24 02:46 . 2007-12-24 02:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-24 02:28 . 2007-12-24 02:28 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-22 02:54 . 2007-12-22 02:54 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-21 02:28 . 2007-12-25 21:13 13,312 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-11 21:46 . 2007-12-11 21:46 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-12-11 21:46 . 2007-12-11 21:46 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2007-12-11 21:45 . 2007-12-11 21:45 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-12-11 21:45 . 2007-12-11 21:45 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-12-11 21:43 . 2007-12-11 21:43 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-27 12:21 --------- d--h--w C:\Documents and Settings\Kaidoo\Application Data\ijjigame
2007-12-27 11:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-27 11:04 --------- d-----w C:\Program Files\Winamp
2007-12-26 00:59 --------- d-----w C:\Program Files\PowerISO
2007-12-26 00:59 --------- d-----w C:\Program Files\MSN Messenger
2007-12-26 00:43 --------- d-----w C:\Program Files\DivX
2007-12-22 16:20 12,464 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-12-21 23:38 --------- d-----w C:\Program Files\Opera
2007-12-21 23:36 --------- d-----w C:\Program Files\Webteh
2007-12-21 23:36 --------- d-----w C:\Documents and Settings\Kaidoo\Application Data\BSplayer
2007-12-21 01:13 --------- d-----w C:\Program Files\Counter-Strike 1.6
2007-11-20 15:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-16 10:46 --------- d-----w C:\Documents and Settings\Kaidoo\Application Data\VideoEgg
2007-11-11 11:01 --------- d-----w C:\Program Files\Common Files\3DO Shared
2007-11-11 11:00 --------- d-----w C:\Program Files\3DO
2007-11-08 23:32 --------- d-----w C:\Program Files\EA Games
2007-10-28 21:39 --------- d-----w C:\Documents and Settings\Kaidoo\Application Data\BitTorrent
2007-10-18 20:05 100,475 ----a-w C:\WINDOWS\UninstallFirefox.exe
2001-11-23 10:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="RunDll32 cmicnfg.cpl" []
"NvCplDaemon"="RUNDLL32.exe" [2001-08-23 14:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2006-10-22 11:22 C:\WINDOWS\system32\nwiz.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcaywt]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljiiij]

S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;C:\Documents and Settings\Kaidoo\Desktop\moon\IlvMoney1055.sys [2007-07-27 20:31]

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 06:46:10
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-28 6:46:48 - machine was rebooted

#6 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 27 December 2007 - 11:52 PM

K.

Next:

Download SDFix and save it to your Desktop.

In the event you already have SDFix, please delete it as this is a new version I need you to download.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt. (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#7 kaido

kaido
  • Topic Starter

  • Members
  • 62 posts

Posted 28 December 2007 - 12:09 AM

SDFix: Version 1.120

Run by Kaidoo on R 28.12.2007 at 06:57

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\eraseme_68156.exe - Deleted
C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\system32\setup_31756.exe - Deleted
C:\WINDOWS\system32\setup_32455.exe - Deleted
C:\WINDOWS\system32\setup_44228.exe - Deleted
C:\WINDOWS\system32\setup_58057.exe - Deleted
C:\WINDOWS\system32\setup_74685.exe - Deleted




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 07:01:20
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:1e,93,52,69,62,1f,c7,90,2d,bd,dd,91,0a,fc,44,56,2c,21,3c,d9,bc,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:a1,1e,f0,fd,ad,8d,96,53,ac,01,b9,0b,43,c7,ee,3a,c3,09,d4,2a,ee,..
"d0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:21,04,59,aa,72,c2,b5,f0,7d,1f,c1,da,a7,a7,37,c5,f4,e8,c2,fe,88,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:1e,93,52,69,62,1f,c7,90,2d,bd,dd,91,0a,fc,44,56,2c,21,3c,d9,bc,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:a1,1e,f0,fd,ad,8d,96,53,ac,01,b9,0b,43,c7,ee,3a,c3,09,d4,2a,ee,..
"d0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:21,04,59,aa,72,c2,b5,f0,7d,1f,c1,da,a7,a7,37,c5,f4,e8,c2,fe,88,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:0000005a

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 2


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------
C:\WINDOWS\system32\i Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Fri 28 Dec 2007 30,720 ..SHR --- "C:\WINDOWS\system32\svshost.exe"

Finished!




Deckard's System Scanner v20071014.68
Run by Kaidoo on 2007-12-28 07:05:08
Computer is in Normal Mode.
--------------------------------------------------------------------------------


-- HijackThis (run as Kaidoo.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:05:10, on 28.12.2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\svshost.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Kaidoo\Desktop\virusprotect!\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Kaidoo.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.reporter.ee/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Advanced DHTML Enable] C:\WINDOWS\system\nadlocop.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198815572375
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} - http://www.acclaim.com/cabs/acclaim_v8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1198815555703
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0293C35-6A3A-423B-9411-E14FEF5C4837}: NameServer = 192.168.0.1
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ddcaywt - C:\WINDOWS\
O20 - Winlogon Notify: mljiiij - C:\WINDOWS\
O20 - Winlogon Notify: ssqpnno - C:\WINDOWS\SYSTEM32\ssqpnno.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Security Restore Services - Unknown owner - C:\WINDOWS\system32\svshost.exe

--
End of file - 3249 bytes

-- Files created between 2007-11-28 and 2007-12-28 -----------------------------

2007-12-28 07:02:44 37376 --a------ C:\WINDOWS\System32\xxyxyxv.dll
2007-12-28 07:02:44 38400 --a------ C:\WINDOWS\System32\ssqpnno.dll
2007-12-28 07:02:11 30720 -r-hs---- C:\WINDOWS\System32\svshost.exe
2007-12-28 07:02:06 71 --a------ C:\WINDOWS\System32\i
2007-12-28 06:33:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-28 06:33:39 0 d-------- C:\WINDOWS\System32\Kaspersky Lab
2007-12-28 06:19:25 0 d-------- C:\WINDOWS\SoftwareDistribution
2007-12-28 05:41:09 4484 --a------ C:\tcp.exe
2007-12-28 05:28:30 348160 --a------ C:\WINDOWS\System32\awtqr.exe
2007-12-28 05:22:58 4612 --a------ C:\msu32.exe
2007-12-27 19:57:40 0 dr-h----- C:\Documents and Settings\Kaidoo\Recent
2007-12-27 13:25:17 0 d-------- C:\ijji
2007-12-27 13:23:53 692224 --a------ C:\WINDOWS\System32\ijjiSetup.exe <Not Verified; NHN USA; ijjiSetup Application>
2007-12-27 13:23:53 0 d-------- C:\Program Files\NHN USA
2007-12-27 12:49:40 0 d-------- C:\Program Files\DriftCity
2007-12-27 08:36:05 32768 --a------ C:\WINDOWS\System32\udaprop.dll <Not Verified; C-Media Corporation; CMI8738/CMI9738/CMI9739 Audio Device>
2007-12-27 08:36:05 755392 --a------ C:\WINDOWS\System32\drivers\cmuda.sys <Not Verified; C-Media Inc; C-Media Audio Driver (WDM)>
2007-12-27 08:36:05 118784 --a------ C:\WINDOWS\System32\cmuda.dll <Not Verified; C-Media; C-Media cmuda.dll>
2007-12-27 08:36:05 233472 --a------ C:\WINDOWS\System32\cmirmdrv.exe <Not Verified; ; CmiRemoveDriver Application>
2007-12-27 08:36:05 28672 --a------ C:\WINDOWS\System32\cmirmdrv.dll
2007-12-27 08:36:05 712704 --a------ C:\WINDOWS\System32\Audio3D.dll <Not Verified; Sensaura Ltd; Sensaura>
2007-12-27 08:36:05 712704 --a------ C:\WINDOWS\System32\a3d.dll <Not Verified; Sensaura Ltd; Sensaura>
2007-12-27 08:36:05 1454080 --a------ C:\WINDOWS\system\SmWizard.exe <Not Verified; C-Media Electronics Inc.; SmartWizard Application>
2007-12-27 08:36:05 917504 --a------ C:\WINDOWS\system\cmids3d.dll <Not Verified; C-Media Electronics Inc.; C-Media Cmids3d>
2007-12-27 08:05:22 0 d-------- C:\Program Files\C-Media
2007-12-27 06:39:56 0 d-------- C:\NVIDIA Display Driver
2007-12-27 04:52:53 0 d-------- C:\Program Files\Rockstar Games
2007-12-26 02:58:57 0 d-------- C:\Documents and Settings\Kaidoo\DoctorWeb
2007-12-25 21:00:13 0 d-------- C:\VundoFix Backups
2007-12-25 20:37:35 0 d-------- C:\WINDOWS\CSC
2007-12-24 04:49:53 0 d-------- C:\Program Files\CCleaner
2007-12-24 02:46:35 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-24 02:46:28 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-12-24 02:46:28 0 d-------- C:\Documents and Settings\Kaidoo\Application Data\SUPERAntiSpyware.com
2007-12-24 02:46:09 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-24 02:28:15 0 d-------- C:\Program Files\Trend Micro
2007-12-22 02:54:21 0 d-------- C:\WINDOWS\ERUNT
2007-12-20 15:50:00 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2007-12-11 21:44:28 196608 --a------ C:\WINDOWS\System32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-12-11 21:44:28 81920 --a------ C:\WINDOWS\System32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-12-11 21:44:18 802816 --a------ C:\WINDOWS\System32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-12-11 21:44:18 823296 --a------ C:\WINDOWS\System32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX>
2007-12-11 21:44:18 823296 --a------ C:\WINDOWS\System32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX>
2007-12-11 21:44:18 682496 --a------ C:\WINDOWS\System32\DivX.dll <Not Verified; DivX, Inc.; DivX>
2007-12-11 21:43:44 12288 --a------ C:\WINDOWS\System32\DivXWMPExtType.dll


-- Find3M Report ---------------------------------------------------------------

2007-12-28 06:20:50 0 d--h----- C:\Program Files\WindowsUpdate
2007-12-27 14:21:04 0 d--h----- C:\Documents and Settings\Kaidoo\Application Data\ijjigame
2007-12-27 13:23:53 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-27 13:04:06 0 d-------- C:\Program Files\Winamp
2007-12-26 02:59:46 0 d-------- C:\Program Files\PowerISO
2007-12-26 02:59:39 0 d-------- C:\Program Files\MSN Messenger
2007-12-26 02:43:32 0 d-------- C:\Program Files\DivX
2007-12-24 02:46:09 0 d-------- C:\Program Files\Common Files
2007-12-22 01:38:03 0 d-------- C:\Program Files\Opera
2007-12-22 01:36:50 0 d-------- C:\Program Files\Webteh
2007-12-22 01:36:49 0 d-------- C:\Documents and Settings\Kaidoo\Application Data\BSplayer
2007-12-21 03:13:24 0 d-------- C:\Program Files\Counter-Strike 1.6
2007-12-20 15:28:04 47849 --a------ C:\WINDOWS\System32\cjpeg.exe
2007-12-20 15:27:50 5825 --a------ C:\WINDOWS\System32\ielog.dll
2007-11-16 12:46:32 0 d-------- C:\Documents and Settings\Kaidoo\Application Data\VideoEgg
2007-11-11 13:01:40 0 d-------- C:\Program Files\Common Files\3DO Shared
2007-11-11 13:00:03 0 d-------- C:\Program Files\3DO
2007-11-09 01:32:11 942 --a------ C:\WINDOWS\eReg.dat
2007-11-09 01:32:04 0 d-------- C:\Program Files\EA Games
2007-11-07 14:46:22 0 d-------- C:\Documents and Settings\Kaidoo\Application Data\Opera
2007-10-28 23:39:49 0 d-------- C:\Documents and Settings\Kaidoo\Application Data\BitTorrent
2007-10-21 16:37:20 21840 --a-----t C:\WINDOWS\System32\SIntfNT.dll
2007-10-21 16:37:20 17212 --a-----t C:\WINDOWS\System32\SIntf32.dll
2007-10-21 16:37:20 12067 --a-----t C:\WINDOWS\System32\SIntf16.dll
2007-10-19 17:02:12 3392 --a------ C:\WINDOWS\mozver.dat
2007-10-18 22:06:02 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-18 22:05:59 100475 --a------ C:\WINDOWS\UninstallFirefox.exe
2007-10-06 07:46:42 98304 --a------ C:\WINDOWS\System32\CmdLineExt.dll <Not Verified; Sony DADC Austria AG.; >


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [22.10.2006 11:22]
"nwiz"="nwiz.exe" [22.10.2006 11:22 C:\WINDOWS\system32\nwiz.exe]
"Advanced DHTML Enable"="C:\WINDOWS\system\nadlocop.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20.12.2006 13:55 77824]
"{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}"= C:\WINDOWS\System32\ssqpnno.dll [28.12.2007 07:02 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19.04.2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcaywt]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljiiij]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpnno]
ssqpnno.dll 28.12.2007 07:02 38400 C:\WINDOWS\system32\ssqpnno.dll




-- End of Deckard's System Scanner: finished at 2007-12-28 07:05:51 ------------

#8 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 28 December 2007 - 12:31 AM

Hi,

Open notepad and copy/paste the text in the code box below into it:

file::
C:\WINDOWS\system32\i
C:\WINDOWS\system32\svshost.exe
C:\WINDOWS\SYSTEM32\ssqpnno.dll
C:\WINDOWS\System32\xxyxyxv.dll
C:\tcp.exe
C:\WINDOWS\System32\awtqr.exe
C:\msu32.exe

registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced DHTML Enable"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcaywt] 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljiiij] 
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpnno] 

driver::
"Security Restore Services"

Save this as CFScript.txt
Drag CFScript.txt on top of ComboFix.exe

like this: [screenshot not captured]

Post the new ComboFix.txt please.

Thanks :thumbsup:
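The entries the CFScript above targets can be picked out of the HijackThis log in reply #7 with a few defender-side rules: a process name one character away from a real system binary (svshost.exe vs svchost.exe), Winlogon Notify keys whose DLL is gone or unknown, a Run entry launching from C:\WINDOWS\system, and a service with no vendor. This is an added example, not code from the thread, HijackThis or ComboFix; the sample lines are copied from the posted log, and the allowlist, suspect-directory list and edit-distance heuristic are assumptions chosen to illustrate why those lines stand out.

```python
import ntpath
import re

# Constructed sample: a subset of the HijackThis log posted in reply #7 above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svshost.exe
C:\WINDOWS\System32\RunDll32.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Advanced DHTML Enable] C:\WINDOWS\system\nadlocop.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ddcaywt - C:\WINDOWS\
O20 - Winlogon Notify: mljiiij - C:\WINDOWS\
O20 - Winlogon Notify: ssqpnno - C:\WINDOWS\SYSTEM32\ssqpnno.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Security Restore Services - Unknown owner - C:\WINDOWS\system32\svshost.exe
"""

# Windows binaries whose names malware likes to imitate (assumed list).
SYSTEM_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "rundll32.exe",
}
# Winlogon Notify DLLs accepted without question (assumed allowlist; a real
# one would be built from a known-clean machine of the same build).
KNOWN_NOTIFY_DLLS = {"saswinlo.dll"}
# Directories a legitimate Run entry rarely launches from (assumption).
SUSPECT_RUN_DIRS = {r"c:\windows\system", "c:\\"}
# First drive-letter path ending in .exe/.dll inside a Run command line.
PATH_RE = re.compile(r"[a-z]:\\[^,]*?\.(?:exe|dll)", re.IGNORECASE)


def within_one_edit(a, b):
    """True if one substitution, insertion or deletion turns a into b."""
    if a == b:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def lookalike_of(name):
    """Return the system binary that `name` imitates (svshost -> svchost), else None."""
    name = name.lower()
    if name in SYSTEM_BINARIES:
        return None
    return next((legit for legit in SYSTEM_BINARIES if within_one_edit(name, legit)), None)


def triage(log_text):
    """Return (reason, subject, line) findings for HijackThis-style log text."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if in_processes:
            base = ntpath.basename(line)
            legit = lookalike_of(base)
            if legit:
                findings.append(("process name imitates " + legit, base, line))
        elif line.startswith("O4 "):
            # O4 - HKLM\..\Run: [Name] <command line>
            m = PATH_RE.search(line.split("]", 1)[-1])
            if m and ntpath.dirname(m.group(0)).lower() in SUSPECT_RUN_DIRS:
                findings.append(("autorun from unusual directory", ntpath.basename(m.group(0)), line))
        elif line.startswith("O20 "):
            # O20 - Winlogon Notify: <key> - <dll path>
            head, _, target = line.rpartition(" - ")
            key = head.split(":", 1)[1].strip()
            base = ntpath.basename(target)
            if not base:  # path ends in a directory: the DLL is gone but the key remains
                findings.append(("dangling Winlogon Notify entry", key, line))
            elif base.lower() not in KNOWN_NOTIFY_DLLS:
                findings.append(("unrecognised Winlogon Notify DLL", base, line))
        elif line.startswith("O23 "):
            # O23 - Service: <name> - <vendor or "Unknown owner"> - <binary path>
            base = ntpath.basename(line.rpartition(" - ")[2])
            if "Unknown owner" in line or lookalike_of(base):
                findings.append(("service with no vendor or lookalike binary", base, line))
    return findings


if __name__ == "__main__":
    for reason, subject, line in triage(SAMPLE_LOG):
        print(f"{subject:14} {reason}: {line}")
```

Run against the sample it reports exactly the five names the CFScript removes, with svshost.exe flagged twice (as a running process and as the service binary).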

#9 kaido

kaido
  • Topic Starter

  • Members
  • 62 posts

Posted 28 December 2007 - 12:39 AM

ComboFix 07-12-21.4 - Kaidoo 2007-12-28 7:34:19.11 - NTFSx86

Running from: C:\Documents and Settings\Kaidoo\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kaidoo\Desktop\CFScript.txt

FILE
C:\msu32.exe
C:\tcp.exe
C:\WINDOWS\System32\awtqr.exe
C:\WINDOWS\system32\i
C:\WINDOWS\SYSTEM32\ssqpnno.dll
C:\WINDOWS\system32\svshost.exe
C:\WINDOWS\System32\xxyxyxv.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\msu32.exe
C:\tcp.exe
C:\WINDOWS\system32\awtqp.dll
C:\WINDOWS\System32\awtqr.exe
C:\WINDOWS\system32\i
C:\WINDOWS\system32\pqtwa.ini
C:\WINDOWS\system32\pqtwa.ini2
C:\WINDOWS\SYSTEM32\ssqpnno.dll
C:\WINDOWS\system32\svshost.exe
C:\WINDOWS\system32\xxyxyxv.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_SECURITY_RESTORE_SERVICES
-------\Security Restore Services


((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))
.

2007-12-28 07:17 . 2007-12-28 07:17 30,720 --a------ C:\WINDOWS\system32\setup_33200.exe
2007-12-28 07:13 . 2007-12-28 07:13 30,720 --a------ C:\WINDOWS\system32\setup_67473.exe
2007-12-28 07:08 . 2007-12-28 07:34 348,160 --a------ C:\WINDOWS\system32\awtqp.exe
2007-12-28 07:07 . 2007-12-28 07:07 30,720 --a------ C:\WINDOWS\system32\setup_37231.exe
2007-12-28 06:33 . 2007-12-28 06:33 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-28 06:33 . 2007-12-28 06:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-28 06:21 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-12-28 06:21 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-12-28 06:20 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-12-28 06:20 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-12-28 06:20 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2007-12-28 06:20 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-12-28 06:20 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2007-12-28 06:20 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
2007-12-28 06:20 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2007-12-28 06:20 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2007-12-28 06:20 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2007-12-27 13:25 . 2007-12-27 13:25 <DIR> d-------- C:\ijji
2007-12-27 13:24 . 2007-06-21 18:59 58,776 --a------ C:\WINDOWS\system32\ijjiPlugin2.dll
2007-12-27 13:23 . 2007-12-27 13:23 <DIR> d-------- C:\Program Files\NHN USA
2007-12-27 13:23 . 2007-09-27 12:08 692,224 --a------ C:\WINDOWS\system32\ijjiSetup.exe
2007-12-27 12:49 . 2007-12-27 14:19 <DIR> d-------- C:\Program Files\DriftCity
2007-12-27 08:05 . 2007-12-27 08:05 <DIR> d-------- C:\Program Files\C-Media
2007-12-27 06:39 . 2007-12-27 06:39 <DIR> d-------- C:\NVIDIA Display Driver
2007-12-27 04:52 . 2007-12-27 04:52 <DIR> d-------- C:\Program Files\Rockstar Games
2007-12-26 02:58 . 2007-12-26 03:19 <DIR> d-------- C:\Documents and Settings\Kaidoo\DoctorWeb
2007-12-25 21:00 . 2007-12-25 21:00 <DIR> d-------- C:\VundoFix Backups
2007-12-24 04:49 . 2007-12-24 04:49 <DIR> d-------- C:\Program Files\CCleaner
2007-12-24 02:46 . 2007-12-26 02:59 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-24 02:46 . 2007-12-24 02:46 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-24 02:46 . 2007-12-24 02:46 <DIR> d-------- C:\Documents and Settings\Kaidoo\Application Data\SUPERAntiSpyware.com
2007-12-24 02:46 . 2007-12-24 02:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-24 02:28 . 2007-12-24 02:28 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-22 02:54 . 2007-12-22 02:54 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-21 02:28 . 2007-12-25 21:13 13,312 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-11 21:46 . 2007-12-11 21:46 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-12-11 21:46 . 2007-12-11 21:46 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2007-12-11 21:45 . 2007-12-11 21:45 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-12-11 21:45 . 2007-12-11 21:45 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-12-11 21:43 . 2007-12-11 21:43 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-27 12:21 --------- d--h--w C:\Documents and Settings\Kaidoo\Application Data\ijjigame
2007-12-27 11:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-27 11:04 --------- d-----w C:\Program Files\Winamp
2007-12-26 00:59 --------- d-----w C:\Program Files\PowerISO
2007-12-26 00:59 --------- d-----w C:\Program Files\MSN Messenger
2007-12-26 00:43 --------- d-----w C:\Program Files\DivX
2007-12-22 16:20 12,464 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-12-21 23:38 --------- d-----w C:\Program Files\Opera
2007-12-21 23:36 --------- d-----w C:\Program Files\Webteh
2007-12-21 23:36 --------- d-----w C:\Documents and Settings\Kaidoo\Application Data\BSplayer
2007-12-21 01:13 --------- d-----w C:\Program Files\Counter-Strike 1.6
2007-11-20 15:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-16 10:46 --------- d-----w C:\Documents and Settings\Kaidoo\Application Data\VideoEgg
2007-11-11 11:01 --------- d-----w C:\Program Files\Common Files\3DO Shared
2007-11-11 11:00 --------- d-----w C:\Program Files\3DO
2007-11-08 23:32 --------- d-----w C:\Program Files\EA Games
2007-10-28 21:39 --------- d-----w C:\Documents and Settings\Kaidoo\Application Data\BitTorrent
2007-10-18 20:05 100,475 ----a-w C:\WINDOWS\UninstallFirefox.exe
.

((((((((((((((((((((((((((((( snapshot@2007-12-28_ 6.46.17.87 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-23 22:54:58 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-12-28 01:02:36 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
- 2007-12-26 00:54:46 4,202,496 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2007-12-28 04:57:34 4,202,496 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
- 2007-12-26 00:54:47 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-28 04:57:34 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2007-12-28 04:45:43 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-12-28 05:36:16 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-12-28 04:45:43 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-12-28 05:36:16 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-12-28 04:45:43 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-28 05:36:45 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="RunDll32 cmicnfg.cpl" []
"NvCplDaemon"="RUNDLL32.exe" [2001-08-23 14:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2006-10-22 11:22 C:\WINDOWS\system32\nwiz.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;C:\Documents and Settings\Kaidoo\Desktop\moon\IlvMoney1055.sys [2007-07-27 20:31]

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 07:36:43
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

#10 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 28 December 2007 - 12:51 AM

Something we can't see is prolly re-spawning these things...

Download Gmer from here:

http://www.gmer.net/gmer.zip

Unzip it.
Disconnect from the internet & shut down your antivirus to prevent conflicts.
Shut down also any other unneeded apps, including any open browser windows.
The less stuff we've got running, the less chance of false positives in the log.
Double click gmer.exe to run it.
Allow the driver to install if asked (gmer.sys).
You may get a warning at program start that there is possible rootkit activity, asking whether you want to run a scan.

Say OK to run scan.
If no warning, just click "scan".
Let the scan finish.
Once done press "copy"
Open notepad> press "ctrl+v" to paste log.
Save log.

Re-enable your antivirus, re-connect to internet & post that log here

If the log is too big to post then zip it and attach it here.

Thanks
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#11 kaido

kaido
  • Topic Starter

  • Members
  • 62 posts

Posted 28 December 2007 - 01:05 AM

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-12-28 08:03:15
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.13 ----

SSDT sptd.sys ZwCreateKey
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT sptd.sys ZwOpenKey
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT sptd.sys ZwSetValueKey

---- Kernel code sections - GMER 1.0.13 ----

.text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [ 06 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1B0 8050262C 4 Bytes [ D0, 10, 5A, F7 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 228 805026A4 4 Bytes [ 2C, 6E, 5A, F7 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 230 805026AC 4 Bytes [ BA, 71, 5A, F7 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 2E8 80502764 4 Bytes [ B0, 10, 5A, F7 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 38C 80502808 4 Bytes [ 92, 72, 5A, F7 ]
.text ...
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? ComboFix.sys The system cannot find the file specified.
.text USBPORT.SYS!DllUnload F6EBAF88 5 Bytes JMP 826AA1C8
? C:\DOCUME~1\Kaidoo\LOCALS~1\Temp\catchme.sys The system cannot find the file specified.
.text ntdll.dll!NtCreateSection 77F75A21 1 Byte [ E9 ]
.text ntdll.dll!NtCreateSection + 2 77F75A23 3 Bytes [ 12, 0C, FA ]

---- User code sections - GMER 1.0.13 ----

.text C:\DOCUME~1\Kaidoo\LOCALS~1\Temp\Rar$EX00.609\gmer.exe[3384] ntdll.dll!NtCreateSection 77F75A21 1 Byte [ E9 ]
.text C:\DOCUME~1\Kaidoo\LOCALS~1\Temp\Rar$EX00.609\gmer.exe[3384] ntdll.dll!NtCreateSection + 2 77F75A23 3 Bytes [ 12, 0C, FA ]

---- Kernel IAT/EAT - GMER 1.0.13 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!IoConnectInterrupt] [F75B7886] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F75B7832] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F75D9892] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F75B7886] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F75A1AD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F75A1C1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F75A1B9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F75A2748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F75A261E] sptd.sys
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F75B6ACA] sptd.sys

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 827DF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE 827DF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 827DF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE 827DF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION 827DF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION 827DF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA 827DF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA 827DF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS 827DF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 827DF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION 827DF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL 827DF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 827DF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL 827DF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN 827DF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL 827DF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP 827DF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY 827DF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY 827DF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA 827DF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA 827DF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_PNP 827DF1E8
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_CREATE 826A91E8
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_CLOSE 826A91E8
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_DEVICE_CONTROL 826A91E8
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 826A91E8
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_POWER 826A91E8
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_SYSTEM_CONTROL 826A91E8
Device \Driver\usbohci \Device\USBPDO-0 IRP_MJ_PNP 826A91E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CREATE 827711E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CLOSE 827711E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_READ 827711E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_WRITE 827711E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_FLUSH_BUFFERS 827711E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_DEVICE_CONTROL 827711E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_INTERNAL_DEVICE_CONTROL 827711E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SHUTDOWN 827711E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_POWER 827711E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SYSTEM_CONTROL 827711E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_PNP 827711E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CREATE 827711E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CLOSE 827711E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_READ 827711E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_WRITE 827711E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_FLUSH_BUFFERS 827711E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_DEVICE_CONTROL 827711E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_INTERNAL_DEVICE_CONTROL 827711E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SHUTDOWN 827711E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_POWER 827711E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SYSTEM_CONTROL 827711E8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_PNP 827711E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CREATE 827711E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CLOSE 827711E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_READ 827711E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_WRITE 827711E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_FLUSH_BUFFERS 827711E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_DEVICE_CONTROL 827711E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_INTERNAL_DEVICE_CONTROL 827711E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SHUTDOWN 827711E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_POWER 827711E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SYSTEM_CONTROL 827711E8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_PNP 827711E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CREATE 827711E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CLOSE 827711E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_READ 827711E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_WRITE 827711E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_FLUSH_BUFFERS 827711E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_DEVICE_CONTROL 827711E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_INTERNAL_DEVICE_CONTROL 827711E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SHUTDOWN 827711E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_POWER 827711E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SYSTEM_CONTROL 827711E8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_PNP 827711E8
Device \Driver\usbohci \Device\USBPDO-1 IRP_MJ_CREATE 826A91E8
Device \Driver\usbohci \Device\USBPDO-1 IRP_MJ_CLOSE 826A91E8
Device \Driver\usbohci \Device\USBPDO-1 IRP_MJ_DEVICE_CONTROL 826A91E8
Device \Driver\usbohci \Device\USBPDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL 826A91E8
Device \Driver\usbohci \Device\USBPDO-1 IRP_MJ_POWER 826A91E8
Device \Driver\usbohci \Device\USBPDO-1 IRP_MJ_SYSTEM_CONTROL 826A91E8
Device \Driver\usbohci \Device\USBPDO-1 IRP_MJ_PNP 826A91E8
Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_CREATE 826921E8
Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_CLOSE 826921E8
Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_DEVICE_CONTROL 826921E8
Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_INTERNAL_DEVICE_CONTROL 826921E8
Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_POWER 826921E8
Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_SYSTEM_CONTROL 826921E8
Device \Driver\usbehci \Device\USBPDO-2 IRP_MJ_PNP 826921E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 827E11E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ 827E11E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE 827E11E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS 827E11E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL 827E11E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL 827E11E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN 827E11E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP 827E11E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER 827E11E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL 827E11E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_PNP 827E11E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 826B51E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 826B51E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 826B51E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 826B51E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 826B51E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 826B51E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 826B51E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 826B51E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 826B51E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 826B51E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 826B51E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{D0293C35-6A3A-423B-9411-E14FEF5C4837} IRP_MJ_CREATE 824E61E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{D0293C35-6A3A-423B-9411-E14FEF5C4837} IRP_MJ_CLOSE 824E61E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{D0293C35-6A3A-423B-9411-E14FEF5C4837} IRP_MJ_DEVICE_CONTROL 824E61E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{D0293C35-6A3A-423B-9411-E14FEF5C4837} IRP_MJ_INTERNAL_DEVICE_CONTROL 824E61E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{D0293C35-6A3A-423B-9411-E14FEF5C4837} IRP_MJ_CLEANUP 824E61E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{D0293C35-6A3A-423B-9411-E14FEF5C4837} IRP_MJ_PNP 824E61E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 824E61E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLOSE 824E61E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_DEVICE_CONTROL 824E61E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_INTERNAL_DEVICE_CONTROL 824E61E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLEANUP 824E61E8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_PNP 824E61E8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 824E61E8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLOSE 824E61E8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_DEVICE_CONTROL 824E61E8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_INTERNAL_DEVICE_CONTROL 824E61E8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CLEANUP 824E61E8
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_PNP 824E61E8
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_CREATE 826A91E8
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_CLOSE 826A91E8
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_DEVICE_CONTROL 826A91E8
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL 826A91E8
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_POWER 826A91E8
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_SYSTEM_CONTROL 826A91E8
Device \Driver\usbohci \Device\USBFDO-0 IRP_MJ_PNP 826A91E8
Device \Driver\usbohci \Device\USBFDO-1 IRP_MJ_CREATE 826A91E8
Device \Driver\usbohci \Device\USBFDO-1 IRP_MJ_CLOSE 826A91E8
Device \Driver\usbohci \Device\USBFDO-1 IRP_MJ_DEVICE_CONTROL 826A91E8
Device \Driver\usbohci \Device\USBFDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL 826A91E8
Device \Driver\usbohci \Device\USBFDO-1 IRP_MJ_POWER 826A91E8
Device \Driver\usbohci \Device\USBFDO-1 IRP_MJ_SYSTEM_CONTROL 826A91E8
Device \Driver\usbohci \Device\USBFDO-1 IRP_MJ_PNP 826A91E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSE 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 824D64C8
Device \Driver\usbehci \Device\USBFDO-2 IRP_MJ_CREATE 826921E8
Device \Driver\usbehci \Device\USBFDO-2 IRP_MJ_CLOSE 826921E8
Device \Driver\usbehci \Device\USBFDO-2 IRP_MJ_DEVICE_CONTROL 826921E8
Device \Driver\usbehci \Device\USBFDO-2 IRP_MJ_INTERNAL_DEVICE_CONTROL 826921E8
Device \Driver\usbehci \Device\USBFDO-2 IRP_MJ_POWER 826921E8
Device \Driver\usbehci \Device\USBFDO-2 IRP_MJ_SYSTEM_CONTROL 826921E8
Device \Driver\usbehci \Device\USBFDO-2 IRP_MJ_PNP 826921E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSE 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 824D64C8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 824D64C8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 827E11E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_READ 827E11E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_WRITE 827E11E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_FLUSH_BUFFERS 827E11E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_DEVICE_CONTROL 827E11E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_INTERNAL_DEVICE_CONTROL 827E11E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SHUTDOWN 827E11E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CLEANUP 827E11E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_POWER 827E11E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_SYSTEM_CONTROL 827E11E8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_PNP 827E11E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 824C21E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE 824C21E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 824C21E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION 824C21E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION 824C21E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION 824C21E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL 824C21E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL 824C21E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL 824C21E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN 824C21E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL 824C21E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP 824C21E8
Device \FileSystem\Cdfs \Cdfs IRP_MJ_PNP 824C21E8

---- Files - GMER 1.0.13 ----

ADS C:\Documents and Settings\Kaidoo\Local Settings\Application Data\Microsoft\Messenger\m2nguhull@hotmail.com\SharingMetadata\mailys79@hotmail.com\DFSR\Staging\CS{63972957-5E7C-6091-AB99-9DB91249A11E}\01\11-{63972957-5E7C-6091-AB99-9DB91249A11E}-v1-{DC933A14-B7AC-415C-8C2D-9B255788F3FD}-v11-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\Kaidoo\Local Settings\Application Data\Microsoft\Messenger\m2nguhull@hotmail.com\SharingMetadata\mkaabakas@hotmail.com\DFSR\Staging\CS{EC93CBF1-28DA-3B1E-8EA7-38E70B400A78}\01\10-{EC93CBF1-28DA-3B1E-8EA7-38E70B400A78}-v1-{DC933A14-B7AC-415C-8C2D-9B255788F3FD}-v10-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

---- EOF - GMER 1.0.13 ----
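
As an added example (not code from the thread, from GMER, or from anyone posting here), the script below is a small triage helper for the kind of GMER log posted above: it parses the SSDT, kernel IAT and hooked-device lines and summarises which module owns each hook, which is the first question a reviewer asks of such output. The sample log embedded in it is constructed to mirror the shape of the posted lines, `example.sys` is a made-up module name, and the allow-list of expected hook owners is the example's own assumption.

```python
"""Triage helper for GMER rootkit-scanner output (added example for this thread).

Parses the three hook families in a GMER log (SSDT hooks, kernel IAT hooks and
hooked device dispatch entries) and summarises who owns each hook.
"""
import re
from collections import Counter, defaultdict

# Constructed sample in the same shape as the posted log. The module
# \SystemRoot\system32\DRIVERS\example.sys is a made-up name used to show how
# an owner outside the allow-list is surfaced.
SAMPLE_LOG = r"""---- System - GMER 1.0.13 ----
SSDT sptd.sys ZwCreateKey
SSDT sptd.sys ZwOpenKey
SSDT \SystemRoot\system32\DRIVERS\example.sys ZwQueryDirectoryFile

---- Kernel IAT/EAT - GMER 1.0.13 ----
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F75B7832] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F75A1AD4] sptd.sys

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 827DF1E8
Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 827DF1E8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 826B51E8

---- EOF - GMER 1.0.13 ----
"""

# SSDT <owning module> <Zw function>
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(\S+)$")
# IAT <importing driver>[<dll>!<import>] [<hex address>] <owning module>
IAT_RE = re.compile(r"^IAT\s+(\S+?)\[([^\]]+)\]\s+\[([0-9A-Fa-f]+)\]\s+(\S+)$")
# Device <driver object> <device object> <IRP_MJ_*> <hex handler address>
DEVICE_RE = re.compile(r"^Device\s+(\S+)\s+(\S+)\s+(IRP_MJ_\w+)\s+([0-9A-Fa-f]+)$")


def parse_gmer(text):
    """Split a GMER log into its hook tables.

    Returns (ssdt, iat, devices):
      ssdt    : owning module -> list of hooked Zw* functions
      iat     : owning module -> list of (importing driver, "dll!import")
      devices : (driver, device) -> handler address -> list of IRP_MJ_* codes
    Lines that are not one of the three hook families are ignored.
    """
    ssdt = defaultdict(list)
    iat = defaultdict(list)
    devices = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            ssdt[m.group(1)].append(m.group(2))
            continue
        m = IAT_RE.match(line)
        if m:
            iat[m.group(4)].append((m.group(1), m.group(2)))
            continue
        m = DEVICE_RE.match(line)
        if m:
            drv, dev, irp, addr = m.groups()
            devices[(drv, dev)][addr.upper()].append(irp)
    return ssdt, iat, devices


def hook_owners(text):
    """SSDT and IAT hook counts per owning module, most hooks first."""
    ssdt, iat, _ = parse_gmer(text)
    counts = Counter()
    for module, funcs in ssdt.items():
        counts[module] += len(funcs)
    for module, imports in iat.items():
        counts[module] += len(imports)
    return counts.most_common()


def device_hook_targets(text):
    """Distinct handler addresses per hooked device object.

    One address shared by every IRP_MJ_* entry on a device (as for the Ntfs
    device in the log above) means a single routine now fronts the whole
    dispatch table; a legitimate filter and a rootkit look alike at this level.
    """
    _, _, devices = parse_gmer(text)
    return {f"{drv} {dev}": sorted(addrs) for (drv, dev), addrs in devices.items()}


def unexpected_owners(text, allow_list=("sptd.sys",)):
    """Hook owners whose file name is not on the reviewer's allow-list.

    The default allow-list is this example's assumption: sptd.sys is the SCSI
    pass-through driver installed by Daemon Tools / Alcohol 120% and is known
    to hook registry Zw* entries and storage-driver imports. Confirm that the
    software is actually installed on the host before accepting it.
    """
    allowed = {a.lower() for a in allow_list}
    return [m for m, _ in hook_owners(text)
            if m.rsplit("\\", 1)[-1].lower() not in allowed]


if __name__ == "__main__":
    for module, n in hook_owners(SAMPLE_LOG):
        print(f"{n:3d} hook(s) owned by {module}")
    for target, addrs in device_hook_targets(SAMPLE_LOG).items():
        print(f"{target}: handlers {', '.join(addrs)}")
    print("outside allow-list:", unexpected_owners(SAMPLE_LOG))
```

Run against the full log posted above, every SSDT and IAT entry resolves to sptd.sys and each hooked device object reports one handler address across all of its IRP_MJ_* entries; the script only organises that picture, and whether sptd.sys belongs on the machine still has to be judged against what is installed on it.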

#12 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 28 December 2007 - 01:18 AM

Download:

http://www.kztechs.com/sreng/sreng2.zip

Unzip the file to its own folder.
Open sreng2 folder and double click SREngPS.exe and allow it to run.
Checkmark to verify file signatures
Leave other settings as is and click "smart scan"
Wait till scan is done.
Once finished click "save reports"
Save the report someplace handy.

Copy/paste the contents of SREng.log back here.

Thanks

#13 kaido

kaido
  • Topic Starter

  • Members
  • 62 posts

Posted 28 December 2007 - 01:32 AM

2007-12-28,08:30:49



System Repair Engineer 2.5.16.900

Smallfrogs (http://www.KZTechs.com)



Windows XP Professional Service Pack 1 (Build 2600) - Administrative User - Completed Functions Allowed



Follow item(s) have been choosed:

	All Boot Items (Including Registry, Startup Folders, Services and so on)

	Browser Add-ons

	Runing Processes (Including process model information)

	File Associations

	Winsock Provider

	Autorun.Inf

	HOSTS File

	Process Privileges Scan





Boot Items

Registry

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

	<Cmaudio><RunDll32 cmicnfg.cpl,CMICtrlWnd>  [N/A]

	<NvCplDaemon><RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup>  [(Verified)Microsoft Windows Hardware Compatibility Publisher]

	<nwiz><nwiz.exe /install>  []

	<Advanced DHTML Enable><C:\WINDOWS\system\nadlocop.exe>  []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

	<shell><Explorer.exe>  [(Verified)Microsoft Windows XP Publisher]

	<Userinit><C:\WINDOWS\system32\userinit.exe,>  [(Verified)Microsoft Windows XP Publisher]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]

	<AppInit_DLLs><>  [N/A]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

	<UIHost><logonui.exe>  [(Verified)Microsoft Windows XP Publisher]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

	<{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}><C:\Program Files\SUPERAntiSpyware\SASSEH.DLL>  [SuperAdBlocker.com]

	<{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}><C:\WINDOWS\System32\jkkljii.dll>  []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]

	<WinlogonNotify: !SASWinLogon><C:\Program Files\SUPERAntiSpyware\SASWINLO.dll>  [SUPERAntiSpyware.com]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jkkljii]

	<WinlogonNotify: jkkljii><jkkljii.dll>  []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]

	<Internet Explorer><%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE>  [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]

	<Outlook Express><%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE>  [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]

	<Microsoft Windows Media Player 6.4><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT>  [(Verified)Microsoft Windows XP Publisher]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]

	<Themes Setup><%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll>  [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{306D6C21-C1B6-4629-986C-E59E1875B8AF}]

	<N/A><"C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser>  [(Verified)Microsoft Windows XP Publisher]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]

	<Microsoft Outlook Express 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install>  [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]

	<NetMeeting 3.01><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT>  [(Verified)Microsoft Windows XP Publisher]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]

	<Windows Messenger><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser>  [(Verified)Microsoft Windows XP Publisher]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]

	<Microsoft Windows Media Player 8><rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub>  [(Verified)Microsoft Windows XP Publisher]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]

	<Address Book 6><"%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install>  [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]

	<N/A><C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install>  [Microsoft Corporation]



==================================

Startup Folders

[E-Color]

  <C:\Documents and Settings\All Users\Start Menu\Programs\Startup\E-Color.lnk --> C:\Program Files\E-Color\Common\IconMgr.exe [N/A]><N>



==================================

Services

[Human Interface Device Access / HidServ][Stopped/Disabled]

  <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>

[NVIDIA Display Driver Service / NVSvc][Running/Auto Start]

  <C:\WINDOWS\System32\nvsvc32.exe><NVIDIA Corporation>

[Security Restore Services / Security Restore Services][Running/Auto Start]

  <"C:\WINDOWS\system32\svshost.exe"><N/A>



==================================

Drivers

[catchme / catchme][Running/Manual Start]

  <\??\C:\DOCUME~1\Kaidoo\LOCALS~1\Temp\catchme.sys><N/A>

[C-Media WDM Audio Interface / cmuda][Running/Manual Start]

  <system32\drivers\cmuda.sys><C-Media Inc>

[IlvMoneyDRIVER53 / IlvMoneyDRIVER53][Stopped/Manual Start]

  <\??\C:\Documents and Settings\Kaidoo\Desktop\moon\IlvMoney1055.sys><N/A>

[NPPTNT2 / NPPTNT2][Stopped/Manual Start]

  <\??\C:\WINDOWS\System32\npptNT2.sys><INCA Internet Co., Ltd.>

[nv / nv][Running/Manual Start]

  <System32\DRIVERS\nv4_mini.sys><NVIDIA Corporation>

[Direct Parallel Link Driver / Ptilink][Running/Manual Start]

  <System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>

[PxHelp20 / PxHelp20][Running/Boot Start]

  <\SystemRoot\System32\Drivers\PxHelp20.sys><Sonic Solutions>

[SASDIFSV / SASDIFSV][Running/System Start]

  <\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS><>

[SASENUM / SASENUM][Stopped/Manual Start]

  <\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS><SuperAdBlocker, Inc.>

[SASKUTIL / SASKUTIL][Running/System Start]

  <\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys><>

[Secdrv / Secdrv][Running/Auto Start]

  <System32\DRIVERS\secdrv.sys><Macrovision Europe Ltd>

[SiS PCI Fast Ethernet Adapter Driver / SISNIC][Running/Manual Start]

  <System32\DRIVERS\sisnic.sys><SiS Corporation>

[sptd / sptd][Running/Boot Start]

  <\SystemRoot\System32\Drivers\sptd.sys><N/A>



==================================

Browser Add-ons

[AcroIEHlprObj Class]

  {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx, >

[Windows Live Sign-in Helper]

  {9030D464-4C02-4ABF-8ECC-5164760863C6} <C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll, Microsoft Corporation>

[&Radio]

  {8E718888-423F-11D2-876E-00A0C9082467} <C:\WINDOWS\System32\msdxm.ocx, >

[CKAVWebScan Object]

  {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} <C:\WINDOWS\System32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll, Kaspersky Lab>

[Shockwave ActiveX Control]

  {166B1BCA-3F9C-11CF-8075-444553540000} <C:\WINDOWS\System32\macromed\Director\SwDir.dll, Adobe Systems, Inc.>

[WUWebControl Class]

  {6414512B-B978-451D-A0D8-FCFDF33E833C} <C:\WINDOWS\System32\wuweb.dll, Microsoft Corporation>

[MUWebControl Class]

  {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} <C:\WINDOWS\System32\muweb.dll, Microsoft Corporation>

[VideoEgg ActiveX Loader]

  {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} <C:\Documents and Settings\Kaidoo\Application Data\VideoEgg\Loader\4665\npvideoegg-loader.dll,  >

[Shockwave Flash Object]

  {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\System32\Macromed\Flash\Flash9d.ocx, Adobe Systems, Inc.>



==================================

Running Processes

[PID: 552 / SYSTEM][\SystemRoot\System32\smss.exe]  [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]

[PID: 600 / SYSTEM][\??\C:\WINDOWS\system32\csrss.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]

[PID: 624 / SYSTEM][\??\C:\WINDOWS\system32\winlogon.exe]  [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]

	[C:\Program Files\SUPERAntiSpyware\SASWINLO.dll]  [SUPERAntiSpyware.com, 1, 0, 0, 1046]

	[C:\WINDOWS\System32\jkkljii.dll]  [N/A, ]

	[C:\WINDOWS\System32\hgghefe.dll]  [N/A, ]

	[C:\WINDOWS\System32\awtrrsq.dll]  [N/A, ]

	[C:\WINDOWS\System32\yayayyw.dll]  [N/A, ]

[PID: 688 / SYSTEM][C:\WINDOWS\system32\services.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]

[PID: 700 / SYSTEM][C:\WINDOWS\system32\lsass.exe]  [Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]

[PID: 864 / SYSTEM][C:\WINDOWS\system32\svchost.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]

[PID: 924 / SYSTEM][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]

[PID: 1004 / NETWORK SERVICE][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]

[PID: 1040 / LOCAL SERVICE][C:\WINDOWS\System32\svchost.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]

[PID: 1244 / SYSTEM][C:\WINDOWS\system32\spoolsv.exe]  [Microsoft Corporation, 5.1.2600.0 (XPClient.010817-1148)]

[PID: 1452 / Kaidoo][C:\WINDOWS\Explorer.EXE]  [Microsoft Corporation, 6.00.2800.1106 (xpsp1.020828-1920)]

	[C:\WINDOWS\System32\jkkljii.dll]  [N/A, ]

	[C:\Program Files\SUPERAntiSpyware\SASCTXMN.DLL]  [SUPERAntiSpyware.com, 1, 0, 0, 1004]

	[C:\Program Files\WinRAR\rarext.dll]  [N/A, ]

	[C:\Program Files\PowerISO\PWRISOSH.DLL]  [PowerISO Computing, Inc., 3, 8, 0, 0]

	[C:\Program Files\SUPERAntiSpyware\SASSEH.DLL]  [SuperAdBlocker.com, 1, 0, 0, 1008]

	[C:\WINDOWS\System32\nvcpl.dll]  [NVIDIA Corporation, 6.14.10.9371]

	[C:\WINDOWS\System32\nvapi.dll]  [N/A, ]

	[C:\WINDOWS\System32\nvshell.dll]  [, ]

[PID: 1580 / SYSTEM][C:\WINDOWS\System32\nvsvc32.exe]  [NVIDIA Corporation, 6.14.10.9371]

	[C:\WINDOWS\System32\nvapi.dll]  [N/A, ]

[PID: 1640 / LOCAL SERVICE][C:\WINDOWS\System32\wdfmgr.exe]  [Microsoft Corporation, 5.2.3790.1230 built by: dnsrv(bld4act)]

[PID: 908 / Kaidoo][C:\WINDOWS\System32\RunDll32.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]

	[C:\WINDOWS\system\cmicnfg.cpl]  [C-Media Corporation, 1, 0, 41, 2]

	[C:\WINDOWS\System32\udaprop.dll]  [C-Media Corporation, 1.0.2.2]

	[C:\Program Files\SUPERAntiSpyware\SASSEH.DLL]  [SuperAdBlocker.com, 1, 0, 0, 1008]

	[C:\WINDOWS\System32\jkkljii.dll]  [N/A, ]

[PID: 392 / SYSTEM][C:\WINDOWS\system32\svshost.exe]  [N/A, ]

[PID: 3300 / Kaidoo][C:\Program Files\Internet Explorer\IEXPLORE.EXE]  [Microsoft Corporation, 6.00.2800.1106 (xpsp1.020828-1920)]

	[C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx]  [, 1, 0, 0, 1]

[PID: 3360 / Kaidoo][C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe]  [Microsoft Corporation, 4.100.313.1]

[PID: 420 / SYSTEM][C:\WINDOWS\system32\cmd.exe]  [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]

[PID: 1192 / Kaidoo][C:\Program Files\Internet Explorer\IEXPLORE.EXE]  [Microsoft Corporation, 6.00.2800.1106 (xpsp1.020828-1920)]

	[C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx]  [, 1, 0, 0, 1]

	[C:\WINDOWS\System32\Macromed\Flash\Flash9d.ocx]  [Adobe Systems, Inc., 9,0,47,0]

	[C:\WINDOWS\System32\jkkljii.dll]  [N/A, ]

[PID: 304 / Kaidoo][C:\Program Files\Winamp\winamp.exe]  [Nullsoft, 5,5,1,1763]

	[C:\Program Files\Winamp\tataki.dll]  [N/A, ]

	[C:\Program Files\Winamp\NSCRT.dll]  [Nullsoft, Inc., 7.10.0000]

	[C:\Program Files\Winamp\System\aacPlusDecoder.w5s]  [N/A, ]

	[C:\Program Files\Winamp\System\bmp.w5s]  [N/A, ]

	[C:\Program Files\Winamp\System\dlmgr.w5s]  [N/A, ]

	[C:\Program Files\Winamp\System\filereader.w5s]  [N/A, ]

	[C:\Program Files\Winamp\System\gif.w5s]  [N/A, ]

	[C:\Program Files\Winamp\System\gracenote.w5s]  [N/A, ]

	[C:\Program Files\Winamp\System\jnetlib.w5s]  [N/A, ]

	[C:\Program Files\Winamp\System\jpeg.w5s]  [N/A, ]

	[C:\Program Files\Winamp\System\playlist.w5s]  [N/A, ]

	[C:\Program Files\Winamp\System\png.w5s]  [N/A, ]

	[C:\Program Files\Winamp\System\tagz.w5s]  [N/A, ]

	[C:\Program Files\Winamp\System\xml.w5s]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\in_cdda.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\in_dshow.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\in_flac.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\in_flv.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\in_linein.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\in_midi.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\in_mod.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\in_mp3.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\in_mp4.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\in_nsv.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\in_vorbis.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\in_wave.dll]  [N/A, ]

	[C:\Program Files\Winamp\libsndfile.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\in_wm.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\out_disk.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\out_ds.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\out_wave.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\gen_ff.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\freeform\wacs\freetype\freetype.wac]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\gen_hotkeys.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\gen_jumpex.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\gen_ml.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\ml_dash.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\ml_nowplaying.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\ml_local.dll]  [N/A, ]

	[C:\Program Files\Winamp\nde.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\ml_orb.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\ml_playlists.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\ml_online.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\ml_wire.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\ml_disc.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\ml_pmp.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\pmp_ipod.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\pmp_njb.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\pmp_p4s.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\pmp_usb.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\ml_bookmarks.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\ml_history.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\ml_autotag.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\ml_plg.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\ml_rg.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\ml_transcode.dll]  [N/A, ]

	[C:\Program Files\Winamp\Plugins\gen_tray.dll]  [N/A, ]

[PID: 2608 / Kaidoo][C:\Documents and Settings\Kaidoo\Desktop\New Folder\SREngPS.EXE]  [Smallfrogs Studio, 2.5.16.900]

	[C:\Documents and Settings\Kaidoo\Desktop\New Folder\Upload\3rdUpd.DLL]  [Smallfrogs Studio, 2, 1, 0, 15]



==================================

File Associations

.TXT  OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]

.EXE  OK. ["%1" %*]

.COM  OK. ["%1" %*]

.PIF  OK. ["%1" %*]

.REG  OK. [regedit.exe "%1"]

.BAT  OK. ["%1" %*]

.SCR  OK. ["%1" /S]

.CHM  OK. ["C:\WINDOWS\hh.exe" %1]

.HLP  OK. [%SystemRoot%\System32\winhlp32.exe %1]

.INI  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]

.INF  OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]

.VBS  OK. [%SystemRoot%\System32\WScript.exe "%1" %*]

.JS   OK. [%SystemRoot%\System32\WScript.exe "%1" %*]

.LNK  OK. [{00021401-0000-0000-C000-000000000046}]



==================================

Winsock Provider

N/A



==================================

Autorun.Inf

N/A



==================================

HOSTS File

127.0.0.1	localhost

127.0.0.1	www.symantec.com

127.0.0.1	securityresponse.symantec.com

127.0.0.1	downloads1.kaspersky-labs.com

127.0.0.1	downloads2.kaspersky-labs.com

127.0.0.1	downloads3.kaspersky-labs.com

127.0.0.1	downloads4.kaspersky-labs.com

127.0.0.1	downloads5.kaspersky-labs.com

127.0.0.1	www.kaspersky-labs.com

127.0.0.1	symantec.com

127.0.0.1	www.sophos.com

127.0.0.1	sophos.com

127.0.0.1	www.mcafee.com

127.0.0.1	mcafee.com

127.0.0.1	liveupdate.symantecliveupdate.com

127.0.0.1	www.viruslist.com

127.0.0.1	viruslist.com

127.0.0.1	viruslist.com

127.0.0.1	f-secure.com

127.0.0.1	www.f-secure.com

127.0.0.1	kaspersky.com

127.0.0.1	www.avp.com

127.0.0.1	www.kaspersky-labs.com

127.0.0.1	avp.com

127.0.0.1	www.networkassociates.com

127.0.0.1	networkassociates.com

127.0.0.1	www.ca.com

127.0.0.1	ca.com

127.0.0.1	mast.mcafee.com

127.0.0.1	my-etrust.com

127.0.0.1	www.my-etrust.com

127.0.0.1	download.mcafee.com

127.0.0.1	dispatch.mcafee.com

127.0.0.1	secure.nai.com

127.0.0.1	nai.com

127.0.0.1	www.nai.com

127.0.0.1	update.symantec.com

127.0.0.1	updates.symantec.com

127.0.0.1	us.mcafee.com

127.0.0.1	liveupdate.symantec.com

127.0.0.1	customer.symantec.com

127.0.0.1	rads.mcafee.com

127.0.0.1	trendmicro.com

127.0.0.1	www.trendmicro.com

127.0.0.1	vncsvr.com

127.0.0.1	secdreg.org

127.0.0.1	virusscan.jotti.org

127.0.0.1	virustotal.com

127.0.0.1	www.virustotal.com

127.0.0.1	www.jotti.org

127.0.0.1	cdn.atwola.com

127.0.0.1	www.atwola.com

127.0.0.1	support.microsoft.com

127.0.0.1	symantec.com

127.0.0.1	update.symantec.com

127.0.0.1	updates.symantec.com

127.0.0.1	us.mcafee.com

127.0.0.1	vil.nai.com

127.0.0.1	viruslist.ru

127.0.0.1	windowsupdate.microsoft.com

127.0.0.1	www.avp.ch

127.0.0.1	www.avp.com

127.0.0.1	www.avp.ru

127.0.0.1	www.awaps.net

127.0.0.1	www.ca.com

127.0.0.1	www.fastclick.net

127.0.0.1	www.f-secure.com

127.0.0.1	www.kaspersky.ru

127.0.0.1	www.mcafee.com

127.0.0.1	www.my-etrust.com

127.0.0.1	www.nai.com

127.0.0.1	www.networkassociates.com

127.0.0.1	www.sophos.com

127.0.0.1	www.symantec.com

127.0.0.1	www.trendmicro.com

127.0.0.1	www.viruslist.ru

127.0.0.1	www3.ca.com

127.0.0.1	www.advancedcleaner.com

127.0.0.1	advancedcleaner.com

127.0.0.1	secure.advancedcleaner.com

127.0.0.1	protect.advancedcleaner.com

127.0.0.1	jsp.advancedcleaner.com

127.0.0.1	liveupdatesnet.com

127.0.0.1	www.liveupdatesnet.com

127.0.0.1	theinstalls.com

127.0.0.1	www.theinstalls.com

127.0.0.1	allofyouwant.com

127.0.0.1	www.here4search.biz

127.0.0.1	here4search.biz

127.0.0.1	www.smart-security.biz

127.0.0.1	smart-security.biz

127.0.0.1	www.searchmeup.biz

127.0.0.1	searchmeup.biz

127.0.0.1	www.iwantsearch.net

127.0.0.1	iwantsearch.net

127.0.0.1	www.wideportal.net

127.0.0.1	wideportal.net

127.0.0.1	calc.avsystemcare.com

127.0.0.1	avsystemcare.com

127.0.0.1	content.onerateld.com

127.0.0.1	www.onerateld.com

127.0.0.1	protect.trustedantivirus.com

127.0.0.1	www.trustedantivirus.com

127.0.0.1	iwantsearch.net

127.0.0.1	www.iwantsearch.net

127.0.0.1	mediacount.net

127.0.0.1	www.mediacount.net

127.0.0.1	bin.errorprotector.com

127.0.0.1	www.errorprotector.com

127.0.0.1	br.errorsafe.com

127.0.0.1	www.errorsafe.com

127.0.0.1	br.winantivirus.com

127.0.0.1	www.winantivirus.com

127.0.0.1	br.winfixer.com

127.0.0.1	www.winfixer.com

127.0.0.1	cdn.drivecleaner.com

127.0.0.1	www.drivecleaner.com

127.0.0.1	cdn.errorsafe.com

127.0.0.1	www.errorsafe.com

127.0.0.1	cdn.winsoftware.com

127.0.0.1	www.winsoftware.com

127.0.0.1	de.errorsafe.com

127.0.0.1	www.errorsafe.com

127.0.0.1	de.winantivirus.com

127.0.0.1	www.winantivirus.com

127.0.0.1	download.cdn.drivecleaner.com

127.0.0.1	download.cdn.errorsafe.com

127.0.0.1	download.cdn.winsoftware.com

127.0.0.1	download.errorsafe.com

127.0.0.1	download.systemdoctor.com

127.0.0.1	download.winantispyware.com

127.0.0.1	download.windrivecleaner.com

127.0.0.1	download.winfixer.com

127.0.0.1	drivecleaner.com

127.0.0.1	dynamique.drivecleaner.com

127.0.0.1	errorprotector.com

127.0.0.1	errorsafe.com

127.0.0.1	es.winantivirus.com

127.0.0.1	fr.winantivirus.com

127.0.0.1	fr.winfixer.com

127.0.0.1	go.drivecleaner.com

127.0.0.1	go.errorsafe.com

127.0.0.1	go.winantispyware.com

127.0.0.1	go.winantivirus.com

127.0.0.1	hk.winantivirus.com

127.0.0.1	instlog.errorsafe.com

127.0.0.1	instlog.winantivirus.com

127.0.0.1	instlog.winfixer.com

127.0.0.1	jsp.drivecleaner.com

127.0.0.1	kb.errorsafe.com

127.0.0.1	kb.winantivirus.com

127.0.0.1	nl.errorsafe.com

127.0.0.1	se.errorsafe.com

127.0.0.1	secure.drivecleaner.com

127.0.0.1	secure.errorsafe.com

127.0.0.1	secure.winantispam.com

127.0.0.1	secure.winantispy.com

127.0.0.1	secure.winantivirus.com

127.0.0.1	support.winantivirus.com

127.0.0.1	trial.updates.winsoftware.com

127.0.0.1	ulog.winantivirus.com

127.0.0.1	utils.errorsafe.com

127.0.0.1	utils.winantivirus.com

127.0.0.1	utils.winfixer.com

127.0.0.1	winantispyware.com

127.0.0.1	winantivirus.com

127.0.0.1	winfixer.com

127.0.0.1	winfixer2006.com

127.0.0.1	winsoftware.com

127.0.0.1	www.drivecleaner.com

127.0.0.1	www.errorprotector.com

127.0.0.1	www.errorsafe.com

127.0.0.1	www.systemdoctor.com

127.0.0.1	www.utils.winfixer.com

127.0.0.1	www.win-anti-virus-pro.com

127.0.0.1	www.win-virus-pro.com

127.0.0.1	www.winantispam.com

127.0.0.1	www.winantispy.com

127.0.0.1	www.winantispyware.com

127.0.0.1	www.winantivirus.com

127.0.0.1	www.winantiviruspro.com

127.0.0.1	www.windrivecleaner.com

127.0.0.1	www.windrivesafe.com

127.0.0.1	www.winfixer.com

127.0.0.1	www.winfixer2006.com

127.0.0.1	www.winsoftware.com

127.0.0.1	www.usagc.org

127.0.0.1	www.prospywareremover.com

127.0.0.1	prospywareremover.com

127.0.0.1	www.noadware.com--e.com

127.0.0.1	noadware.com--e.com

127.0.0.1	www.wwwadawear.com

127.0.0.1	wwwadawear.com

127.0.0.1	www.free-spyware-scan.org

127.0.0.1	free-spyware-scan.org

127.0.0.1	www.spybotfinder.com

127.0.0.1	spybotfinder.com

127.0.0.1	www.the-spyware-zone.com

127.0.0.1	the-spyware-zone.com

127.0.0.1	www.digitalreservoir.com

127.0.0.1	digitalreservoir.com

127.0.0.1	www.free-spyware.net

127.0.0.1	free-spyware.net

127.0.0.1	www.spyware-control.com

127.0.0.1	spyware-control.com

127.0.0.1	www.computerspywarecheck.com

127.0.0.1	computerspywarecheck.com

127.0.0.1	www.compare-spyware.com

127.0.0.1	compare-spyware.com

127.0.0.1	www.spywareremoval.ws

127.0.0.1	spywareremoval.ws

127.0.0.1	www.ridadware.org

127.0.0.1	ridadware.org

127.0.0.1	www.elimiware.com

127.0.0.1	elimiware.com

127.0.0.1	www.nomorespyware.net

127.0.0.1	nomorespyware.net

127.0.0.1	www.123-spyware-remover.com

127.0.0.1	123-spyware-remover.com

127.0.0.1	www.spyware-adware-removal.net

127.0.0.1	spyware-adware-removal.net

127.0.0.1	www.spytoaster.com

127.0.0.1	spytoaster.com

127.0.0.1	www.spywareno.com

127.0.0.1	spywareno.com

127.0.0.1	www.3bsoftware.com

127.0.0.1	3bsoftware.com

127.0.0.1	www.softwaredoctor.com

127.0.0.1	softwaredoctor.com

127.0.0.1	doubleclick.net

127.0.0.1	doubleclick.com

127.0.0.1	adhostcenter.com

127.0.0.1	adtrade.net

127.0.0.1	www.adcycle.com

127.0.0.1	advertising.com

127.0.0.1	servedby.advertising.com

127.0.0.1	commission-junction.com

127.0.0.1	dayrates.com

127.0.0.1	ad-flow.com

127.0.0.1	ads.ad-flow.com

127.0.0.1	popuptraffic.com

127.0.0.1	fastclick.com

127.0.0.1	fastclick.net

127.0.0.1	adserving.cpxinteractive.com

127.0.0.1	www.usafis.org

127.0.0.1	brazauskas.info

127.0.0.1	centralgate.biz

127.0.0.1	clickfast.biz

127.0.0.1	code.jcash.biz

127.0.0.1	code.trasferimento.biz

127.0.0.1	cyber-search.biz

127.0.0.1	download.accessmedia.tv

127.0.0.1	download.jupitersatellites.biz

127.0.0.1	exeloads.info

127.0.0.1	forlink.biz

127.0.0.1	game4all.biz

127.0.0.1	get-access.host.sk

127.0.0.1	musah.info

127.0.0.1	picshunter.us

127.0.0.1	prevedtraf.biz

127.0.0.1	search-biz.biz

127.0.0.1	searchx.cc

127.0.0.1	s-pics.biz

127.0.0.1	snow410.info

127.0.0.1	sp2admin.biz

127.0.0.1	traff5all.biz

127.0.0.1	traffbest.biz

127.0.0.1	traffbucks.biz

127.0.0.1	traffmoney.biz

127.0.0.1	ultra-search.biz

127.0.0.1	www.lattefresco.biz

127.0.0.1	www.picshunter.us

127.0.0.1	www.procounter.biz

127.0.0.1	www.searchx.cc

127.0.0.1	www.s-pics.biz

127.0.0.1	www.sp2admin.biz

127.0.0.1	www.spamcatchero.biz

127.0.0.1	www.traff4ppc.biz

127.0.0.1	www.zgallery.us

127.0.0.1	ybbwxlxytz.biz

127.0.0.1	yepjnddqpq.biz

127.0.0.1	yhvoo.eseconsult.info

127.0.0.1	zchxsikpgz.biz

127.0.0.1	zgallery.us

127.0.0.1	mmsk.cn

127.0.0.1	ikaka.com

127.0.0.1	safe.qq.com

127.0.0.1	360safe.com

127.0.0.1	www.mmsk.cn

127.0.0.1	www.ikaka.com

127.0.0.1	tool.ikaka.com

127.0.0.1	www.360safe.com

127.0.0.1	zs.kingsoft.com

127.0.0.1	forum.ikaka.com

127.0.0.1	up.rising.com.cn

127.0.0.1	scan.kingsoft.com

127.0.0.1	kvup.jiangmin.com

127.0.0.1	reg.rising.com.cn

127.0.0.1	update.rising.com.cn

127.0.0.1	update7.jiangmin.com

127.0.0.1	download.rising.com.cn

127.0.0.1	dnl-us1.kaspersky-labs.com

127.0.0.1	dnl-us2.kaspersky-labs.com

127.0.0.1	dnl-us3.kaspersky-labs.com

127.0.0.1	dnl-us4.kaspersky-labs.com

127.0.0.1	dnl-us5.kaspersky-labs.com

127.0.0.1	dnl-us6.kaspersky-labs.com

127.0.0.1	dnl-us7.kaspersky-labs.com

127.0.0.1	dnl-us8.kaspersky-labs.com

127.0.0.1	dnl-us9.kaspersky-labs.com

127.0.0.1	dnl-us10.kaspersky-labs.com

127.0.0.1	dnl-eu1.kaspersky-labs.com

127.0.0.1	dnl-eu2.kaspersky-labs.com

127.0.0.1	dnl-eu3.kaspersky-labs.com

127.0.0.1	dnl-eu4.kaspersky-labs.com

127.0.0.1	dnl-eu5.kaspersky-labs.com

127.0.0.1	dnl-eu6.kaspersky-labs.com

127.0.0.1	dnl-eu7.kaspersky-labs.com

127.0.0.1	dnl-eu8.kaspersky-labs.com

127.0.0.1	dnl-eu9.kaspersky-labs.com

127.0.0.1	dnl-eu10.kaspersky-labs.com

127.0.0.1	inetpc.net

127.0.0.1	mp0.inetpc.net

127.0.0.1	m.proxyisp.info

127.0.0.1	proxyisp.info

127.0.0.1	vncsvr.com

127.0.0.1	ns2.darksheekz.info

127.0.0.1	darksheekz.info

127.0.0.1	server1.oihduhdd.net

127.0.0.1	server2.oihduhdd.net

127.0.0.1	server3.oihduhdd.net

127.0.0.1	server4.oihduhdd.net

127.0.0.1	server5.oihduhdd.net

127.0.0.1	oihduhdd.net

127.0.0.1	hbl.nad123nad.com

127.0.0.1	nad123nad.com

127.0.0.1	s2.gayyree.info

127.0.0.1	gayyree.info

127.0.0.1	ircstyle.net

127.0.0.1	sqlteam.info

127.0.0.1	nadnadzz.info

127.0.0.1	nadsam0.info

127.0.0.1	serv1.alwaysproxy2.info

127.0.0.1	alwaysproxy2.info

127.0.0.1	pcsecuritylab.com

127.0.0.1	liveupdatesnet.com

127.0.0.1	eircd.zief.pl

127.0.0.1	zief.pl

127.0.0.1	proxim.ircgalaxy.pl

127.0.0.1	proxima.ircgalaxy.pl

127.0.0.1	ircgalaxy.pl

127.0.0.1	proxim.ntkrnlpa.info

127.0.0.1	ntkrnlpa.info

127.0.0.1	dep.mvl0an7.com

127.0.0.1	mvl0an7.com

127.0.0.1	russia.blacktiehsbdcs.com

127.0.0.1	jiets.soidudrf.com

127.0.0.1	bti.jeiahsdod.net

127.0.0.1	dirty.eiheihre3.com

127.0.0.1	munirah.nagitiriheiwu.net

127.0.0.1	xabmiphabh.cn

127.0.0.1	xhtrzjwsel.cn

127.0.0.1	digitalwaves.co.nz

127.0.0.1	in1.smtp.messagingengine.com

127.0.0.1	k.gtld-servers.net

127.0.0.1	pool.hybridtx.com

127.0.0.1	studiesgroepmetselen.nl

127.0.0.1	netau.dk

127.0.0.1	dhcp.vncsvr.com



==================================

Process Privileges Scan

Special Privilege Enabled: SeLoadDriverPrivilege [PID = 304, C:\PROGRAM FILES\WINAMP\WINAMP.EXE]



==================================

API HOOK

N/A



==================================

Hidden Process

N/A



==================================
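Three things in the log above are what a responder would pull out first: DLLs with no version resource loaded into winlogon.exe (jkkljii.dll and friends, the classic Winlogon Notify hook), a process named svshost.exe that is one letter away from svchost.exe and runs as SYSTEM with no vendor string, and a HOSTS file that maps antivirus, online-scanner and Windows Update hostnames to 127.0.0.1 so the machine can no longer fetch signatures or reach VirusTotal. The Python below is an added example, not code from this thread, from SREng or from ComboFix; it parses text in the same shape as the "Running Processes" and "HOSTS File" sections and flags those three patterns. The sample lines are a constructed subset of the log, and the list of system binaries and security-vendor domains are assumptions chosen for the example, not a reference list.

```python
"""Triage of an SREng-style process listing and HOSTS dump (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the "Running Processes" section above
# (module lines are tab-indented under their owning process, as in the log).
SAMPLE_PROCESSES = (
    "[PID: 624 / SYSTEM][\\??\\C:\\WINDOWS\\system32\\winlogon.exe]  "
    "[Microsoft Corporation, 5.1.2600.1106 (xpsp1.020828-1920)]\n"
    "\t[C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll]  [SUPERAntiSpyware.com, 1, 0, 0, 1046]\n"
    "\t[C:\\WINDOWS\\System32\\jkkljii.dll]  [N/A, ]\n"
    "[PID: 864 / SYSTEM][C:\\WINDOWS\\system32\\svchost.exe]  "
    "[Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]\n"
    "[PID: 392 / SYSTEM][C:\\WINDOWS\\system32\\svshost.exe]  [N/A, ]\n"
)

# Constructed sample in the shape of the "HOSTS File" section above.
SAMPLE_HOSTS = (
    "127.0.0.1\tlocalhost\n"
    "127.0.0.1\twww.symantec.com\n"
    "127.0.0.1\tliveupdate.symantecliveupdate.com\n"
    "127.0.0.1\twindowsupdate.microsoft.com\n"
    "127.0.0.1\tvirustotal.com\n"
    "127.0.0.1\tdoubleclick.net\n"
)

PROC_RE = re.compile(r"^\[PID: (\d+) / ([^\]]+)\]\[(.+?)\]\s+\[(.*)\]$")
MOD_RE = re.compile(r"^\t\[(.+?)\]\s+\[(.*)\]$")

# Core Windows XP binaries whose names are worth impersonating (assumed list).
KNOWN_SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                         "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}

# Domains whose loopback mapping blocks AV updates or online scanners (assumed list).
SECURITY_DOMAINS = ("symantec.com", "symantecliveupdate.com", "kaspersky-labs.com",
                    "kaspersky.com", "mcafee.com", "sophos.com", "trendmicro.com",
                    "f-secure.com", "microsoft.com", "virustotal.com", "jotti.org")


def _vendor(info: str) -> str:
    """Vendor is the text before the first comma; 'N/A' or blank means no version resource."""
    vendor = info.split(",", 1)[0].strip()
    return "" if vendor in ("", "N/A") else vendor


def parse_processes(text: str) -> List[Dict]:
    """Turn process lines and their tab-indented module lines into a list of process dicts."""
    procs: List[Dict] = []
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            pid, user, path, info = m.groups()
            procs.append({"pid": int(pid), "user": user, "path": path,
                          "vendor": _vendor(info), "modules": []})
            continue
        m = MOD_RE.match(line)
        if m and procs:
            procs[-1]["modules"].append({"path": m.group(1), "vendor": _vendor(m.group(2))})
    return procs


def one_edit_apart(a: str, b: str) -> bool:
    """True when a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def triage_processes(procs: List[Dict]) -> List[str]:
    """Flag lookalike names, unversioned SYSTEM binaries and unversioned DLLs in winlogon.exe."""
    findings = []
    for p in procs:
        name = p["path"].rsplit("\\", 1)[-1].lower()
        if name not in KNOWN_SYSTEM_BINARIES:
            for known in sorted(KNOWN_SYSTEM_BINARIES):
                if one_edit_apart(name, known):
                    findings.append(f"lookalike process {name} (pid {p['pid']}) mimics {known}")
        if not p["vendor"] and p["user"] == "SYSTEM":
            findings.append(f"unversioned binary running as SYSTEM: {p['path']} (pid {p['pid']})")
        if name == "winlogon.exe":
            for mod in p["modules"]:
                if not mod["vendor"]:
                    findings.append(f"unversioned DLL inside winlogon.exe: {mod['path']}")
    return findings


def hosts_sinkholes(text: str) -> List[Tuple[str, str]]:
    """Return (ip, host) pairs that route security-vendor or update hosts to a dead address."""
    hits = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0] not in ("127.0.0.1", "0.0.0.0", "::1"):
            continue
        for host in parts[1:]:
            host = host.lower()
            if host != "localhost" and any(
                    host == d or host.endswith("." + d) for d in SECURITY_DOMAINS):
                hits.append((parts[0], host))
    return hits
```

Running `triage_processes(parse_processes(SAMPLE_PROCESSES))` on the constructed sample returns three findings (the svshost.exe lookalike, the same file as an unversioned SYSTEM process, and jkkljii.dll inside winlogon.exe), and `hosts_sinkholes(SAMPLE_HOSTS)` returns the four vendor and update hostnames while ignoring localhost and the ad domain. The one-edit check is deliberately crude; it catches the svshost/svchost style of impersonation but not, say, a legitimate name placed in the wrong directory, which the path-based rule for unversioned SYSTEM binaries is there to cover.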


#14 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:11:47 PM

Posted 28 December 2007 - 02:12 AM

Sorry I dropped off in chat -- my internet took a little spaz. :thumbsup:

Open notepad and copy/paste the text in the code box below into it:

killall::
file::
C:\WINDOWS\System32\jkkljii.dll
C:\WINDOWS\system32\svshost.exe
C:\WINDOWS\System32\hgghefe.dll
C:\WINDOWS\System32\awtrrsq.dll
C:\WINDOWS\System32\yayayyw.dll
C:\windows\system32\drivers\etc\hosts
c:\msu32.exe
c:\windows\system\zm.exe
c:\windows\system\run.exe
c:\windows\system\nadlocop.exe
c:\windows\system\locop.exe
c:\windows\system\lc.exe
c:\windows\system\helper.exe
c:\windows\system\delnew.exe
c:\windows\system\del.exe
c:\windows\system\dc4all.exe
c:\windows\system32\cjpeg.exe
c:\windows\system32\ielog.dll

driver::
"Security Restore Services"

registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jkkljii]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Advanced DHTML Enable"=-

Save this as CFScript.txt

Disconnect from internet and shut down antispyware.
Drag CFScript.txt on top of ComboFix.exe


Post the new ComboFix.txt please along with a new dss log. (main.txt)

Let me know how system is running.

Thanks
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#15 kaido

kaido
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:05:47 AM

Posted 28 December 2007 - 02:18 AM

ComboFix 07-12-21.4 - Kaidoo 2007-12-28 9:06:06.12 - NTFSx86

Running from: C:\Documents and Settings\Kaidoo\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kaidoo\Desktop\CFScript.txt

FILE
C:\msu32.exe
C:\tcp.exe
C:\WINDOWS\system\dc4all.exe
C:\WINDOWS\system\del.exe
C:\WINDOWS\system\delnew.exe
C:\WINDOWS\system\helper.exe
C:\WINDOWS\system\lc.exe
C:\WINDOWS\system\locop.exe
C:\WINDOWS\system\nadlocop.exe
C:\WINDOWS\system\run.exe
C:\WINDOWS\system\zm.exe
C:\WINDOWS\system32\svshost.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\msu32.exe
C:\tcp.exe
C:\WINDOWS\system\dc4all.exe
C:\WINDOWS\system\del.exe
C:\WINDOWS\system\delnew.exe
C:\WINDOWS\system\helper.exe
C:\WINDOWS\system\lc.exe
C:\WINDOWS\system\locop.exe
C:\WINDOWS\system\nadlocop.exe
C:\WINDOWS\system\run.exe
C:\WINDOWS\system\zm.exe
C:\WINDOWS\system32\awtrrsq.dll
C:\WINDOWS\system32\hgghefe.dll
C:\WINDOWS\system32\jkkljii.dll
C:\WINDOWS\system32\lnnmp.ini
C:\WINDOWS\system32\lnnmp.ini2
C:\WINDOWS\system32\pmnnl.dll
C:\WINDOWS\system32\svshost.exe
C:\WINDOWS\system32\yayayyw.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 )))))))))))))))))))))))))))))))
.

2007-12-28 08:52 . 2007-12-28 09:06 348,160 --a------ C:\WINDOWS\system32\pmnnl.exe
2007-12-28 08:26 . 2007-12-28 08:26 30,720 --a------ C:\WINDOWS\system32\setup_77664.exe
2007-12-28 08:07 . 2007-12-28 08:07 30,720 --a------ C:\WINDOWS\system32\setup_48435.exe
2007-12-28 08:07 . 2007-12-28 08:07 30,720 --a------ C:\WINDOWS\system32\eraseme_66417.exe
2007-12-28 07:56 . 2007-12-28 07:56 250 --a------ C:\WINDOWS\gmer.ini
2007-12-28 07:46 . 2007-12-28 08:26 69 --a------ C:\WINDOWS\system32\i
2007-12-28 07:17 . 2007-12-28 07:17 30,720 --a------ C:\WINDOWS\system32\setup_33200.exe
2007-12-28 07:13 . 2007-12-28 07:13 30,720 --a------ C:\WINDOWS\system32\setup_67473.exe
2007-12-28 07:08 . 2007-12-28 07:34 348,160 --a------ C:\WINDOWS\system32\awtqp.exe
2007-12-28 07:07 . 2007-12-28 07:07 30,720 --a------ C:\WINDOWS\system32\setup_37231.exe
2007-12-28 06:33 . 2007-12-28 06:33 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-28 06:33 . 2007-12-28 06:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-28 06:21 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-12-28 06:21 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-12-28 06:20 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-12-28 06:20 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-12-28 06:20 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2007-12-28 06:20 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-12-28 06:20 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2007-12-28 06:20 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
2007-12-28 06:20 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2007-12-28 06:20 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2007-12-28 06:20 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2007-12-27 13:25 . 2007-12-27 13:25 <DIR> d-------- C:\ijji
2007-12-27 13:24 . 2007-06-21 18:59 58,776 --a------ C:\WINDOWS\system32\ijjiPlugin2.dll
2007-12-27 13:23 . 2007-12-27 13:23 <DIR> d-------- C:\Program Files\NHN USA
2007-12-27 13:23 . 2007-09-27 12:08 692,224 --a------ C:\WINDOWS\system32\ijjiSetup.exe
2007-12-27 12:49 . 2007-12-27 14:19 <DIR> d-------- C:\Program Files\DriftCity
2007-12-27 08:05 . 2007-12-27 08:05 <DIR> d-------- C:\Program Files\C-Media
2007-12-27 06:39 . 2007-12-27 06:39 <DIR> d-------- C:\NVIDIA Display Driver
2007-12-27 04:52 . 2007-12-27 04:52 <DIR> d-------- C:\Program Files\Rockstar Games
2007-12-26 02:58 . 2007-12-26 03:19 <DIR> d-------- C:\Documents and Settings\Kaidoo\DoctorWeb
2007-12-25 21:00 . 2007-12-25 21:00 <DIR> d-------- C:\VundoFix Backups
2007-12-24 04:49 . 2007-12-24 04:49 <DIR> d-------- C:\Program Files\CCleaner
2007-12-24 02:46 . 2007-12-26 02:59 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-24 02:46 . 2007-12-24 02:46 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-24 02:46 . 2007-12-24 02:46 <DIR> d-------- C:\Documents and Settings\Kaidoo\Application Data\SUPERAntiSpyware.com
2007-12-24 02:46 . 2007-12-24 02:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-24 02:28 . 2007-12-24 02:28 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-22 02:54 . 2007-12-22 02:54 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-21 02:28 . 2007-12-25 21:13 13,312 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-11 21:46 . 2007-12-11 21:46 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-12-11 21:46 . 2007-12-11 21:46 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2007-12-11 21:45 . 2007-12-11 21:45 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-12-11 21:45 . 2007-12-11 21:45 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-12-11 21:43 . 2007-12-11 21:43 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-27 12:21 --------- d--h--w C:\Documents and Settings\Kaidoo\Application Data\ijjigame
2007-12-27 11:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-27 11:04 --------- d-----w C:\Program Files\Winamp
2007-12-26 00:59 --------- d-----w C:\Program Files\PowerISO
2007-12-26 00:59 --------- d-----w C:\Program Files\MSN Messenger
2007-12-26 00:43 --------- d-----w C:\Program Files\DivX
2007-12-22 16:20 12,464 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-12-21 23:38 --------- d-----w C:\Program Files\Opera
2007-12-21 23:36 --------- d-----w C:\Program Files\Webteh
2007-12-21 23:36 --------- d-----w C:\Documents and Settings\Kaidoo\Application Data\BSplayer
2007-12-21 01:13 --------- d-----w C:\Program Files\Counter-Strike 1.6
2007-11-20 15:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-16 10:46 --------- d-----w C:\Documents and Settings\Kaidoo\Application Data\VideoEgg
2007-11-11 11:01 --------- d-----w C:\Program Files\Common Files\3DO Shared
2007-11-11 11:00 --------- d-----w C:\Program Files\3DO
2007-11-08 23:32 --------- d-----w C:\Program Files\EA Games
2007-10-28 21:39 --------- d-----w C:\Documents and Settings\Kaidoo\Application Data\BitTorrent
2007-10-18 20:05 100,475 ----a-w C:\WINDOWS\UninstallFirefox.exe
.

((((((((((((((((((((((((((((( snapshot@2007-12-28_ 6.46.17.87 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-12-23 22:54:58 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2007-12-28 01:02:36 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
- 2007-12-26 00:54:46 4,202,496 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2007-12-28 04:57:34 4,202,496 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
- 2007-12-26 00:54:47 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-28 04:57:34 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-28 05:56:36 585,791 ----a-w C:\WINDOWS\gmer.dll
+ 2007-06-29 07:38:18 581,632 ----a-w C:\WINDOWS\gmer.exe
- 2007-12-28 04:45:43 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-12-28 07:08:29 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-12-28 04:45:43 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-12-28 07:08:29 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-12-28 04:45:43 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-28 07:08:29 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-28 05:56:36 70,001 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="RunDll32 cmicnfg.cpl" []
"NvCplDaemon"="RUNDLL32.exe" [2001-08-23 14:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2006-10-22 11:22 C:\WINDOWS\system32\nwiz.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;C:\Documents and Settings\Kaidoo\Desktop\moon\IlvMoney1055.sys []

.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 09:08:55
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0
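The "Files Created" section of the ComboFix log above shows the shape that matters even after the named droppers were deleted: several 30,720-byte executables with random-number names (setup_77664.exe, setup_48435.exe, eraseme_66417.exe, setup_33200.exe) written into system32 within about an hour of each other, each with a creation time equal to its last-write time, which is what a file downloaded and written in place looks like, whereas the Windows Update DLLs next to them carry an older last-write date from the update package. The Python below is an added example, not ComboFix's own code or any tool from the thread; it parses lines in that listing's format and groups executables by directory and size to surface such clusters. The sample lines are a constructed subset of the log, and reading the two timestamps as "created . last-written" and the `word_digits.ext` name pattern are assumptions made for the example.

```python
"""Cluster same-size, freshly written executables in a ComboFix "Files Created" listing (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample in the shape of the "Files Created" section above (a subset of its lines).
SAMPLE_CREATED = (
    "2007-12-28 08:26 . 2007-12-28 08:26 30,720 --a------ C:\\WINDOWS\\system32\\setup_77664.exe\n"
    "2007-12-28 08:07 . 2007-12-28 08:07 30,720 --a------ C:\\WINDOWS\\system32\\setup_48435.exe\n"
    "2007-12-28 08:07 . 2007-12-28 08:07 30,720 --a------ C:\\WINDOWS\\system32\\eraseme_66417.exe\n"
    "2007-12-28 07:56 . 2007-12-28 07:56 250 --a------ C:\\WINDOWS\\gmer.ini\n"
    "2007-12-28 07:17 . 2007-12-28 07:17 30,720 --a------ C:\\WINDOWS\\system32\\setup_33200.exe\n"
    "2007-12-28 06:20 . 2007-07-30 19:19 549,720 --a------ C:\\WINDOWS\\system32\\wuapi.dll\n"
    "2007-12-28 06:33 . 2007-12-28 06:33 <DIR> d-------- C:\\WINDOWS\\system32\\Kaspersky Lab\n"
)

# Assumed field order: created-time . last-write-time size attributes path
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(<DIR>|[\d,]+) (\S+) (.+)$")
# word_digits.ext, the naming shape of the dropped files in the log (assumed pattern)
RANDOM_NAME = re.compile(r"^[a-z]+_\d{4,}\.(exe|dll|scr)$", re.IGNORECASE)
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".sys")


def parse_created(text: str) -> List[Dict]:
    """Parse each listing line into timestamps, size (None for directories), attributes and path."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        entries.append({
            "created": datetime.strptime(created, "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(modified, "%Y-%m-%d %H:%M"),
            "size": None if size == "<DIR>" else int(size.replace(",", "")),
            "attrs": attrs,
            "path": path,
        })
    return entries


def dropper_clusters(entries: List[Dict], min_members: int = 3,
                     window_hours: int = 24) -> List[Dict]:
    """Group executables by (directory, size); report groups of min_members+ created within the window."""
    groups = defaultdict(list)
    for e in entries:
        directory, _, name = e["path"].rpartition("\\")
        if e["size"] is None or not name.lower().endswith(EXECUTABLE_EXT):
            continue
        groups[(directory.lower(), e["size"])].append((name, e))
    clusters = []
    for (directory, size), members in groups.items():
        if len(members) < min_members:
            continue
        times = [e["created"] for _, e in members]
        if (max(times) - min(times)).total_seconds() > window_hours * 3600:
            continue
        clusters.append({
            "dir": directory,
            "size": size,
            "names": sorted(name for name, _ in members),
            # random-looking names and created == last-write (written in place rather than
            # carried over from an older install package) both push the group towards "dropped"
            "random_named": sum(bool(RANDOM_NAME.match(name)) for name, _ in members),
            "fresh": sum(e["created"] == e["modified"] for _, e in members),
        })
    return clusters
```

On the constructed sample, `dropper_clusters(parse_created(SAMPLE_CREATED))` returns one cluster: four 30,720-byte files in system32, all random-named and all written in place; wuapi.dll is alone at its size and its July last-write date would not count as fresh anyway. Identical size across differently named files is the strong signal here, because a downloader that re-fetches the same payload under a new name cannot hide the size without changing the payload.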



