Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I Cant Open My Hardisk Drive/ Infected By Brontok And More


  • Please log in to reply
11 replies to this topic

#1 ducut

ducut

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:05:54 AM

Posted 05 January 2008 - 02:36 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:28:21 PM, on 1/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O1 - Hosts: 89.212.75.165 l2authd.lineage2.com
O1 - Hosts: 89.212.75.165 l2patcher.lineage2.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [hndclient] "C:\Program Files\HandyCafe\Client\_hndguard.exe" -rungrd
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] "C:\Program Files\MySpace\IM\MySpaceIM.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1187291448796
O17 - HKLM\System\CCS\Services\Tcpip\..\{99485B82-B12F-4A49-BC7D-2420DBA60F3F}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9607 bytes

BC AdBot (Login to Remove)

 


m

#2 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:05:54 PM

Posted 20 January 2008 - 06:53 PM

Hi and welcome,

Sorry for delay.
If you still need help please do the following:

Download Deckard's System Scanner to your Desktop from one of these links:

http://www.techsupportforum.com/sectools/Deckard/dss.exe
http://deckard.geekstogo.com/dss.exe

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, a text file will open - Main.txt
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of Main.txt here.
A folder, C:\Deckard\System Scanner, will also open. In it will be another text file, Extra.txt.
Please attach Extra.txt to your post.

Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

To attach a file to a new post, simply
Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
copy and paste the following into the "Upload File from your Computer" box:

C:\Deckard\System Scanner\Extra.txt

Click Upload.

What DSS will do:
--create a new System Restore point in Windows XP and Vista.
--clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
--check some important areas of your system and produce a report for your analyst to review.
--System Scanner automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware Posted Image

#3 ducut

ducut
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:05:54 AM

Posted 24 January 2008 - 01:08 AM

yes sir still need some help tnx for the reply btw this is my deckards log.... tnxx again waiting 4 reply!




Deckard's System Scanner v20071014.68
Run by user on 2008-01-24 13:57:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
77: 2008-01-24 21:57:20 UTC - RP160 - Deckard's System Scanner Restore Point
76: 2008-01-24 19:53:37 UTC - RP159 - System Checkpoint
75: 2008-01-23 19:03:37 UTC - RP158 - Software Distribution Service 3.0
74: 2008-01-23 00:02:06 UTC - RP157 - System Checkpoint
73: 2008-01-21 23:57:52 UTC - RP156 - System Checkpoint


-- First Restore Point --
1: 2007-10-28 08:30:25 UTC - RP84 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as user.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:58:46 PM, on 1/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HandyCafe\Client\_hndguard.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HandyCafe\Client\hndclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\HANDYC~1\Client\hndfw.exe
C:\PROGRA~1\HANDYC~1\Client\hndfw.exe
C:\Documents and Settings\user\My Documents\dss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\user.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O1 - Hosts: 89.212.75.165 l2authd.lineage2.com
O1 - Hosts: 89.212.75.165 l2patcher.lineage2.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [hndclient] C:\Program Files\HandyCafe\Client\_hndguard.exe -rungrd
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1187291448796
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{99485B82-B12F-4A49-BC7D-2420DBA60F3F}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9758 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 TBPanel - c:\windows\system32\drivers\tbpanel.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>

S3 Cardex - c:\windows\system32\drivers\tbpanel.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
S3 npkcrypt - c:\program files\lineageii\system\npkcrypt.sys <Not Verified; INCA Internet Co., Ltd.; nProtect KeyCrypt Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-01-24 13:15:04 256 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
2008-01-24 11:29:14 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2008-01-22 14:37:13 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-01-18 17:15:00 388 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job


-- Files created between 2007-12-24 and 2008-01-24 -----------------------------

2008-01-06 21:08:18 0 d-------- C:\Program Files\Kyocera
2008-01-06 13:22:17 2738208 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-06 04:49:05 0 d-------- C:\Program Files\ZoneAlarmSB
2008-01-06 04:40:53 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-01-06 04:39:37 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-01-06 04:32:29 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-01-06 04:25:27 0 d-------- C:\WINDOWS\Internet Logs
2008-01-06 02:43:09 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-05 19:36:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-05 16:25:22 0 d-------- C:\Program Files\Lavasoft
2008-01-05 16:25:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-05 15:26:28 0 d-------- C:\Program Files\Trend Micro
2008-01-04 22:00:36 0 d-------- C:\Program Files\AskSBar
2008-01-04 21:59:28 164 --a------ C:\install.dat
2008-01-04 20:45:35 0 dr-h----- C:\$VAULT$.AVG
2008-01-04 19:33:02 0 d-------- C:\Documents and Settings\user\Application Data\AVG7
2008-01-04 19:32:00 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-04 19:31:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-04 19:31:30 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-04 13:19:12 0 d-------- C:\Documents and Settings\user\Application Data\PC Tools


-- Find3M Report ---------------------------------------------------------------

2008-01-24 11:50:26 0 d-------- C:\Program Files\Spyware Doctor
2008-01-22 12:05:50 0 d-------- C:\Program Files\TuneUp Utilities 2006
2008-01-21 23:19:08 0 d-------- C:\Program Files\dota
2008-01-13 16:01:53 0 d-------- C:\Program Files\e-Games
2008-01-06 21:10:51 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-05 16:23:59 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-02 17:30:08 0 d-------- C:\Program Files\RF Online
2007-12-28 15:20:23 0 d-------- C:\Documents and Settings\user\Application Data\Adobe
2007-12-26 21:30:08 0 d-------- C:\Program Files\LineageII
2007-12-24 14:08:08 0 d-------- C:\Program Files\Tantra
2007-12-14 23:32:38 0 d-------- C:\Documents and Settings\user\Application Data\Skype
2007-12-09 14:34:21 0 d-------- C:\Program Files\MSN Games
2007-12-02 20:46:30 20320 --a------ C:\Documents and Settings\user\Application Data\GDIPFONTCACHEV1.DAT
2007-12-02 13:44:22 0 d-------- C:\Program Files\Windows Live Toolbar
2007-11-26 14:20:38 4096 --a------ C:\WINDOWS\d3dx.dat
2007-11-26 14:19:31 0 d-------- C:\Program Files\Yahoo! Games


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
01/04/2008 10:00 PM 66912 --a------ C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
01/04/2008 10:00 PM 267592 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [01/04/2008 10:00 PM 267592]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [02/28/2006 04:00 AM C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [08/11/2006 05:43 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [02/28/2006 04:00 AM C:\WINDOWS\system32\rundll32.exe]
"hndclient"="C:\Program Files\HandyCafe\Client\_hndguard.exe" [01/06/2004 02:35 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 05:20 PM]
"SoundMan"="SOUNDMAN.EXE" [03/01/2006 12:22 AM C:\WINDOWS\soundman.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 03:00 AM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [11/14/2007 04:05 PM]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [11/02/2007 05:24 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 04:00 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08/31/2007 04:46 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 12:01:04 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=0x1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"MsnMsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"Gainward"=C:\Program Files\VDOTool\TBPanel.exe /A
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{362923ee-c07c-11dc-9877-0019214977bf}]
Autoplay\Command- xmss.exe
AutoRun\command- xmss.exe
Explore\Command- xmss.exe
Open\Command- xmss.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{61a5effe-c5fb-11dc-934d-0019214977bf}]
AutoRun\command- D:\password_viewer.exe %1
Explore\command- D:\password_viewer.exe %1
Open\command- D:\password_viewer.exe %1




-- Hosts -----------------------------------------------------------------------

89.212.75.165 l2authd.lineage2.com
89.212.75.165 l2patcher.lineage2.com
127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com

7824 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-01-24 13:59:51 ------------

Edited by ducut, 24 January 2008 - 01:09 AM.


#4 ducut

ducut
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:05:54 AM

Posted 24 January 2008 - 01:11 AM

now this is my extra.txt log tnxx again waiting for you reply on this plzzz tell me again what to do! tnxx





Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® D CPU 2.80GHz
CPU 1: Intel® Pentium® D CPU 2.80GHz
Percentage of Memory in Use: 60%
Physical Memory (total/avail): 511.29 MiB / 203.83 MiB
Pagefile Memory (total/avail): 1249.96 MiB / 848.45 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1922.16 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.52 GiB total, 38.51 GiB free.

\\.\PHYSICALDRIVE0 - WDC WD800BB-00JHC0 - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.52 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: ZoneAlarm Firewall v7.0.462.000 (Check Point, LTD.) Disabled
AV: Spyware Doctor with AntiVirus v4.3.11 (PC Tools)
AV: AVG 7.5.516 v7.5.516 (Grisoft) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\PROGRA~1\\HANDYC~1\\Client\\HNDCLI~1.EXE"="C:\\PROGRA~1\\HANDYC~1\\Client\\HNDCLI~1.EXE:*:Enabled:handyCafe Client"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\PROGRA~1\\HANDYC~1\\Client\\hndclient.exe"="C:\\PROGRA~1\\HANDYC~1\\Client\\hndclient.exe:*:Enabled:handyCafe Client"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\HandyCafe\\Client\\hndclient.exe"="C:\\Program Files\\HandyCafe\\Client\\hndclient.exe:*:Enabled:handyCafe Client"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\user\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=PC11
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\user
LOGONSERVER=\\PC11
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0407
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\user\LOCALS~1\Temp
TMP=C:\DOCUME~1\user\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=PC11
USERNAME=user
USERPROFILE=C:\Documents and Settings\user
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

user (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
A4 TECH USB PC Camera H --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0700\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CE3B8E96-B0AF-4871-9178-1519B58E3A93}\setup.exe" -l0x9
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
Apple Software Update --> MsiExec.exe /I{74EC78BC-B379-4E29-9006-8F161DCAABA6}
Ask Toolbar --> rundll32 C:\PROGRA~1\AskSBar\bar\1.bin\AskSBar.dll,O
Audition 0.1.3.1 --> "C:\Program Files\e-Games\Audition\uninstall.exe"
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Chikka Messenger V4 --> C:\PROGRA~1\CHIKKA~1\CHIKKA~1.4\UNWISE.EXE C:\PROGRA~1\CHIKKA~1\CHIKKA~1.4\INSTALL.LOG
Command & Conquer Generals --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{06F80017-8F98-4C94-B868-52358569FC32}
Form Fill (Windows Live Toolbar) --> MsiExec.exe /X{548B3DC6-2300-47E1-BA7B-74AD25F8DEBF}
GG E-Sports Platform --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{89C89156-A70F-4C6D-9CAE-2EA71F1396FE}\Setup.exe"
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
HijackThis 2.0.2 --> "C:\Documents and Settings\user\My Documents\HijackThis.exe" /uninstall
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Kyocera Product Library --> C:\Program Files\Kyocera\KPL\SoftUninstall.exe
Kyocera TWAIN Driver --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{FF21E219-85A1-474F-B4D3-7D0505E21731} /l1033
LineageII --> "C:\Program Files\InstallShield Installation Information\{229C319E-7261-470A-B91A-E5B90ECFAC56}\setup.exe" -runfromtemp -l0x0409 -removeonly
LineageII --> MsiExec.exe /I{229C319E-7261-470A-B91A-E5B90ECFAC56}
Macromedia Flash MX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3BE480ED-E17A-431A-981C-5C2EDDBCD3BF}\Setup.exe" -l0x9 UNINSTALL
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Mozilla Firefox (2.0.0.11) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
Mu --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F57CEB84-3D22-4657-8EDA-F8CD5217B83E}\Setup.exe" -l0x9 UNINSTALL
MySpaceIM --> C:\Program Files\MySpace\IM\Uninstall.exe
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
Ragnarok Online --> MsiExec.exe /I{F70BFC0E-C74A-46C5-B181-1AE86150E907}
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
ReviewCard V2 Set Up --> C:\PROGRA~1\REVIEW~2\UNWISE.EXE C:\PROGRA~1\REVIEW~2\INSTALL.LOG
RF Online --> "C:\WINDOWS\RF Online\uninstall.exe" "/U:C:\Program Files\RF Online\Uninstall\uninstall.xml"
Rhapsody Player Engine --> MsiExec.exe /I{30C2FCD0-FF7B-4FFA-8DDE-43A22E01A1E7}
Skype™ 3.5 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Smart Menus (Windows Live Toolbar) --> MsiExec.exe /X{F084395C-40FB-4DB3-981C-B51E74E1E83D}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spyware Doctor 5.1 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
Tantra --> MsiExec.exe /I{0F731DE9-6CCC-4B84-ACBC-09492142953E}
TuneUp Utilities 2006 --> MsiExec.exe /I{868D7896-99D4-4513-BC62-2B3AD3E24926}
VDOTool 4.6 --> "C:\Program Files\VDOTool\unins000.exe"
VIA Platform Device Manager --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{20D4A895-748C-4D88-871C-FDB1695B0169}
VIA Rhine-Family Fast Ethernet Adapter --> Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
WarRock --> MsiExec.exe /I{A40FBD4C-BDF3-49BC-A231-36686D3D766C}
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Outlook Toolbar (Windows Live Toolbar) --> MsiExec.exe /X{35E1A8C8-6646-4101-B0AA-42D1EB2AB3AE}
Windows Live Sign-in Assistant --> MsiExec.exe /I{22B3CC30-77B8-419C-AA4B-F571FDF5D66D}
Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar --> MsiExec.exe /X{D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar Extension (Windows Live Toolbar) --> MsiExec.exe /X{341201D4-4F61-4ADB-987E-9CCE4D83A58D}
Windows Live Toolbar Feed Detector (Windows Live Toolbar) --> MsiExec.exe /X{68108E66-D13A-4EE8-A6F4-40E4B90C2A26}
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\YMMAPI.dll
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type1457 / Warning
Event Submitted/Written: 01/23/2008 11:07:27 AM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type1452 / Warning
Event Submitted/Written: 01/22/2008 07:48:27 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type1428 / Error
Event Submitted/Written: 01/20/2008 04:08:05 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application MySpaceIM.exe, version 1.0.745.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1416 / Warning
Event Submitted/Written: 01/19/2008 03:38:09 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Event Record #/Type1411 / Warning
Event Submitted/Written: 01/18/2008 05:29:26 PM
Event ID/Source: 1524 / Userenv
Event Description:
Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type21243 / Warning
Event Submitted/Written: 01/24/2008 01:58:52 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%PC1127 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %PC1127 can't undo changes that you allow.

For more information please see the following:
%PC11275

Scan ID: {A54339C7-A2EC-4CD8-8BC3-E85567B14856}

User: PC11\user

Name: %PC11271

ID: %PC11272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %PC11276

Alert Type: %PC11278

Detection Type: 1.1.1593.02

Event Record #/Type21242 / Warning
Event Submitted/Written: 01/24/2008 01:58:52 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%PC1127 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %PC1127 can't undo changes that you allow.

For more information please see the following:
%PC11275

Scan ID: {35A48E23-6559-4BDB-AF0A-89678C318F03}

User: PC11\user

Name: %PC11271

ID: %PC11272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %PC11276

Alert Type: %PC11278

Detection Type: 1.1.1593.02

Event Record #/Type21239 / Error
Event Submitted/Written: 01/24/2008 01:54:08 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type21236 / Warning
Event Submitted/Written: 01/24/2008 01:53:35 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%PC1127 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %PC1127 can't undo changes that you allow.

For more information please see the following:
%PC11275

Scan ID: {C96C135B-FC8D-4FCF-BC23-D3E2A3601E53}

User: PC11\user

Name: %PC11271

ID: %PC11272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %PC11276

Alert Type: %PC11278

Detection Type: 1.1.1593.02

Event Record #/Type21233 / Error
Event Submitted/Written: 01/24/2008 11:31:26 AM
Event ID/Source: 8032 / BROWSER
Event Description:
The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{99485B82-B12F-4A49-BC7D-2420DBA60F3F}.
The backup browser is stopping.



-- End of Deckard's System Scanner: finished at 2008-01-24 13:59:51 ------------

#5 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:05:54 PM

Posted 24 January 2008 - 08:18 AM

Hi,

Thanks for the logs.

Did you add these 2 lines to your Hosts file?

89.212.75.165 l2authd.lineage2.com
89.212.75.165 l2patcher.lineage2.com

FW: ZoneAlarm Firewall v7.0.462.000 (Check Point, LTD.) Disabled
AV: Spyware Doctor with AntiVirus v4.3.11 (PC Tools)
AV: AVG 7.5.516 v7.5.516 (Grisoft) Outdated

Zone alarm firewall disabled.
Windows firewall is also disabled --
You have a router between you and the internet I hope?
You disable the firewall?
I ask because I need to know if you did it or the malware.

I see also you have 2 antivirus installed.
The one from your Spyware Doctor and also AVG.

I recommend either disabling the AV from Spyware doctor or if you want to keep it -- uninstall AVG.
Otherwise make sure AVG is up to date, keep it running and disable the AV section in Spyware Doctor.

Having 2 antivirus active will cause conflicts.

If you don't use/want the ASK.com toolbar that was installed with Zone alarm -- you can uninstall it via add/remove programs.

-----------------------------------

Ok... fixin up these drives..

Copy the following text to a new notepad window.
Save as file name fix.reg
As file types: All files
Save it to the desktop.

REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=""

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{362923ee-c07c-11dc-9877-0019214977bf}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{61a5effe-c5fb-11dc-934d-0019214977bf}]

Once saved, double click it and let it merge.
If your antimalware warns you -- please allow changes.

Reboot.

Run dss.exe again please and post the new "main.txt"

Keep those fake autorun.inf folders till I see the virus scan please.
If your brontok is gone -- should be able to delete those folders and drives work right.

Next:

Using Internet Explorer please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

Click "I accept"

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save report button.
  • Call it Kaspersky.txt
  • Expand the arrow beside "file types" and save as .txt file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.

*Note2
If you have Internet Explorer 7 installed:
If you have trouble getting past the initial download you may need to use the "zoom" tool at bottom right of the scanner window and increase it to 125% to see and press the "accept" button.
Page will reload and you should be able to carry on scan.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware Posted Image

#6 ducut

ducut
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:05:54 AM

Posted 25 January 2008 - 09:39 PM

ELLO SIR TNX AGAIN FOR REPLYING

YES SIR I CLOSED MY ZONE ALARM FIREWALL BEC. IT ALWAYS ASKING TO BLOCK SOME THING BUT I DONT KNOW WHAT IT IS HEHEHE BUT I DONT PUT THE LINEAGE2 IN THE HOST.. BTW I DID THE TASKS THAT YOU TOLD ME TO DO AND HERE IS THE NEW MAIN.TXT BLOG


BUT STILL I HAVE THIS STRANGE SPEACIAL CHARACTER IF I RIGHT CLICK MY DRIVES IN THE SLOT OF OPEN ILL SHOW YOU MY SCREEN SHOT....

TNXXX AGAIN HOPE WE FIX THIS
Deckard's System Scanner v20071014.68
Run by user on 2008-01-26 10:20:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as user.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:22 AM, on 1/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Documents and Settings\user\My Documents\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\user.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O1 - Hosts: 89.212.75.165 l2authd.lineage2.com
O1 - Hosts: 89.212.75.165 l2patcher.lineage2.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [hndclient] C:\Program Files\HandyCafe\Client\_hndguard.exe -rungrd
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1187291448796
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{99485B82-B12F-4A49-BC7D-2420DBA60F3F}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9230 bytes

-- Files created between 2007-12-26 and 2008-01-26 -----------------------------

2008-01-26 09:58:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-06 21:08:18 0 d-------- C:\Program Files\Kyocera
2008-01-06 13:22:17 2738208 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-06 04:49:05 0 d-------- C:\Program Files\ZoneAlarmSB
2008-01-06 04:40:53 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-01-06 04:39:37 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-01-06 04:32:29 0 d-------- C:\WINDOWS\system32\ZoneLabs
2008-01-06 04:25:27 0 d-------- C:\WINDOWS\Internet Logs
2008-01-06 02:43:09 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-05 19:36:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-05 16:25:22 0 d-------- C:\Program Files\Lavasoft
2008-01-05 16:25:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-05 15:26:28 0 d-------- C:\Program Files\Trend Micro
2008-01-04 22:00:36 0 d-------- C:\Program Files\AskSBar
2008-01-04 21:59:28 164 --a------ C:\install.dat
2008-01-04 13:19:12 0 d-------- C:\Documents and Settings\user\Application Data\PC Tools


-- Find3M Report ---------------------------------------------------------------

2008-01-25 17:20:05 0 d-------- C:\Program Files\dota
2008-01-24 11:50:26 0 d-------- C:\Program Files\Spyware Doctor
2008-01-22 12:05:50 0 d-------- C:\Program Files\TuneUp Utilities 2006
2008-01-13 16:01:53 0 d-------- C:\Program Files\e-Games
2008-01-06 21:10:51 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-01-05 16:23:59 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-02 17:30:08 0 d-------- C:\Program Files\RF Online
2007-12-28 15:20:23 0 d-------- C:\Documents and Settings\user\Application Data\Adobe
2007-12-26 21:30:08 0 d-------- C:\Program Files\LineageII
2007-12-24 14:08:08 0 d-------- C:\Program Files\Tantra
2007-12-14 23:32:38 0 d-------- C:\Documents and Settings\user\Application Data\Skype
2007-12-09 14:34:21 0 d-------- C:\Program Files\MSN Games
2007-12-02 20:46:30 20320 --a------ C:\Documents and Settings\user\Application Data\GDIPFONTCACHEV1.DAT
2007-12-02 13:44:22 0 d-------- C:\Program Files\Windows Live Toolbar
2007-11-26 14:20:38 4096 --a------ C:\WINDOWS\d3dx.dat
2007-11-26 14:19:31 0 d-------- C:\Program Files\Yahoo! Games


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
01/04/2008 10:00 PM 66912 --a------ C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
01/04/2008 10:00 PM 267592 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [01/04/2008 10:00 PM 267592]

[-HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [02/28/2006 04:00 AM C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [08/11/2006 05:43 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [02/28/2006 04:00 AM C:\WINDOWS\system32\rundll32.exe]
"hndclient"="C:\Program Files\HandyCafe\Client\_hndguard.exe" [01/06/2004 02:35 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 05:20 PM]
"SoundMan"="SOUNDMAN.EXE" [03/01/2006 12:22 AM C:\WINDOWS\soundman.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [07/12/2007 03:00 AM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [11/14/2007 04:05 PM]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [11/02/2007 05:24 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/28/2006 04:00 AM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08/31/2007 04:46 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [09/15/2007 09:17 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 12:01:04 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"MsnMsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"Gainward"=C:\Program Files\VDOTool\TBPanel.exe /A
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp




-- End of Deckard's System Scanner: finished at 2008-01-26 10:23:15 ------------

#7 ducut

ducut
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:05:54 AM

Posted 25 January 2008 - 09:45 PM

I CANT POST THE LOG FROM KASPERKY IT HAS AN ERROR AFTER IT FULL SCAN BUT THE SCAN IS COMPLETED I JUST CANT SAVE THE LOG REPORT.. HOPE THIS HELP

THIS IS THE SHOT OF MY PROBLEM SO YOULL HAVE AN IDEA WHAT TO DO.. TNXX AGAIN.. JAHH BLESS!

Attached Files


Edited by ducut, 26 January 2008 - 04:28 AM.


#8 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:05:54 PM

Posted 26 January 2008 - 06:30 PM

Hi,

what exactly happens when you try to save the scan log?

----------

Thanks for the screenshot.
Not sure where exactly the problem is but I think I'm close. Another leftover joy from brontok.

Let's see if this will tell me why you get those funky characters when right clicking your drives.

Copy the following text to a new notepad file.
Save it as file name peek.bat
As file types: All files
Save to desktop.

cd %systemdrive%\
if not exist menufiles mkdir menufiles
regedit /a menufiles\1.txt HKEY_CLASSES_ROOT\Drive\Shell
regedit /a menufiles\2.txt HKEY_CLASSES_ROOT\Folder\Shell
regedit /a menufiles\3.txt HKEY_CLASSES_ROOT\Drive\ShellEx\ContextMenuHandlers
regedit /a menufiles\4.txt HKEY_CLASSES_ROOT\Folder\ShellEx\ContextMenuHandlers

copy menufiles\*.txt = %systemdrive%\menu.txt
rmdir /s /q menufiles
Notepad %systemdrive%\menu.txt

Once saved, double click peek.bat and let it run.
After a second or 2 a log will pop up.
Please copy/paste results of that log here.

That will have exported some registry info I need to see to a log file.
Then it deletes the files I had it create while making log.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware Posted Image

#9 ducut

ducut
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:05:54 AM

Posted 27 January 2008 - 12:53 AM

not sure about the error but it stop when the scan is completed and no prompt of the save log file

here is the log what u told me to do...


REGEDIT4

[HKEY_CLASSES_ROOT\Drive\Shell]
@="none"

[HKEY_CLASSES_ROOT\Drive\Shell\find]
"SuppressionPolicy"=dword:00000080

[HKEY_CLASSES_ROOT\Drive\Shell\find\command]
@=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,45,78,70,6c,6f,72,65,72,2e,65,\
78,65,00

[HKEY_CLASSES_ROOT\Drive\Shell\find\ddeexec]
@="[FindFolder(\"%l\", %I)]"
"NoActivateHandler"=""

[HKEY_CLASSES_ROOT\Drive\Shell\find\ddeexec\application]
@="Folders"

[HKEY_CLASSES_ROOT\Drive\Shell\find\ddeexec\topic]
@="AppProperties"

REGEDIT4

[HKEY_CLASSES_ROOT\Folder\Shell]

[HKEY_CLASSES_ROOT\Folder\Shell\explore]
"BrowserFlags"=dword:00000022
"ExplorerFlags"=dword:00000021

[HKEY_CLASSES_ROOT\Folder\Shell\explore\command]
@=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,45,78,70,6c,6f,72,65,72,2e,65,\
78,65,20,2f,65,2c,2f,69,64,6c,69,73,74,2c,25,49,2c,25,4c,00

[HKEY_CLASSES_ROOT\Folder\Shell\explore\ddeexec]
@="[ExploreFolder(\"%l\", %I, %S)]"
"NoActivateHandler"=""

[HKEY_CLASSES_ROOT\Folder\Shell\explore\ddeexec\application]
@="Folders"

[HKEY_CLASSES_ROOT\Folder\Shell\explore\ddeexec\ifexec]
@="[]"

[HKEY_CLASSES_ROOT\Folder\Shell\explore\ddeexec\topic]
@="AppProperties"

[HKEY_CLASSES_ROOT\Folder\Shell\open]
"BrowserFlags"=dword:00000010
"ExplorerFlags"=dword:00000012

[HKEY_CLASSES_ROOT\Folder\Shell\open\command]
@=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,45,78,70,6c,6f,72,65,72,2e,65,\
78,65,20,2f,69,64,6c,69,73,74,2c,25,49,2c,25,4c,00

[HKEY_CLASSES_ROOT\Folder\Shell\open\ddeexec]
@="[ViewFolder(\"%l\", %I, %S)]"
"NoActivateHandler"=""

[HKEY_CLASSES_ROOT\Folder\Shell\open\ddeexec\application]
@="Folders"

[HKEY_CLASSES_ROOT\Folder\Shell\open\ddeexec\ifexec]
@="[]"

[HKEY_CLASSES_ROOT\Folder\Shell\open\ddeexec\topic]
@="AppProperties"

REGEDIT4

[HKEY_CLASSES_ROOT\Drive\ShellEx\ContextMenuHandlers]

[HKEY_CLASSES_ROOT\Drive\ShellEx\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

[HKEY_CLASSES_ROOT\Drive\ShellEx\ContextMenuHandlers\Sharing]
@="{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"

[HKEY_CLASSES_ROOT\Drive\ShellEx\ContextMenuHandlers\{59099400-57FF-11CE-BD94-0020AF85B590}]

[HKEY_CLASSES_ROOT\Drive\ShellEx\ContextMenuHandlers\{fbeb8a05-beee-4442-804e-409d6c4515e9}]
@=""

REGEDIT4

[HKEY_CLASSES_ROOT\Folder\ShellEx\ContextMenuHandlers]
@=""

[HKEY_CLASSES_ROOT\Folder\ShellEx\ContextMenuHandlers\ZLAVShExt]
@="{D9872D13-7651-4471-9EEE-F0A00218BEBB}"



tnx again man for holding up...

#10 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:05:54 PM

Posted 31 January 2008 - 06:57 AM

Sorry for delay.
Lotsa bad weather here and events to keep me away from posting.

Please follow instructions here for the download and instructions for use information for ComboFix.
Please don't skip the recovery console step.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

If any errors/problems please explain best you can what is happening.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware Posted Image

#11 ducut

ducut
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:05:54 AM

Posted 02 February 2008 - 02:35 AM

this my log sorry for the delay ummm my only problem is i cant use now my firefox tnxx again!!!

ei my drive c is in normal noe but im scared opening it the virus might come again... tell me what to do next tnxxx!!!



ComboFix 08-02.02.4 - user 2008-02-02 15:16:01.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.239 [GMT -8:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\WINDOWS\svchost.ini

.
((((((((((((((((((((((((( Files Created from 2008-01-02 to 2008-02-02 )))))))))))))))))))))))))))))))
.

2008-02-02 15:11 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-02-02 15:11 . 2007-08-16 02:47 211 --a------ C:\Boot.bak
2008-02-01 17:46 . 2008-02-01 17:46 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-01-26 11:40 . 2008-01-26 11:40 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-26 11:40 . 2008-01-26 11:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-26 09:58 . 2008-01-26 09:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-24 13:56 . 2008-01-24 13:56 <DIR> d-------- C:\Deckard
2008-01-06 21:15 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-01-06 21:15 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-01-06 21:15 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-01-06 21:15 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-01-06 21:10 . 2008-01-06 21:10 58 --a------ C:\WINDOWS\system32\KmTwain.ini
2008-01-06 21:09 . 2005-02-25 12:29 31,232 --a------ C:\WINDOWS\system32\drivers\KMUSBSCN.sys
2008-01-06 21:09 . 2005-01-26 19:34 25,344 --a------ C:\WINDOWS\system32\drivers\KMUSBSC2.sys
2008-01-06 21:08 . 2008-01-06 21:11 <DIR> d-------- C:\Program Files\Kyocera
2008-01-06 21:08 . 2004-10-26 15:37 99,656 --a------ C:\WINDOWS\system32\KMPJLMN.DLL
2008-01-06 13:22 . 2008-02-02 15:18 2,740,256 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-06 13:22 . 2008-02-01 19:04 32,732 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-06 04:49 . 2008-01-06 04:49 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-01-06 04:40 . 2008-01-06 04:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-01-06 04:39 . 2008-01-06 04:57 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-01-06 04:38 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-01-06 04:32 . 2008-01-06 04:39 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2008-01-06 04:32 . 2008-01-06 04:32 <DIR> d-------- C:\Program Files\Zone Labs
2008-01-06 04:32 . 2007-11-14 16:05 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2008-01-06 04:31 . 2008-02-02 14:40 353,367 --a------ C:\WINDOWS\system32\vsconfig.xml
2008-01-06 04:25 . 2008-02-02 14:40 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-01-06 02:43 . 2008-01-06 02:53 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-06 02:43 . 2008-01-06 02:59 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-06 02:43 . 2008-01-06 02:59 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-06 02:43 . 2008-01-06 02:59 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-05 19:36 . 2008-01-05 19:36 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-01-05 19:36 . 2008-01-05 20:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-05 16:25 . 2008-01-05 16:25 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-05 16:25 . 2008-01-05 16:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-05 15:26 . 2008-01-05 15:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-04 22:00 . 2008-01-04 22:00 <DIR> d-------- C:\Program Files\AskSBar
2008-01-04 21:59 . 2008-01-04 21:59 164 --a------ C:\install.dat
2008-01-04 13:19 . 2008-01-04 13:19 <DIR> d-------- C:\Documents and Settings\user\Application Data\PC Tools
2008-01-04 13:19 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-01-04 13:19 . 2005-07-06 18:13 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-01-04 13:19 . 2005-07-06 18:13 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-01-04 13:19 . 2008-01-04 13:20 74,240 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-01-04 13:19 . 2008-01-04 13:20 56,832 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-01-04 13:19 . 2007-10-18 00:14 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-01-04 13:19 . 2007-10-18 00:16 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 05:25 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-01 01:27 --------- d-----w C:\Program Files\dota
2008-01-31 21:30 1,438,720 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-01-31 21:29 1,438,720 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-01-31 03:35 365,056 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2008-01-30 01:03 --------- d-----w C:\Program Files\e-Games
2008-01-30 00:58 --------- d-----w C:\Program Files\RF Online
2008-01-29 00:52 --------- d-----w C:\Program Files\Spyware Doctor
2008-01-25 23:13 1,417,728 ----a-w C:\WINDOWS\Internet Logs\xDB9.tmp
2008-01-23 23:51 25,600 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-01-23 23:51 1,412,608 ----a-w C:\WINDOWS\Internet Logs\xDB8.tmp
2008-01-23 19:07 995,840 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-01-22 20:05 --------- d-----w C:\Program Files\TuneUp Utilities 2006
2008-01-22 04:32 1,409,536 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-01-20 18:46 1,408,000 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-01-08 20:30 296,448 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-01-08 20:30 1,358,336 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-01-08 04:12 1,357,312 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-01-07 05:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-06 00:23 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-27 05:30 --------- d-----w C:\Program Files\LineageII
2007-12-24 22:08 --------- d-----w C:\Program Files\Tantra
2007-12-15 07:32 --------- d-----w C:\Documents and Settings\user\Application Data\Skype
2007-12-09 22:34 --------- d-----w C:\Program Files\MSN Games
2007-12-03 04:46 20,320 ----a-w C:\Documents and Settings\user\Application Data\GDIPFONTCACHEV1.DAT
2007-12-02 21:44 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-01-04 22:00 66912 --a------ C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-01-04 22:00 267592 --a------ C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88}
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL [2008-01-04 22:00 267592]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 04:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-15 09:17 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2006-02-28 04:00 33280 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2006-08-11 05:43 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2006-02-28 04:00 33280 C:\WINDOWS\system32\rundll32.exe]
"hndclient"="C:\Program Files\HandyCafe\Client\_hndguard.exe" [2004-01-06 14:35 21504]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 17:20 866584]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 00:22 577536 C:\WINDOWS\soundman.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00 132496]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 17:47 8720384]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"MsnMsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"Gainward"=C:\Program Files\VDOTool\TBPanel.exe /A
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-02-22 19:38]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-02-22 19:39]
R2 UxTuneUp;TuneUp Design Expansion;C:\WINDOWS\System32\svchost.exe [2006-02-28 04:00]
S3 dump_wmimmc;dump_wmimmc;C:\Program Files\e-Games\Ran Online\GameGuard\dump_wmimmc.sys []
S3 KMUSBSC2;KM USB Scan Svc2;C:\WINDOWS\system32\Drivers\KMUSBSC2.sys [2005-01-26 19:34]
S3 KMUSBSCN;KM USB Scan Svc;C:\WINDOWS\system32\Drivers\KMUSBSCN.sys [2005-02-25 12:29]
S3 ZSMC303;A4 TECH PC Camera H;C:\WINDOWS\system32\Drivers\usbVM303.sys [2005-10-27 13:34]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-02-02 01:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
"2008-01-22 22:37:13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-02 23:15:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-02-02 23:01:31 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 15:18:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-02 15:18:52
ComboFix-quarantined-files.txt 2008-02-02 23:18:50
.
2008-02-01 17:56:50 --- E O F ---

Edited by ducut, 02 February 2008 - 02:42 AM.


#12 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:05:54 PM

Posted 06 February 2008 - 05:05 AM

Hi,

sorry I missed your reply...
Didn't mean to hold you waiting...

Firefox don't work right -- does Internet Explorer?
What happens when you try FireFox? Any specific error messages?

I'd like to run an online scanner.

Run the F-Secure Online Scanner
Note: This Scanner is for Internet Explorer Only!
  • Click on Online Services and then Online Scanner
  • Accept the License Agreement.
  • Once the ActiveX installs,Click Full System Scan
  • Once the download completes,the scan will begin automatically.
  • The scan will take some time to finish,so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.
It should be safe to open the C:\ drive.
I don't see the autorun entries in registrty that would cause the virus to run unless of course if you click the bad exe.

Do you still see the strange text when right clicking the C:\ drive?

If FireFox does not run after doing above scan -- see if you can uninstall it and re-install it again.
Let me know if it works right after that.

Thanks :thumbsup:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users