Hjt Scan. I Removed The Virus.


37 replies to this topic

#1 anjo03


Posted 06 March 2008 - 02:51 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:50:51 PM, on 3/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Sygate Personal Firewall\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Ocean Technology\GG E-Sports Platform\GGclient.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SmcService] D:\SYGATE~1\smc.exe -startgui
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - C:\Program Files\Giganology\Gigaget\geturl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{43D019DA-BA4E-4099-BB20-AB32EB611E4C}: NameServer = 202.78.97.41 210.4.2.61
O20 - Winlogon Notify: !SASWinLogon - D:\Super ANTI-SPYWARE\SASWINLO.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: E1F60700 - Unknown owner - C:\WINDOWS\system32\6B161E00.EXE (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Sygate Personal Firewall\smc.exe

--
End of file - 3442 bytes



#2 anjo03


Posted 08 March 2008 - 12:33 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:32:07 AM, on 3/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Sygate Personal Firewall\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SmcService] D:\SYGATE~1\smc.exe -startgui
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - C:\Program Files\Giganology\Gigaget\geturl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{43D019DA-BA4E-4099-BB20-AB32EB611E4C}: NameServer = 202.78.97.41 210.4.2.61
O20 - AppInit_DLLs: msosmhfp01.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Super ANTI-SPYWARE\SASWINLO.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: E1F60700 - Unknown owner - C:\WINDOWS\system32\6B161E00.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Sygate Personal Firewall\smc.exe

--
End of file - 3848 bytes


#3 anjo03


Posted 08 March 2008 - 12:49 PM

Need help. It slowly puts many viruses on my computer.

#4 rookie147


Posted 24 March 2008 - 05:11 PM

As you can probably see, our HijackThis Team is incredibly busy at the moment, but I apologise for the delay you have experienced. If you are still having problems, please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:
Preparation Guide For Use Before Posting A HijackThis Log
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#5 anjo03


Posted 02 April 2008 - 11:10 AM

Although I waited for too long, let's continue with it.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:10:41 AM, on 4/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Sygate Personal Firewall\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Garena\Garena.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SmcService] D:\SYGATE~1\smc.exe -startgui
O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - C:\Program Files\Giganology\Gigaget\geturl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{43D019DA-BA4E-4099-BB20-AB32EB611E4C}: NameServer = 202.78.97.41 210.4.2.61
O20 - AppInit_DLLs: msosmhfp01.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Super ANTI-SPYWARE\SASWINLO.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Sygate Personal Firewall\smc.exe

--
End of file - 3560 bytes


#6 rookie147


Posted 03 April 2008 - 03:01 PM

Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.

Post that in your next reply with a fresh HijackThis log. Don't use code boxes for your logs; it's pointless and hurts my eyes.

Thanks,

EDIT: why are you running Sygate from the D:\ drive?

Edited by rookie147, 03 April 2008 - 03:02 PM.



#7 anjo03


Posted 04 April 2008 - 11:59 AM

"EDIT: why are you running Sygate from the D:\ drive?"

It's because I want to save disk space :blink:

Uhm, I think I accidentally downloaded some malware. Need help here.
It goes on my taskbar, and when I click it, it opens Internet Explorer to the www.virusheat.com site.

Sir rookie147, what time are you usually online, so that we can do this fast? :thumbsup:
It's really a rush.
Although I understand you are very busy right now.

Edited by anjo03, 04 April 2008 - 12:35 PM.


#8 anjo03


Posted 04 April 2008 - 12:10 PM

COMBOFIX
ComboFix 08-04-03.5 - user 2008-04-05 1:01:52.6 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.192 [GMT 8:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\WINDOWS\dxtmechk
C:\WINDOWS\system32\11C0B000.DLL
C:\WINDOWS\system32\209789\209789.dll
C:\WINDOWS\system32\514F1200.DLL
C:\WINDOWS\system32\amvo.exe
C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\amvo1.dll
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\avpsrv.dll
C:\WINDOWS\system32\bxbmissf.dll
C:\WINDOWS\system32\cmdbcs.dll
C:\WINDOWS\system32\D3D9_32.DLL
C:\WINDOWS\system32\D3D9_64.DLL
C:\WINDOWS\system32\DbgHlp32.dll
C:\WINDOWS\system32\DE329800.EXE
C:\WINDOWS\system32\drivers\msosfpids32.sys
C:\WINDOWS\system32\drivers\usbKeyInit.sys
C:\WINDOWS\system32\DXDLG.EXE
C:\WINDOWS\system32\hfeaur.dll
C:\WINDOWS\system32\k12049958262.exe
C:\WINDOWS\system32\k12049958316.exe
C:\WINDOWS\system32\k12049958353.exe
C:\WINDOWS\system32\k120499584215.exe
C:\WINDOWS\system32\k120713184211.exe
C:\WINDOWS\system32\knlExt.dll
C:\WINDOWS\system32\kvsc3.dll
C:\WINDOWS\system32\LotusHlp.dll
C:\WINDOWS\system32\mppds.dll
C:\WINDOWS\system32\mrykee.dll
C:\WINDOWS\system32\msccrt.dll
C:\WINDOWS\system32\msimms32.dll
C:\WINDOWS\system32\msosmhfp.dat
C:\WINDOWS\system32\msosmhfp00.dll
C:\WINDOWS\system32\msosmhfp01.dll
C:\WINDOWS\system32\msosmhfp02.dll
C:\WINDOWS\system32\NAVMon32.dll
C:\WINDOWS\system32\nvdispdrv.dll
C:\WINDOWS\system32\PTSShell.dll
C:\WINDOWS\system32\readme-net.doc
C:\WINDOWS\system32\REGKEY.hiv
C:\WINDOWS\system32\SHAProc.dll
C:\WINDOWS\system32\upxdnd.dll
C:\WINDOWS\system32\Wingin.exe
C:\WINDOWS\system32\WINSvr32.dll
C:\WINDOWS\system32\WSockDrv32.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FPIDS32
-------\Legacy_MHFP
-------\Service_fpids32
-------\Service_mhfp
-------\Legacy_422ED600
-------\422ED600


((((((((((((((((((((((((( Files Created from 2008-03-04 to 2008-04-04 )))))))))))))))))))))))))))))))
.

2008-04-05 00:47 . 2008-04-05 00:47 <DIR> d-------- C:\WINDOWS\system32\209789
2008-04-05 00:47 . 2008-04-05 00:47 <DIR> d-------- C:\Program Files\NetProject
2008-04-03 16:18 . 2008-04-03 16:18 <DIR> d-------- C:\Program Files\Yahoo! Games
2008-04-02 19:18 . 2008-04-02 19:18 <DIR> d-------- C:\Program Files\Garena
2008-04-02 19:18 . 2008-04-02 19:18 <DIR> d-------- C:\Documents and Settings\user\Application Data\InstallShield
2008-04-02 19:18 . 2006-03-14 02:26 53,248 --a------ C:\WINDOWS\system32\ImageOle.dll
2008-04-01 14:37 . 2008-04-01 14:37 <DIR> d-------- C:\Documents and Settings\user\Application Data\Gamelab
2008-03-14 10:27 . 2008-03-15 09:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-14 10:27 . 2008-03-14 10:27 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-06 14:22 . 2007-09-18 20:44 12,947 --------- C:\auto.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-21 22:40 107,309 --sh--r C:\oufddh.exe
2008-01-20 06:30 272,896 ----a-w C:\WINDOWS\system32\advddr32.exe
2008-01-13 18:14 65,536 ----a-w C:\WINDOWS\IFinst27.exe
2007-11-10 08:14 294 --sh--w C:\Documents and Settings\Default User\PCTeamRulez.bat
2007-11-10 08:14 293 --sh--w C:\Documents and Settings\NetworkService\PCTeamRulez.bat
2007-11-10 02:03 294 --sh--w C:\Documents and Settings\LocalService\PCTeamRulez.bat
2007-08-03 05:24 400 ----a-w C:\Documents and Settings\user\score.dat
2007-11-10 12:11 294 --sh--w C:\WINDOWS\PCTeamRulez.bat
2007-11-21 11:25 32 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-21 11:25 32 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2007-09-08 23:40 293 --sh--w C:\WINDOWS\system32\drivers\28866\PCTeamRulez.bat
2007-09-09 05:19 292 --sh--w C:\WINDOWS\system32\drivers\102486\PCTeamRulez.bat
2007-09-09 08:31 294 --sh--w C:\WINDOWS\system32\drivers\76727\PCTeamRulez.bat
2007-09-09 09:16 292 --sh--w C:\WINDOWS\system32\drivers\103631\PCTeamRulez.bat
2007-09-09 09:56 292 --sh--w C:\WINDOWS\system32\drivers\95147\PCTeamRulez.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C109800-A5D5-438F-9640-18D17E168B88}]
2008-04-05 00:50 10240 --a------ C:\Program Files\NetProject\sbmdl.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{DB9FBA9D-AB1B-4CC6-9745-F3B549D64E40}"= C:\Program Files\NetProject\wamdl.dll [2008-04-05 00:47 86016]

[HKEY_CLASSES_ROOT\clsid\{db9fba9d-ab1b-4cc6-9745-f3b549d64e40}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-16 15:35 7630848]
"SmcService"="D:\SYGATE~1\smc.exe" [2004-10-15 19:40 2577632]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Super ANTI-SPYWARE\SASSEH.DLL [2006-12-20 12:55 77824]
"{009FB316-D7A2-456A-AE04-EB9ABF822FE4}"= C:\DOCUME~1\user\LOCALS~1\Temp\k12071318323ow.dll [2008-04-02 18:27 17120]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Super ANTI-SPYWARE\SASWINLO.dll 2007-02-27 11:39 282624 D:\Super ANTI-SPYWARE\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo8"= VfWWDM32.dll
"VIDC.X264"= x264vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\(Default)]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amva]
C:\WINDOWS\system32\amvo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avpa]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVPSrv]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]
--a------ 2004-02-24 16:00 49152 C:\WINDOWS\VM_STI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ChikkaDefault]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmdbcs]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hyxclmqe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kvsc3]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LotusHlp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mppds]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msccrt]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsIMMs32]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAVMon32]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-08-16 15:35 7630848 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVDispDrv]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-08-16 15:35 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PTSShell]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2007-02-26 15:03 16125440 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SHAProc]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\upxdnd]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsLogon]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winlogon]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINSvr32]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WSockDrv32]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PCToolsFirewallPlus"=2 (0x2)
"ray"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Giganology\\Gigaget\\Gigaget.exe"=
"C:\\Program Files\\Softnyx\\Rakion\\Bin\\Rakion.bin"=
"D:\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 BIOS;BIOS;C:\WINDOWS\system32\drivers\BIOS.sys [2005-03-16 14:23]
S3 projectx1;projectx1;D:\Project X\FelipeZe.sys []
S4 E1F60700;E1F60700;C:\WINDOWS\system32\6B161E00.EXE []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{06368084-2246-11dc-88dc-00e04d23d8a1}]
\Shell\auto\command - auto.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
\Shell\explore\command - Knight.exe open
\Shell\find\command - Knight.exe open
\Shell\install\command - Knight.exe open
\Shell\open\command - Knight.exe open

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b95e2fa4-c34f-11dc-8c63-00e04d23d8a1}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL exiplorer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c231f60c-3dd4-11dc-8978-00e04d23d8a1}]
\Shell\Auto\command - F:\auto.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-05 01:06:32
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
------------------------ Other Running Processes ------------------------
.
D:\Sygate Personal Firewall\smc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 2008-04-05 1:07:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-04 17:07:46
Pre-Run: 23,462,969,344 bytes free
Post-Run: 23,473,324,032 bytes free
.
2008-01-15 11:59:34 --- E O F ---


HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:09:25 AM, on 4/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Sygate Personal Firewall\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - C:\Program Files\NetProject\sbmdl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SmcService] D:\SYGATE~1\smc.exe -startgui
O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - C:\Program Files\Giganology\Gigaget\geturl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ieservicegate.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ieservicegate.com/redirect.php (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{43D019DA-BA4E-4099-BB20-AB32EB611E4C}: NameServer = 202.78.97.41 210.4.2.61
O20 - Winlogon Notify: !SASWinLogon - D:\Super ANTI-SPYWARE\SASWINLO.dll
O22 - SharedTaskScheduler: important - {9c87cb31-93d0-4f3e-a360-4a91ff77aeb7} - (no file)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Sygate Personal Firewall\smc.exe

--
End of file - 3832 bytes
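As an added example (not HijackThis code and not from any post in this thread), the script below runs a first-pass triage over HJT entry lines like the ones in the logs above: orphaned load points, services with no publisher, a populated AppInit_DLLs value, and eight-hex-digit file names like the ones ComboFix removed. The sample lines are copied from the logs posted in this thread; the rules themselves are the example author's assumptions about what a helper looks at first, not anything HijackThis itself reports.

```python
"""Triage the entry lines of a HijackThis v2 log and flag the ones a helper
would look at first.  Added example for this thread: it is not HijackThis code
and not from any post here.  The rules are common-sense triage heuristics, not
a detector: a flagged line still needs a human (or a hash lookup) to decide,
and an unflagged line is not proof that the machine is clean."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the HJT logs posted in this thread, plus
# the header and one process line that every HJT log carries.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O17 - HKLM\System\CCS\Services\Tcpip\..\{43D019DA-BA4E-4099-BB20-AB32EB611E4C}: NameServer = 202.78.97.41 210.4.2.61
O20 - AppInit_DLLs: msosmhfp01.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Super ANTI-SPYWARE\SASWINLO.dll
O22 - SharedTaskScheduler: important - {9c87cb31-93d0-4f3e-a360-4a91ff77aeb7} - (no file)
O23 - Service: E1F60700 - Unknown owner - C:\WINDOWS\system32\6B161E00.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# HJT entry lines start with a section tag (R0-R3, F0-F3, N1-N4, O1-O24) and " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.*)$")
# A base name made of exactly eight hex digits (6B161E00.EXE, 11C0B000.DLL, ...):
# the naming pattern shared by several files ComboFix removed in this thread.
HEXNAME_RE = re.compile(r"\\([0-9A-F]{8})\.(EXE|DLL)\b", re.IGNORECASE)
# Markers HJT prints when the referenced file is gone; an orphaned load point is
# usually the leftover of a partial removal and still deserves cleaning up.
MISSING_MARKERS = ("(file missing)", "(no file)")


@dataclass
class Finding:
    kind: str                    # HJT section tag, e.g. "O23"
    line: str                    # the original log line, stripped
    reasons: list[str] = field(default_factory=list)
    severity: str = "clean"      # "clean", "review" or "suspect"


def triage_line(raw: str) -> Finding | None:
    """Classify one HJT entry line; header and process lines return None."""
    m = ENTRY_RE.match(raw.strip())
    if m is None:
        return None
    kind, body = m.group("kind"), m.group("body")
    f = Finding(kind=kind, line=raw.strip())

    if kind == "O20" and body.startswith("AppInit_DLLs:"):
        dlls = body.split(":", 1)[1].strip()
        if dlls:  # HJT only prints this line when the value is set, but be safe
            f.reasons.append(f"AppInit_DLLs loads {dlls} into every process that uses user32.dll")
    if kind == "O23" and "Unknown owner" in body:
        f.reasons.append("service binary carries no publisher information")
    if kind in ("O2", "O9", "O22", "O23") and any(mk in body for mk in MISSING_MARKERS):
        f.reasons.append("load point references a file that is no longer on disk")
    if kind == "O4" and re.search(r"\\temp\\", body, re.IGNORECASE):
        f.reasons.append("autostart entry runs from a Temp directory")
    hexname = HEXNAME_RE.search(body)
    if hexname:
        f.reasons.append(f"random-looking file name {hexname.group(1)}.{hexname.group(2)}")

    if f.reasons:
        f.severity = "suspect"
    elif kind == "O17" and "NameServer" in body:
        # Static DNS servers are not wrong by themselves, but a DNS changer would
        # show up exactly here, so list them for the helper to confirm with the ISP.
        f.reasons.append("static DNS servers configured; confirm they belong to the user's ISP")
        f.severity = "review"
    return f


def triage_log(text: str) -> list[Finding]:
    """Triage every entry line of a whole HJT log."""
    return [f for f in map(triage_line, text.splitlines()) if f is not None]


def summarize(findings: list[Finding]) -> dict[str, list[str]]:
    """Group the lines by severity for a quick read."""
    return {sev: [f.line for f in findings if f.severity == sev]
            for sev in ("suspect", "review", "clean")}


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        if f.severity != "clean":
            print(f"[{f.severity}] {f.line}")
            for reason in f.reasons:
                print(f"    - {reason}")
```

On the sample above the three "suspect" hits are the AppInit_DLLs entry, the orphaned SharedTaskScheduler entry and the E1F60700 service, which matches what ComboFix later removed in this thread.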

#9 rookie147


Posted 04 April 2008 - 03:12 PM

Uhm, I think I accidentally downloaded some malware. Need help here.
It goes on my taskbar, and when I click it, it opens Internet Explorer to the www.virusheat.com site.

How did you download malware?

I would also recommend moving Sygate to your C:\ drive; surely you can't be so desperate for space that you need to run it separately.

You are using peer-to-peer programs.
These are what we call an optional removal. However, anytime you are running any type of peer-to-peer application, you are more prone to infection by malware, and this is probably how you became infected in the first place. The choice to remove them is entirely up to you, but I would strongly recommend that you do.
If you do not want to, please at least refrain from using any peer-to-peer programs for the remainder of my fix.
For more information about infections as a result of p2p programs, take a look here: http://p2p.malwareremoval.com/

Download AVG Anti-Spyware to your Desktop.
Start the set-up program by double clicking the installer.
Follow the on screen instructions to install the program, making sure that "Launch AVG Anti-Spyware" is checked.
Click the Update tab then select Start update; a progress bar will show the updates being installed.
Now press the Scanner icon, and click the Settings tab.
Click Recommended actions, then set it to Quarantine.
Close the programme now, we will scan with it later on.

Reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Launch AVG Anti-Spyware by double clicking the icon on your Desktop.
Press the Scanner icon.
Then click on the Complete System Scan button.
If any infections are found, you will be asked for an action; select Apply all actions.
Now press the Reports icon at the top.
Choose Save report as and save the text file to your Desktop.
Please post this log in your next reply.

If you are pleased with the service I have offered, you may like to consider making a donation.


#10 anjo03
  • Topic Starter
  • Members
  • 140 posts
  • Local time:02:21 PM

Posted 04 April 2008 - 09:11 PM

I downloaded it when I was surfing the net, and some site used ActiveX to put it on my computer.

My P2P program, LimeWire, has nothing to do with it because I only download .mp3 files and make sure they're clean.

Uhm, I have SUPERAntiSpyware on my computer. Can that be a replacement for the AVG scan?

#11 rookie147
  • Members
  • 5,321 posts
  • Local time:07:21 AM

Posted 05 April 2008 - 11:53 AM

My P2P program, LimeWire, has nothing to do with it because I only download .mp3 files and make sure they're clean.

Like I said, any kind of P2P programme still contains its fair share of malware that you can easily download, even by mistake. Besides, there are the obvious legal implications of downloading such items.

Hm, I have SUPERAntiSpyware on my computer. Can that be a replacement for the AVG scan?

No.



#12 anjo03
  • Topic Starter
  • Members
  • 140 posts
  • Local time:02:21 PM

Posted 10 April 2008 - 08:08 AM

Sorry for the long wait; I've got 4 parts here. I scanned using SUPERAntiSpyware because the "virusheat" was on the computer when I hadn't yet had the reply about downloading AVG Anti-Spyware. The scans were also interrupted.


SUPERAntiSpyware Scan Log
Generated 04/05/2008 at 11:51 AM

Application Version : 3.6.1000

Core Rules Database Version : 3408
Trace Rules Database Version: 1400

Scan type : Complete Scan
Total Scan Time : 00:03:00

Memory items scanned : 323
Memory threats detected : 1
Registry items scanned : 2981
Registry threats detected : 0
File items scanned : 0
File threats detected : 1

Trojan.Media-Codec/V5
C:\PROGRAM FILES\NETPROJECT\SBMDL.DLL
C:\PROGRAM FILES\NETPROJECT\SBMDL.DLL

SUPERAntiSpyware Scan Log
Generated 04/05/2008 at 01:48 PM

Application Version : 3.6.1000

Core Rules Database Version : 3408
Trace Rules Database Version: 1400

Scan type : Complete Scan
Total Scan Time : 01:06:51

Memory items scanned : 300
Memory threats detected : 0
Registry items scanned : 4443
Registry threats detected : 3
File items scanned : 73004
File threats detected : 14

Trojan.Smitfraud Variant/IE Anti-Spyware
HKLM\Software\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}

Trojan.Security Toolbar
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url

Trojan.Media-Codec/V4
HKCR\videoPl.chl
HKCR\videoPl.chl\CLSID

Trojan.Media-Codec/V5
C:\PROGRAM FILES\NETPROJECT\SCU.EXE
C:\PROGRAM FILES\NETPROJECT\SCM.EXE
C:\PROGRAM FILES\NETPROJECT\WAMDL.DLL
C:\PROGRAM FILES\NETPROJECT\SBSM.EXE
C:\PROGRAM FILES\NETPROJECT\WAUN.EXE
C:\WINDOWS\Prefetch\SCM.EXE-10EE30C5.pf
C:\WINDOWS\Prefetch\SBSM.EXE-0482749B.pf

Trojan.Unknown Origin
C:\PROGRAM FILES\NETPROJECT\TS.ICO
C:\PROGRAM FILES\NETPROJECT\OT.ICO

Trojan.Unclassified/QQLogin-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B3DCA597-51D3-44E3-99AD-AD130AFDCFAC}\RP646\A0147602.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B3DCA597-51D3-44E3-99AD-AD130AFDCFAC}\RP646\A0147607.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B3DCA597-51D3-44E3-99AD-AD130AFDCFAC}\RP652\A0148861.DLL

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:35:50 PM 4/9/2008

+ Scan result:



C:\WINDOWS\APISMTPDos.exe -> Backdoor.DSSdoor.c : Cleaned with backup (quarantined).
C:\Documents and Settings\user\Cookies\user@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\user\Cookies\user@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\user\Cookies\user@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\user\My Documents\Downloads\Adobe Photoshop CS3 v10 with Crack full version.zip/_crack_/aps3ekg.exe -> Trojan.Agent.cj : Cleaned with backup (quarantined).


::Report end

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:16:23 PM 4/10/2008

+ Scan result:



C:\System Volume Information\_restore{B3DCA597-51D3-44E3-99AD-AD130AFDCFAC}\RP657\A0149451.exe -> Backdoor.DSSdoor.c : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\D3D9_32.DLL.vir -> Downloader.Agent.loa : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\DXDLG.EXE.vir -> Downloader.Agent.loa : Cleaned.
C:\System Volume Information\_restore{B3DCA597-51D3-44E3-99AD-AD130AFDCFAC}\RP647\snapshot\MFEX-1.DAT -> Downloader.Agent.loa : Cleaned.
C:\System Volume Information\_restore{B3DCA597-51D3-44E3-99AD-AD130AFDCFAC}\RP652\A0148867.DLL -> Downloader.Agent.loa : Cleaned.
C:\System Volume Information\_restore{B3DCA597-51D3-44E3-99AD-AD130AFDCFAC}\RP652\A0148869.EXE -> Downloader.Agent.loa : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\DE329800.EXE.vir -> Downloader.Flux.f : Cleaned.
C:\System Volume Information\_restore{B3DCA597-51D3-44E3-99AD-AD130AFDCFAC}\RP652\A0148872.exe -> Downloader.Flux.f : Cleaned.
C:\System Volume Information\_restore{B3DCA597-51D3-44E3-99AD-AD130AFDCFAC}\RP652\A0148882.EXE -> Downloader.Flux.f : Cleaned.
C:\System Volume Information\_restore{B3DCA597-51D3-44E3-99AD-AD130AFDCFAC}\RP653\A0149035.exe -> Downloader.Flux.f : Cleaned.
D:\System Volume Information\_restore{B3DCA597-51D3-44E3-99AD-AD130AFDCFAC}\RP652\A0148873.exe -> Downloader.Flux.f : Cleaned.
D:\System Volume Information\_restore{B3DCA597-51D3-44E3-99AD-AD130AFDCFAC}\RP653\A0149038.exe -> Downloader.Flux.f : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\msosfpids32.sys.vir -> Rootkit.Agent.abq : Cleaned.
C:\System Volume Information\_restore{B3DCA597-51D3-44E3-99AD-AD130AFDCFAC}\RP652\A0148898.sys -> Rootkit.Agent.abq : Cleaned.
C:\Documents and Settings\user\Cookies\user@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\user\Cookies\user@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\user\Cookies\user@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\user\Cookies\user@ad.yieldmanager[3].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\Wingin.exe.vir -> Trojan.Inject.agw : Cleaned.
C:\System Volume Information\_restore{B3DCA597-51D3-44E3-99AD-AD130AFDCFAC}\RP652\A0148864.exe -> Trojan.Inject.agw : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\amvo0.dll.vir -> Trojan.OnLineGames.rol : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\amvo1.dll.vir -> Trojan.OnLineGames.rol : Cleaned.
C:\System Volume Information\_restore{B3DCA597-51D3-44E3-99AD-AD130AFDCFAC}\RP652\A0148857.dll -> Trojan.OnLineGames.rol : Cleaned.
C:\System Volume Information\_restore{B3DCA597-51D3-44E3-99AD-AD130AFDCFAC}\RP652\A0148858.dll -> Trojan.OnLineGames.rol : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\amvo.exe.vir -> Trojan.OnLineGames.ros : Cleaned.
C:\System Volume Information\_restore{B3DCA597-51D3-44E3-99AD-AD130AFDCFAC}\RP652\A0148856.exe -> Trojan.OnLineGames.ros : Cleaned.
C:\oufddh.exe -> Trojan.OnLineGames.ros : Cleaned.
D:\oufddh.exe -> Trojan.OnLineGames.ros : Cleaned.
C:\QooBox\Quarantine\catchme2008-04-05_ 10625.67.zip/Documents and Settings/user/Desktop/catchme.zip/msosmhfp00.dll -> Trojan.OnLineGames.rzf : Cleaned.
C:\QooBox\Quarantine\catchme2008-04-05_ 10625.67.zip/Documents and Settings/user/Desktop/catchme.zip/msosmhfp01.dll -> Trojan.OnLineGames.rzf : Cleaned.
C:\System Volume Information\_restore{B3DCA597-51D3-44E3-99AD-AD130AFDCFAC}\RP646\A0147621.exE -> Trojan.OnLineGames.sbm : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\mppds.dll.vir -> Trojan.OnLineGames.scq : Cleaned.
C:\System Volume Information\_restore{B3DCA597-51D3-44E3-99AD-AD130AFDCFAC}\RP646\A0147610.dll -> Trojan.OnLineGames.scq : Cleaned.
C:\System Volume Information\_restore{B3DCA597-51D3-44E3-99AD-AD130AFDCFAC}\RP652\A0148849.dll -> Trojan.OnLineGames.scq : Cleaned.
C:\System Volume Information\_restore{B3DCA597-51D3-44E3-99AD-AD130AFDCFAC}\RP646\A0147626.exe -> Trojan.OnLineGames.scr : Cleaned.
C:\System Volume Information\_restore{B3DCA597-51D3-44E3-99AD-AD130AFDCFAC}\RP646\A0147631.exe -> Trojan.OnLineGames.sol : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\knlExt.dll.vir -> Trojan.OnLineGames.sxz : Cleaned.
C:\System Volume Information\_restore{B3DCA597-51D3-44E3-99AD-AD130AFDCFAC}\RP652\A0148866.dll -> Trojan.OnLineGames.sxz : Cleaned.
C:\System Volume Information\_restore{B3DCA597-51D3-44E3-99AD-AD130AFDCFAC}\RP646\A0147609.dll -> Trojan.OnLineGames.tip : Cleaned.
C:\System Volume Information\_restore{B3DCA597-51D3-44E3-99AD-AD130AFDCFAC}\RP646\A0147625.exe -> Trojan.OnLineGames.ufj : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\NVDispDrv.dll.vir -> Trojan.OnLineGames.uqx : Cleaned.
C:\System Volume Information\_restore{B3DCA597-51D3-44E3-99AD-AD130AFDCFAC}\RP646\A0147608.dll -> Trojan.OnLineGames.uqx : Cleaned.
C:\System Volume Information\_restore{B3DCA597-51D3-44E3-99AD-AD130AFDCFAC}\RP652\A0148854.dll -> Trojan.OnLineGames.uqx : Cleaned.
C:\System Volume Information\_restore{B3DCA597-51D3-44E3-99AD-AD130AFDCFAC}\RP646\A0147620.exe -> Trojan.OnLineGames.vsi : Cleaned.
C:\System Volume Information\_restore{B3DCA597-51D3-44E3-99AD-AD130AFDCFAC}\RP646\A0147633.exe -> Trojan.OnLineGames.vwr : Cleaned.
C:\System Volume Information\_restore{B3DCA597-51D3-44E3-99AD-AD130AFDCFAC}\RP646\A0147622.exe -> Trojan.OnLineGames.vwu : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\k120713184211.exe.vir -> Trojan.Vaklik.mn : Cleaned.
C:\System Volume Information\_restore{B3DCA597-51D3-44E3-99AD-AD130AFDCFAC}\RP646\A0147630.EXE -> Trojan.Vaklik.mn : Cleaned.
C:\System Volume Information\_restore{B3DCA597-51D3-44E3-99AD-AD130AFDCFAC}\RP652\A0148878.exe -> Trojan.Vaklik.mn : Cleaned.
C:\System Volume Information\_restore{B3DCA597-51D3-44E3-99AD-AD130AFDCFAC}\RP646\A0147632.exe -> Trojan.Vaklik.ns : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\k120499584215.exe.vir -> Trojan.Vaklik.nz : Cleaned.
C:\System Volume Information\_restore{B3DCA597-51D3-44E3-99AD-AD130AFDCFAC}\RP652\A0148875.exe -> Trojan.Vaklik.nz : Cleaned.


::Report end
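
Most of the lines in the two AVG reports above point into `System Volume Information\_restore{...}` (System Restore snapshots) or `C:\QooBox\Quarantine` (the folder ComboFix stores its quarantined files in), not into live system locations. The following script is an added example, not part of this thread or of AVG Anti-Spyware: it parses report lines of the `path -> detection : action` form shown above into records, classifies each hit by where it lives, and lists only the detections that were found in live locations. The sample text is a constructed excerpt whose detection lines are copied from the reports posted above; the location categories and function names are the example's own.

```python
import re
from collections import Counter

# Constructed excerpt in AVG Anti-Spyware 7.5 report format. The detection lines
# are copied from the reports posted above; the header/footer lines show what
# the parser must skip.
SAMPLE_REPORT = r"""---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:16:23 PM 4/10/2008

+ Scan result:

C:\WINDOWS\APISMTPDos.exe -> Backdoor.DSSdoor.c : Cleaned with backup (quarantined).
C:\Documents and Settings\user\Cookies\user@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\System Volume Information\_restore{B3DCA597-51D3-44E3-99AD-AD130AFDCFAC}\RP652\A0148898.sys -> Rootkit.Agent.abq : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\msosfpids32.sys.vir -> Rootkit.Agent.abq : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\amvo.exe.vir -> Trojan.OnLineGames.ros : Cleaned.
C:\oufddh.exe -> Trojan.OnLineGames.ros : Cleaned.
D:\oufddh.exe -> Trojan.OnLineGames.ros : Cleaned.

::Report end
"""

# One result line: "<path> -> <detection name> : <action taken>"
RESULT_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>[^:]+?) : (?P<action>.+)$")

# Location labels are this example's own classification, not AVG's.
LIVE = "live file"


def classify_location(path):
    """Say where a detected object lives; only LIVE hits were active on the system."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point copy"        # System Restore snapshot of an old file
    if "\\qoobox\\quarantine\\" in p:
        return "ComboFix quarantine"       # already neutralised by ComboFix
    if "\\cookies\\" in p:
        return "tracking cookie"
    return LIVE


def parse_report(text):
    """Turn the report into a list of dicts; header and footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["family"] = entry["detection"].split(".")[0]   # Trojan, Rootkit, ...
        entry["location"] = classify_location(entry["path"])
        entries.append(entry)
    return entries


def count_by_location(entries):
    return Counter(e["location"] for e in entries)


def count_by_family(entries):
    return Counter(e["family"] for e in entries)


def live_detections(entries):
    """The hits that matter for 'is the machine still infected?': live files only."""
    return [e for e in entries if e["location"] == LIVE]


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print("by location:", dict(count_by_location(found)))
    print("by family:  ", dict(count_by_family(found)))
    for e in live_detections(found):
        print(f"LIVE  {e['path']}  [{e['detection']}]  {e['action']}")
```

Run on the sample, the location tally shows one restore-point copy and two quarantine copies against three live files (the executable in `C:\WINDOWS` and the two `oufddh.exe` copies at the drive roots); the restore-point and quarantine entries are the ones the next post addresses by purging System Restore.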

#13 rookie147
  • Members
  • 5,321 posts
  • Local time:07:21 AM

Posted 10 April 2008 - 03:48 PM

We need to purge your infected system restore points.
On the Desktop, right-click My Computer, then click Properties.
Click the System Restore tab near the top of the window.
Check Turn off System Restore, click Apply, and then click OK.
More information on how to disable your system restore can be found here.

We want to create a new, clean restore point. Please first reboot your computer.
On the Desktop, right-click My Computer, then click Properties.
Click the System Restore tab near the top of the window.
Uncheck "Turn off System Restore", click Apply, and then click OK.

Click Start | All Programs | Accessories | System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point, something like "After trojan/spyware cleanup".
Click Create, and after it has created the restore point, click "Close".
Further instructions on creating a restore point can be found here.

Then I'd like a new HJT log, since it's been quite a while.



#14 anjo03
  • Topic Starter
  • Members
  • 140 posts
  • Local time:02:21 PM

Posted 11 April 2008 - 09:24 PM

Here it is, the HJT scan.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:22:21 AM, on 4/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Sygate Personal Firewall\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - C:\Program Files\NetProject\sbmdl.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SmcService] D:\SYGATE~1\smc.exe -startgui
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O8 - Extra context menu item: &Download All by Gigaget - C:\Program Files\Giganology\Gigaget\getallurl.htm
O8 - Extra context menu item: &Download by Gigaget - C:\Program Files\Giganology\Gigaget\geturl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{43D019DA-BA4E-4099-BB20-AB32EB611E4C}: NameServer = 202.78.97.41 210.4.2.61
O20 - Winlogon Notify: !SASWinLogon - D:\Super ANTI-SPYWARE\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Sygate Personal Firewall\smc.exe

--
End of file - 3604 bytes
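
The new log still carries the `O2 - BHO: (no name) - {7C109800-...} - C:\Program Files\NetProject\sbmdl.dll (file missing)` line: SUPERAntiSpyware removed the DLL (it is listed as `Trojan.Media-Codec/V5` in the scan log above), but the Browser Helper Object registration that loaded it was left behind. Orphaned entries like this are what a helper scans an HJT log for, and the script below is an added example, not part of this thread or of HijackThis, that does that mechanically: it parses the `O2`, `O4`, `O17` and `O23` entry types into records, lists registrations whose file is missing, and pulls out the DNS servers from the `O17` line so they can be checked against the ones the ISP is expected to provide. The sample is a constructed excerpt whose entry lines are copied from the log above; the record fields and function names are the example's own.

```python
import re

# Constructed excerpt in HijackThis 2.0.2 log format; the entry lines are
# copied from the log posted above (CLSIDs, paths and addresses are the page's
# own values). Header, process list and footer lines show what is skipped.
SAMPLE_HJT = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:22:21 AM, on 4/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: GigagetIEHelper - {111CAA23-6F4F-42AC-8555-B48C1D87BBAB} - C:\WINDOWS\system32\gigagetbho_v10.dll
O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - C:\Program Files\NetProject\sbmdl.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O17 - HKLM\System\CCS\Services\Tcpip\..\{43D019DA-BA4E-4099-BB20-AB32EB611E4C}: NameServer = 202.78.97.41 210.4.2.61
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Sygate Personal Firewall\smc.exe

--
End of file - 3604 bytes
"""

# Every entry line starts with a section code such as R0, O2, O23.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<key>.*\\Run[^:]*): \[(?P<label>[^\]]*)\] (?P<command>.*)$")
NS_RE = re.compile(r"NameServer = (?P<servers>.*)$")
SVC_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<company>.+?) - (?P<path>.+)$")
MISSING = "(file missing)"


def parse_hjt(text):
    """Return one dict per entry line; unparsed sections keep only section and raw."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue                      # banner, process list, footer
        section, body = m["section"], m["body"]
        entry = {"section": section, "raw": line}
        if section == "O2":               # Browser Helper Object registration
            b = BHO_RE.match(body)
            if b:
                entry.update(name=b["name"], clsid=b["clsid"],
                             path=b["path"].replace(" " + MISSING, ""),
                             file_missing=body.endswith(MISSING))
        elif section == "O4":             # autostart from a Run key
            r = RUN_RE.match(body)
            if r:
                entry.update(key=r["key"], label=r["label"], command=r["command"])
        elif section == "O17":            # per-interface DNS servers
            n = NS_RE.search(body)
            if n:
                entry["nameservers"] = n["servers"].split()
        elif section == "O23":            # installed service
            s = SVC_RE.match(body)
            if s:
                entry.update(name=s["name"], company=s["company"], path=s["path"])
        entries.append(entry)
    return entries


def orphaned_registrations(entries):
    """Registry entries whose target file no longer exists: leftovers to clean up."""
    return [e for e in entries if e.get("file_missing")]


def nameservers(entries):
    """All DNS servers from O17 lines, for comparison with the ISP's known resolvers."""
    return [ip for e in entries for ip in e.get("nameservers", [])]


def run_labels(entries):
    return [e["label"] for e in entries if e["section"] == "O4" and "label" in e]


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_HJT)
    for e in orphaned_registrations(parsed):
        print(f"orphaned {e['section']} {e['clsid']} -> {e['path']}")
    print("autostarts:", run_labels(parsed))
    print("DNS servers to verify:", nameservers(parsed))
```

On the sample this reports the single orphaned NetProject BHO, the two `Run`-key autostarts and the two DNS addresses; whether those addresses are legitimate is something to confirm with the ISP, which the parser cannot decide on its own.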

#15 rookie147
  • Members
  • 5,321 posts
  • Local time:07:21 AM

Posted 13 April 2008 - 03:03 PM

Okay, how do things seem to be running now?
