Amvo.dll Keeps Coming Back


This topic is locked
6 replies to this topic

#1 Wassim

Posted 13 April 2008 - 12:56 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:50:34 PM, on 4/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\VM_STI.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Folder Guard Pro\FGKey.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Wass\Desktop\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\flashget.exe /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [FG_Monitor] C:\Program Files\Folder Guard Pro\FGKey.exe /Start
O4 - HKLM\..\Run: [Barsaka] explorer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 4836 bytes
"Stuffy Hall Admin of the Typing Skills Enhancing School Program"

#2 Rawe

Posted 14 April 2008 - 02:56 PM

Hello....

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once we're finished.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
When disabled, please download ResetTeaTimer.bat.
Double-click ResetTeaTimer.bat to remove all entries set by TeaTimer. This is done so it can be re-enabled without problems after cleaning.

-----

Please rerun a scan with HijackThis (scan only) and check the following objects for removal:

O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O4 - HKLM\..\Run: [Barsaka] explorer.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)


Now close ALL other open windows but HijackThis and hit FIX CHECKED. Exit HijackThis.

-----

Please download Malwarebytes' Anti-Malware and save it to your desktop.
  • Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • If you have trouble with the update process, please download the latest updates here.
  • Double-click the mbam-rules.exe file on your desktop and let it update the application.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (see extra note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Please copy and paste the entire report in your next reply along with a fresh HijackThis log.
Extra note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Hi there, stranger!

#3 Wassim

Posted 14 April 2008 - 03:33 PM

Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.11
Database version: 628

Scan type: Full Scan (C:\|)
Objects scanned: 68911
Time elapsed: 12 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


And here's the HijackThis log after scanning with Malwarebytes:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:24:11 PM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\VM_STI.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Folder Guard Pro\FGKey.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Data\Applications\Antivirus\HiJackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe, explorer.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\flashget.exe /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [FG_Monitor] C:\Program Files\Folder Guard Pro\FGKey.exe /Start
O4 - HKLM\..\Run: [Barsaka] explorer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 4096 bytes

I guess 2 of the entries you asked me to check were not fixed, though I checked them and fixed them....

Thanks for your help

PS: My Documents opens on startup.

Edited by Wassim, 14 April 2008 - 03:35 PM.

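An added example, not code from this thread or from Trend Micro: a small Python script that diffs the first HijackThis log against the one posted after FIX CHECKED, using the three entries Rawe asked to have fixed, and reports which of them came back and what is new. The sample log lines are copied from the logs above and trimmed to the relevant entries; the function names are my own.

```python
"""Compare two HijackThis logs against a list of requested fixes.

Given the log posted before the fix, the entries the helper asked to have
fixed, and the log posted afterwards, report which requested entries were
removed, which are still present (i.e. came back after FIX CHECKED), which
entries are new, and which disappeared without being requested.
"""
import re

# A HijackThis finding line starts with a section code such as F2, O2, O4, O24.
# Header lines and the "Running processes" listing do not match this pattern.
ENTRY_RE = re.compile(r"^[FORN]\d{1,2} - ")


def normalise(entry: str) -> str:
    """Collapse whitespace so copy-pasted lines compare reliably."""
    return re.sub(r"\s+", " ", entry.strip())


def parse_hjt(log: str) -> set[str]:
    """Return the set of HijackThis entries found in a pasted log."""
    entries = set()
    for raw in log.splitlines():
        line = normalise(raw)
        if ENTRY_RE.match(line):
            entries.add(line)
    return entries


def fix_report(before: str, requested: list[str], after: str) -> dict[str, list[str]]:
    """Classify requested fixes and other changes between two logs."""
    before_set = parse_hjt(before)
    after_set = parse_hjt(after)
    wanted = {normalise(e) for e in requested}
    return {
        # requested, present before, absent after: the fix held
        "fixed": sorted(wanted & (before_set - after_set)),
        # requested but still present in the later log: came back
        "persisted": sorted(wanted & after_set),
        # present after but not before: something re-created or added these
        "new": sorted(after_set - before_set),
        # gone without being requested (e.g. a tool the user disabled)
        "removed_unrequested": sorted((before_set - after_set) - wanted),
    }


# Sample input: lines copied from the two HijackThis logs in this thread,
# trimmed to a few entries so the example runs offline.
BEFORE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:50:34 PM, on 4/13/2008

Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [Barsaka] explorer.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)
"""

AFTER_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:24:11 PM, on 4/14/2008

Running processes:
C:\WINDOWS\System32\smss.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe, explorer.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [Barsaka] explorer.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)
"""

# The three entries the helper asked to be fixed in post #2.
REQUESTED = [
    "O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)",
    r"O4 - HKLM\..\Run: [Barsaka] explorer.exe",
    "O24 - Desktop Component AutorunsDisabled: (no name) - (no file)",
]

if __name__ == "__main__":
    for kind, lines in fix_report(BEFORE_LOG, REQUESTED, AFTER_LOG).items():
        print(f"{kind}:")
        for line in lines:
            print("   ", line)
```

The "persisted" and "new" buckets are the ones to hand back to the helper: an entry that survives FIX CHECKED was re-created by something still running, which is the pattern this thread is about.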

#4 Rawe

Posted 15 April 2008 - 12:50 AM

Well, that didn't go as I planned.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#5 Wassim

Posted 15 April 2008 - 03:10 PM

Main.txt LOG

Deckard's System Scanner v20071014.68
Run by Wass on 2008-04-15 23:03:02
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Wass.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:03:04 PM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\FlashGet\flashget.exe
C:\WINDOWS\VM_STI.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Folder Guard Pro\FGKey.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Wass\Desktop\dss.exe
C:\Data\APPLIC~1\ANTIVI~1\Wass.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe, explorer.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\flashget.exe /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera 301x
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [FG_Monitor] C:\Program Files\Folder Guard Pro\FGKey.exe /Start
O4 - HKLM\..\Run: [Barsaka] explorer.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 4445 bytes

-- Files created between 2008-03-15 and 2008-04-15 -----------------------------

2008-04-14 23:04:56 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-14 20:11:26 2560 -r-hs---- C:\WINDOWS\system32\fooool.exe
2008-04-13 23:44:09 0 d-------- C:\Program Files\Common Files\Stardock
2008-04-13 23:44:09 0 d-------- C:\LogonXP
2008-04-12 21:52:53 104140 -r-hs---- C:\0hct8ybw.bat
2008-04-12 16:20:25 0 d-------- C:\Program Files\Asset Tracker for Networks
2008-04-12 13:41:26 0 d-------- C:\WINDOWS\RegisteredPackages
2008-04-12 02:02:23 0 d-------- C:\Documents and Settings\Wass\Application Data\Malwarebytes
2008-04-12 02:02:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-12 02:02:08 0 d-------- C:\Program Files\Common Files\Download Manager
2008-04-11 00:05:56 0 d-------- C:\Program Files\a-squared Free
2008-04-10 23:48:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-10 23:43:55 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-04-10 23:43:55 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-04-10 23:43:55 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-04-10 23:43:55 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-04-10 23:43:55 82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-04-10 23:43:55 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-10 17:15:45 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-04-10 17:15:40 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-04-10 17:15:40 0 d-------- C:\Documents and Settings\Wass\Application Data\SUPERAntiSpyware.com
2008-04-10 13:32:28 0 d-------- C:\Program Files\Trend Micro
2008-04-08 20:59:44 0 d-------- C:\Program Files\Smart AntiVirus
2008-04-04 21:22:05 0 d-------- C:\Documents and Settings\Wass\Application Data\DeskSoft
2008-04-03 21:05:29 0 d-------- C:\Documents and Settings\All Users\Application Data\SweetIM
2008-04-03 21:03:45 0 d-------- C:\Program Files\Winamp
2008-04-03 18:31:21 356352 --a------ C:\WINDOWS\eSellerateEngine.dll <Not Verified; eSellerate Inc.; eSellerateEngine>
2008-04-03 18:31:21 0 d-------- C:\Program Files\QO Labs
2008-04-02 15:11:31 0 d-------- C:\Documents and Settings\Wass\Application Data\Winamp
2008-04-01 22:24:02 0 d-------- C:\Documents and Settings\Wass\Application Data\BWMonitor
2008-04-01 20:28:45 0 d-------- C:\Documents and Settings\Wass\Application Data\Ahead
2008-04-01 20:28:06 364544 --a------ C:\WINDOWS\system32\TwnLib4.dll <Not Verified; Pegasus Imaging Corp.; TwnLib4>
2008-04-01 20:28:05 471040 --a------ C:\WINDOWS\system32\imagXRA7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-04-01 20:28:05 262144 --a------ C:\WINDOWS\system32\imagXR7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-04-01 20:28:05 1568768 --a------ C:\WINDOWS\system32\imagX7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-04-01 20:28:00 0 d-------- C:\Program Files\Common Files\Ahead
2008-04-01 20:27:56 0 d-------- C:\Program Files\Nero
2008-04-01 19:51:53 0 d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-04-01 14:03:09 0 d-------- C:\Documents and Settings\Wass\Application Data\Skype
2008-04-01 02:51:09 0 d-------- C:\Documents and Settings\Wass\Application Data\Thinstall
2008-04-01 01:34:30 0 d-------- C:\Documents and Settings\Wass\Application Data\TeamViewer
2008-03-31 22:50:45 101888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL <Not Verified; Microsoft Corporation; Microsoft® Visual Basic pour Windows>
2008-03-31 22:50:45 119568 --a------ C:\WINDOWS\system32\VB6FR.DLL <Not Verified; Microsoft Corporation; Environnement Visual Basic>
2008-03-31 22:50:45 21504 --a------ C:\WINDOWS\system32\TABCTFR.DLL <Not Verified; Microsoft Corporation; Bibliothèque d'objets TabCtl32>
2008-03-31 22:50:44 141312 --a------ C:\WINDOWS\system32\MSCMCFR.DLL <Not Verified; Microsoft Corporation; COMCTL>
2008-03-31 22:50:44 59904 --a------ C:\WINDOWS\system32\Mscc2fr.dll <Not Verified; Microsoft Corporation; Bibliothèque d'objets de Microsoft Common Controls 2>
2008-03-31 22:50:44 32768 --a------ C:\WINDOWS\system32\CMDLGFR.DLL <Not Verified; Microsoft Corporation; CMDIALOG>
2008-03-31 20:30:38 1703936 --a------ C:\WINDOWS\system32\gdiplus.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-03-31 20:30:38 110592 --a------ C:\WINDOWS\system32\ccrpbds6.dll <Not Verified; Common Controls Replacement Project (CCRP); CCRPBrowseDlgSvr6.BrowseDialog>
2008-03-31 20:30:38 0 d-------- C:\Program Files\PIXresizer
2008-03-31 19:10:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-03-31 19:10:23 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-30 20:02:31 0 d-------- C:\Program Files\Folder Guard Pro
2008-03-30 19:13:45 0 d-------- C:\Data
2008-03-30 18:50:45 0 dr-h----- C:\Documents and Settings\Wass\Recent
2008-03-29 23:20:54 0 d-------- C:\Documents and Settings\Wass\Application Data\NCH Swift Sound
2008-03-28 12:52:32 0 d-------- C:\Program Files\Windows Live
2008-03-28 02:13:35 0 d-------- C:\Documents and Settings\Wass\Application Data\DivX
2008-03-28 02:06:33 0 d-------- C:\Program Files\DivX
2008-03-27 13:12:56 0 d-------- C:\Program Files\EMS
2008-03-26 21:43:57 0 d-------- C:\WINDOWS\Downloaded Installations
2008-03-26 20:53:48 0 d-------- C:\WINDOWS\system32\appmgmt
2008-03-26 00:39:28 0 d-------- C:\Documents and Settings\Wass\Application Data\WaveMax Sound Editor
2008-03-25 23:05:58 0 d-------- C:\Documents and Settings\Wass\Application Data\FairStars Recorder
2008-03-22 03:01:06 0 d-------- C:\Documents and Settings\Wass\Application Data\Tsarfin Computing
2008-03-22 02:03:06 0 d-------- C:\Documents and Settings\Wass\Incomplete
2008-03-22 02:02:30 0 d-------- C:\Program Files\LimeWire
2008-03-21 16:14:12 0 d-------- C:\Program Files\Alwil Software
2008-03-21 00:51:30 0 d-------- C:\Documents and Settings\Wass\Application Data\gtopala
2008-03-21 00:12:05 0 d-------- C:\Documents and Settings\Wass\temp
2008-03-20 19:42:05 0 d-------- C:\WINDOWS\bintemp01
2008-03-20 19:39:24 569344 --a------ C:\WINDOWS\system32\Zip2Exe.dll <Not Verified; Chilkat Software, Inc.; Zip2Exe Module>
2008-03-20 19:39:24 102160 --a------ C:\WINDOWS\system32\VB6CHT.DLL <Not Verified; Microsoft Corporation; Visual Basic Environment>
2008-03-20 19:39:24 20530 --a------ C:\WINDOWS\system32\scrrncht.dll <Not Verified; Microsoft Corporation; Microsoft ® Script Runtime>
2008-03-20 19:39:24 28160 --a------ C:\WINDOWS\system32\CMDLGCHT.DLL <Not Verified; Microsoft Corporation; CMDIALOG>
2008-03-20 19:39:24 1097728 --a------ C:\WINDOWS\system32\chilkatZip2.dll <Not Verified; Chilkat Software, Inc.; Chilkat Zip>
2008-03-20 01:23:15 30740 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-03-20 00:20:25 0 d-------- C:\Program Files\Safari
2008-03-19 05:16:34 0 d--hs---- C:\$RECYCLE.BIN
2008-03-19 01:57:50 0 d-------- C:\Documents and Settings\Wass\Application Data\LimeWire
2008-03-18 18:51:06 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-18 18:46:07 0 d-------- C:\Program Files\LSoft Technologies
2008-03-17 23:52:01 147456 -ra------ C:\WINDOWS\VMCap.exe <Not Verified; VM; >
2008-03-17 23:52:00 40960 -ra------ C:\WINDOWS\VM_STI.EXE <Not Verified; VM.; >
2008-03-17 23:52:00 49152 -ra------ C:\WINDOWS\amcap.exe
2008-03-17 23:51:59 61440 -ra------ C:\WINDOWS\system32\VM31bSTI.dll <Not Verified; VM; >
2008-03-17 23:51:57 90581 -ra------ C:\WINDOWS\system32\drivers\usbVM31b.sys <Not Verified; VM; >


-- Find3M Report ---------------------------------------------------------------

2008-04-15 23:02:42 0 d-------- C:\Program Files\FlashGet
2008-04-13 23:44:09 0 d-------- C:\Program Files\Common Files
2008-03-31 19:14:06 0 d-------- C:\Documents and Settings\Wass\Application Data\Adobe
2008-03-20 00:20:47 0 d-------- C:\Documents and Settings\Wass\Application Data\Apple Computer
2008-03-13 15:45:58 0 d-------- C:\Program Files\Mayoko
2008-03-13 14:29:20 0 d-------- C:\Program Files\CCleaner
2008-03-13 13:50:14 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-13 13:41:04 0 d-------- C:\Program Files\QuickTime
2008-03-13 13:40:30 0 d-------- C:\Program Files\Apple Software Update
2008-03-13 03:26:24 0 d-------- C:\Program Files\Common Files\Hypnotizer
2008-03-13 02:40:17 0 d-------- C:\Documents and Settings\Wass\Application Data\Media Player Classic
2008-03-13 02:39:47 0 d-------- C:\Program Files\XP Codec Pack
2008-03-13 00:26:10 0 d-------- C:\Documents and Settings\Wass\Application Data\Sun
2008-03-13 00:25:57 0 d-------- C:\Program Files\Java
2008-03-13 00:06:31 0 d-------- C:\Program Files\Common Files\Java
2008-03-12 21:16:28 0 d-------- C:\Program Files\Messenger
2008-03-09 22:11:47 0 d-------- C:\Documents and Settings\Wass\Application Data\Macromedia
2008-03-08 03:14:27 0 d-------- C:\Program Files\Kaspersky Lab
2008-03-07 10:19:55 0 d-------- C:\Program Files\Microsoft.NET
2008-03-07 10:19:52 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-03-07 07:52:20 0 d-------- C:\Program Files\Common Files\ODBC
2008-03-07 07:52:17 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-03-07 07:51:54 62 --ahs---- C:\Documents and Settings\Wass\Application Data\desktop.ini
2008-03-07 06:18:31 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-07 06:12:48 0 d-------- C:\Program Files\Realtek
2008-03-07 06:09:46 0 d-------- C:\Program Files\Intel
2008-03-07 06:06:51 0 d-------- C:\Documents and Settings\Wass\Application Data\Identities
2008-03-07 06:02:23 0 d-------- C:\Program Files\microsoft frontpage
2008-03-07 06:02:10 0 -rahs---- C:\MSDOS.SYS
2008-03-07 06:02:10 0 -rahs---- C:\IO.SYS
2008-03-07 06:02:10 0 --a------ C:\CONFIG.SYS
2008-03-07 06:02:10 0 --a------ C:\AUTOEXEC.BAT
2008-03-07 06:00:48 0 d--h----- C:\Program Files\WindowsUpdate
2008-03-07 06:00:06 0 d-------- C:\Program Files\Common Files\MSSoap
2008-03-07 05:59:58 0 d-------- C:\Program Files\Movie Maker
2008-03-07 05:59:18 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-03-07 05:59:00 0 d-------- C:\Program Files\Online Services
2008-03-07 05:58:52 0 d-------- C:\Program Files\MSN Gaming Zone
2008-03-07 05:58:45 0 d-------- C:\Program Files\Windows NT
2008-03-06 18:29:44 962560 --a------ C:\WINDOWS\system32\VSFilter.dll <Not Verified; Gabest; VSFilter>
2008-02-21 05:05:44 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-02-21 05:04:16 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-02-21 05:04:16 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-02-21 05:04:04 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-02-21 05:04:04 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-02-21 05:04:04 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-02-21 05:04:04 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-02-21 05:03:24 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [01/07/2005 06:07 PM C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [05/05/2005 03:28 AM C:\WINDOWS\RTHDCPL.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [06/15/2005 12:20 PM]
"nwiz"="nwiz.exe" [06/15/2005 12:20 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [06/15/2005 12:20 PM]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [05/18/2007 06:09 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 05:25 AM]
"Flashget"="C:\Program Files\FlashGet\flashget.exe" [09/20/2007 10:21 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [02/01/2008 12:13 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"BigDogPath"="C:\WINDOWS\VM_STI.exe" [01/21/2003 10:19 AM]
"BluetoothAuthenticationAgent"="bthprops.cpl" [08/04/2004 12:56 AM C:\WINDOWS\system32\bthprops.cpl]
"FG_Monitor"="C:\Program Files\Folder Guard Pro\FGKey.exe" [01/05/2008 12:00 AM]
"Barsaka"="explorer.exe" [08/04/2004 12:56 AM C:\WINDOWS\explorer.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Hidden"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe, explorer.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{01df7cc5-0096-11dd-bb58-000acd0e6c77}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL antihost.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e8dd2f3-0645-11dd-bba1-000acd0e6c77}]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7daca310-0868-11dd-bba8-000acd0e6c77}]
AutoRun\command- fooool.exe
explore\Command- fooool.exe
open\Command- fooool.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f666bd8b-0ac2-11dd-bbb0-000acd0e6c77}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

-- End of Deckard's System Scanner: finished at 2008-04-15 23:03:37 ------------

Only the main.txt Notepad opened
"Stuffy Hall Admin of the Typing Skills Enhancing School Program"

#6 Rawe (Members, 2,363 posts, Finland)

Posted 15 April 2008 - 03:39 PM

Go to Start » Run » type in: regedit » OK.
  • On the leftside, click to highlight My Computer at the top.
  • Go up to File » Export
    Make sure in that window there is a tick next to "All" under Export Branch.
    Leave the "Save As Type" as "Registration Files".
    Under "Filename" put RegBackup.
  • Choose to save it to C:\
  • Click Save and then go to File » Exit.
This is so the registry can be restored to this point if we need it. It may take a minute.

Next, please copy the following text in the quotebox below to a blank notepad file. Make sure the filetype is set to "All Files" and save it as Fixit.reg on your desktop.

REGEDIT4

; "=-" removes the named value from the Run key (the file itself is not touched)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Barsaka"=-

; a leading "-" inside the brackets deletes the whole key, including its AutoRun\command subkeys
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{01df7cc5-0096-11dd-bb58-000acd0e6c77}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7daca310-0868-11dd-bba8-000acd0e6c77}]

Now double-click on the Fixit.reg on your desktop and allow it to merge with registry by clicking YES on the prompt. Reboot.

------

Next, please copy the following text in the quotebox below to a blank notepad file. Make sure the filetype is set to "All Files" and save it as delete.bat on your desktop.

@echo off

rem clear read-only and hidden attributes first, then delete regardless of attributes (/a), force (/f), no prompt (/q)
attrib -r -h C:\0hct8ybw.bat
del /a /f /q C:\0hct8ybw.bat
attrib -r -h C:\WINDOWS\system32\fooool.exe
del /a /f /q C:\WINDOWS\system32\fooool.exe
rem remove this script; the working directory is the desktop when it is double-clicked there
del delete.bat
exit

Now double-click on the delete.bat on your desktop -- a window will popup and close, this is normal.

------

Please do an online scan with Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Standard
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • This program will start to scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Hi there, stranger!
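The MountPoints2 keys in the Deckard's System Scanner dump above, and the Fixit.reg posted in reply, follow a pattern worth automating: a key per removable-volume GUID whose AutoRun (and sometimes open/explore) command either names a bare executable on the volume or goes through RunDLL32 Shell32.DLL,ShellExec_RunDLL. The script below is an added example, not code from this thread or from BleepingComputer. It parses the MountPoints2 section as printed by the scanner (the sample text is copied from the dump above so it runs offline), flags keys by those two heuristics plus overridden open/explore verbs, and renders a REGEDIT4 fix in the same form as the posted one. The heuristics are assumptions for illustration, and by pattern they also match the {f666bd8b...} copy.exe key that the posted fix does not list, so the output is something to review against the log, after the registry export step, not to merge blindly.

```python
"""Triage MountPoints2 entries from a DSS-style registry dump and emit a REGEDIT4 fix.

Added example for this thread; not the scanner's or the helper's own tooling.
The sample input is copied from the registry dump posted above.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the mountpoints2 block of the posted dump, verbatim.
SAMPLE_DUMP = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{01df7cc5-0096-11dd-bb58-000acd0e6c77}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL antihost.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6e8dd2f3-0645-11dd-bba1-000acd0e6c77}]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7daca310-0868-11dd-bba8-000acd0e6c77}]
AutoRun\command- fooool.exe
explore\Command- fooool.exe
open\Command- fooool.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f666bd8b-0ac2-11dd-bbb0-000acd0e6c77}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
"""

# "[HKEY_...\mountpoints2\<volume or GUID>]" header lines as the scanner prints them
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+\\mountpoints2\\[^\]]+)\]$", re.IGNORECASE)
# "AutoRun\command- <cmd>", "open\Command- <cmd>", "explore\Command- <cmd>"
VERB_RE = re.compile(r"^(autorun|open|explore)\\command-\s*(.*)$", re.IGNORECASE)


def parse_mountpoints(dump: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {verb: command}} for every mountpoints2 key in the dump."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VERB_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1).lower()] = m.group(2).strip()
    return keys


def reasons(verbs: Dict[str, str]) -> List[str]:
    """Heuristics (assumed, not from the thread) for an autorun-worm style key."""
    out: List[str] = []
    for verb, cmd in verbs.items():
        parts = cmd.split()
        target = parts[0] if parts else ""
        if "shellexec_rundll" in cmd.lower():
            out.append(f"{verb}: launched via RunDLL32 Shell32.DLL,ShellExec_RunDLL")
        elif target and "\\" not in target and not re.match(r"^[A-Za-z]:", target):
            # no drive letter and no path: resolved relative to the removable volume
            out.append(f"{verb}: bare executable name {target!r}")
    if "open" in verbs or "explore" in verbs:
        out.append("open/explore verbs overridden (double-click and right-click hijack)")
    return out


def triage(dump: str) -> Dict[str, List[str]]:
    """Map each flagged key path to the reasons it was flagged, in dump order."""
    flagged: Dict[str, List[str]] = {}
    for key, verbs in parse_mountpoints(dump).items():
        why = reasons(verbs)
        if why:
            flagged[key] = why
    return flagged


def build_fix(dump: str, run_values: Tuple[str, ...] = ()) -> str:
    """Render a REGEDIT4 file deleting flagged keys plus any named HKLM Run values."""
    lines = ["REGEDIT4", ""]
    if run_values:
        lines.append(r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]")
        lines.extend(f'"{name}"=-' for name in run_values)
        lines.append("")
    for key, why in triage(dump).items():
        lines.append("; " + "; ".join(why))  # regedit ignores ';' comment lines
        lines.append(f"[-{key}]")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_fix(SAMPLE_DUMP, run_values=("Barsaka",)))
```

The two E:\LaunchU3.exe entries pass because they carry a full path with a drive letter; the three GUID keys are flagged. Deleting a MountPoints2 key only removes the cached autorun command for that volume; the executable it names still has to be removed from the drive, and the Run value name is supplied by the analyst rather than guessed from the dump.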

#7 Rawe (Members, 2,363 posts, Finland)

Posted 29 April 2008 - 02:20 PM

Due to lack of feedback, this thread has been closed. If you're the original poster and need this topic reopened, please PM a Staff member.
Hi there, stranger!
