
Pop-ups And Reg Key Entries


This topic is locked. 2 replies to this topic

#1 Durmant


Posted 14 April 2008 - 07:05 PM

Hello, a couple of nights ago my girlfriend infected my computer while formatting her own because of this same issue..... I am getting random advertisement pop-ups when I am browsing that have something in common with what I'm browsing about in IE... I'm looking at www.penny-arcade.com and it comes up with Bitefight ads, or when I went to Kaspersky's site to do the online scan it came up with one of those fake "you are infected" things. AND........ something is trying to add a reg key every once in a while but teatimer.exe is catching it:
4/14/2008 7:41:43 PM Denied (based on user blacklist) value "{DB3BE94A-EFDC-4449-8008-94F419D4E638}" (new data: "") added in Browser Helper Object!

but here's the text file from DSS.exe

Deckard's System Scanner v20071014.68
Run by Charles Matthews on 2008-04-14 19:54:15
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
83: 2008-04-14 23:54:25 UTC - RP158 - Deckard's System Scanner Restore Point
82: 2008-04-13 20:51:32 UTC - RP157 - Installed ESET NOD32 Antivirus
81: 2008-04-13 19:04:09 UTC - RP156 - System Checkpoint
80: 2008-04-13 19:04:09 UTC - RP155 - System Checkpoint
79: 2008-04-13 19:04:08 UTC - RP154 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-04-13 19:03:59 UTC - RP76 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Charles Matthews.exe) ------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:55:21 PM, on 4/14/2008
Platform: Windows XP SP3, v.3311 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Slim Multimedia Keyboard\MagicKey.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\Slim Multimedia Keyboard\OSD.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Charles Matthews\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Charles Matthews.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: Shell=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {153E5AD4-B62B-4E0D-B04A-87111B0466DB} - C:\WINDOWS\system32\awtrOgdd.dll
O2 - BHO: (no name) - {4A0B2B73-E6C6-40E1-982E-575D972E230F} - C:\WINDOWS\system32\cbXRHaaW.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: DVA Storm - {C796500F-4B97-4F2B-B886-11FA6B72F13F} - C:\WINDOWS\nslbvxpgrno.dll (file missing)
O2 - BHO: (no name) - {E861B044-F3E8-4A59-8605-0EB60CA5B483} - C:\WINDOWS\system32\byXppqNH.dll (file missing)
O2 - BHO: (no name) - {EEC73EA5-1367-49D1-93F4-CA1D8C22E9F9} - C:\WINDOWS\system32\opnkhfEt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - Global Startup: Slim Multimedia Keyboard.lnk = C:\Program Files\Slim Multimedia Keyboard\MagicKey.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {254AA86E-5655-4518-AA87-185D7CC41801} (LogMeIn Rescue Technician Console) - https://secure.logmeinrescue.com/TechConsol...scueControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1196810364726
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - Winlogon Notify: opnkhfEt - C:\WINDOWS\SYSTEM32\opnkhfEt.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

--
End of file - 6658 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080413-233655-212 O3 - Toolbar: sgoblxtm - {54CF4CA2-C46C-4B5C-8DC5-0C0D42ECD69E} - C:\WINDOWS\sgoblxtm.dll (file missing)
backup-20080413-233655-598 O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
backup-20080413-233656-170 O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
backup-20080413-233656-442 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
backup-20080413-233656-478 O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
backup-20080413-233656-971 O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~2\INetRepl.dll
backup-20080413-233657-205 O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
backup-20080413-233657-222 O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
backup-20080413-233658-437 O17 - HKLM\System\CCS\Services\Tcpip\..\{B0F6756C-0736-467C-85BE-4B322AD4A263}: NameServer = 4.2.2.1,4.2.2.4

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 kbfilter (Keyboard Filter Driver) - c:\windows\system32\drivers\kbfilter.sys <Not Verified; WayTech Development, Inc.; Keyboard filter driver>
R3 smbusp (Intel® SMBus 2.0 Driver) - c:\windows\system32\drivers\intelsmb.sys <Not Verified; Intel Corporation; Intel® SMBus Controller>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
S4 Nero BackItUp Scheduler 3 - c:\program files\nero\nero8\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: AT&T Plug&Share 54Mbps Wireless PCI Adapter
Device ID: PCI\VEN_168C&DEV_0013&SUBSYS_300118A3&REV_01\4&23C0B1C&0&18F0
Manufacturer: AT&T
Name: AT&T Plug&Share 54Mbps Wireless PCI Adapter
PNP Device ID: PCI\VEN_168C&DEV_0013&SUBSYS_300118A3&REV_01\4&23C0B1C&0&18F0
Service: AR5211

Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Description: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
Device ID: ACPI\PNP0303\4&2D2D400&0
Manufacturer: (Standard keyboards)
Name: Standard 101/102-Key or Microsoft Natural PS/2 Keyboard
PNP Device ID: ACPI\PNP0303\4&2D2D400&0
Service: i8042prt


-- Files created between 2008-03-14 and 2008-04-14 -----------------------------

2008-04-14 19:52:00 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-14 19:51:58 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-14 19:51:55 0 d-------- C:\WINDOWS\LastGood
2008-04-14 11:02:11 177536 --ahs---- C:\WINDOWS\system32\ddgOrtwa.ini2
2008-04-14 11:02:05 273408 --a------ C:\WINDOWS\system32\awtrOgdd.dll
2008-04-14 00:22:56 0 dr-h----- C:\Documents and Settings\Charles Matthews\Recent
2008-04-13 23:31:39 183401 --ahs---- C:\WINDOWS\system32\HNqppXyb.ini2
2008-04-13 22:59:19 0 d-------- C:\Program Files\Trend Micro
2008-04-13 22:56:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-13 18:18:49 1744 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-13 16:44:00 0 d-------- C:\Documents and Settings\Charles Matthews\Application Data\TmpRecentIcons
2008-04-13 15:03:48 187566 --ahs---- C:\WINDOWS\system32\WaaHRXbc.ini2
2008-04-13 14:56:48 38400 --a------ C:\WINDOWS\system32\geBropNH.dll
2008-04-13 14:55:07 38400 --a------ C:\WINDOWS\system32\khfFUOGA.dll
2008-04-13 14:52:52 0 d-------- C:\Documents and Settings\All Users\Application Data\anojinuf
2008-04-13 14:52:50 38400 --a------ C:\WINDOWS\system32\qoMgeffD.dll
2008-04-13 14:52:32 0 dr-h----- C:\$VAULT$.AVG
2008-04-13 14:48:21 0 d--hs---- C:\WINDOWS\CSC
2008-04-13 14:45:44 98304 --a------ C:\WINDOWS\spnkfwad.exe
2008-04-13 14:45:38 4096 --a------ C:\WINDOWS\system32taack.dat
2008-04-13 14:45:38 4096 --a------ C:\WINDOWS\system32hxiwlgpm.dat
2008-04-13 14:45:37 4096 --a------ C:\WINDOWS\system32ssvchost.com
2008-04-13 14:45:37 4096 --a------ C:\WINDOWS\system32bdn.com
2008-04-13 14:45:30 0 d-------- C:\Documents and Settings\All Users\Application Data\hsvoxolw
2008-04-13 14:45:26 38400 --a------ C:\WINDOWS\system32\opnkhfEt.dll
2008-04-06 12:50:15 0 d-------- C:\Program Files\Steam
2008-04-06 12:21:58 0 d-------- C:\Documents and Settings\Charles Matthews\Contacts
2008-04-06 12:14:40 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-06 12:14:31 0 d-------- C:\Program Files\Windows Live
2008-04-06 12:14:20 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-06 12:06:38 0 d-------- C:\Program Files\AIM6
2008-04-05 02:08:25 0 d-------- C:\Program Files\Aspell
2008-04-05 02:08:02 0 d-------- C:\Program Files\Pidgin
2008-04-03 18:16:15 0 d-------- C:\Program Files\Curse
2008-04-02 23:55:07 0 d-------- C:\Documents and Settings\Charles Matthews\Application Data\AVG7
2008-04-02 23:55:02 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-02 23:54:33 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-02 23:54:33 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-28 00:40:35 0 d-------- C:\Program Files\Common Files\L&H
2008-03-28 00:39:36 0 d-------- C:\Program Files\Microsoft Works
2008-03-28 00:39:10 0 d-------- C:\WINDOWS\SHELLNEW
2008-03-27 22:58:10 0 d-------- C:\Program Files\Reference Assemblies
2008-03-27 22:57:58 0 d-------- C:\Program Files\Microsoft.NET
2008-03-27 22:54:44 0 d-------- C:\Program Files\Microsoft Silverlight
2008-03-27 20:28:49 0 d--h----- C:\Documents and Settings\All Users\Application Data\{0E8E33D8-193A-414A-A909-0F101A142D26}
2008-03-27 20:15:52 0 d-------- C:\Program Files\Stardock Games
2008-03-26 23:46:21 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-18 11:23:52 0 d-------- C:\WINDOWS\Sun
2008-03-18 11:23:52 0 d-------- C:\Documents and Settings\Charles Matthews\Application Data\Sun
2008-03-18 11:07:05 0 d-------- C:\Program Files\Java
2008-03-18 11:06:43 0 d-------- C:\Program Files\Common Files\Java
2008-03-17 01:05:18 6144 --a------ C:\WINDOWS\system32\atiicdxx.sys <Not Verified; ATI Technologies Inc.; ATI Graphics Accelerators>
2008-03-17 01:05:15 2060288 --a------ C:\WINDOWS\system32\atipuixx.dll <Not Verified; ATI Technologies, Inc.; ATI Desktop Component>
2008-03-17 01:05:15 114688 --a------ C:\WINDOWS\system32\atippaxx.dll <Not Verified; ATI Technologies, Inc.; ATI Desktop Component>
2008-03-17 01:05:15 274432 --a------ C:\WINDOWS\system32\atipdsxx.dll <Not Verified; ATI Technologies, Inc.; ATI Desktop Component>
2008-03-17 01:05:14 380928 --a------ C:\WINDOWS\system32\atiicdxx.dll <Not Verified; ATI Technologies Inc.; ATI Graphics Accelerators>
2008-03-17 01:05:14 348160 --a------ C:\WINDOWS\system32\aticds10.dll <Not Verified; ATI Technologies Inc.; ATI Graphics Accelerators>
2008-03-17 01:05:10 344064 --a------ C:\WINDOWS\system32\atiptaxx.exe <Not Verified; ATI Technologies, Inc.; ATI Desktop Component>
2008-03-17 01:05:10 139264 --a------ C:\WINDOWS\system32\atiprbxx.exe <Not Verified; ATI Technologies, Inc.; ATI Desktop Component>
2008-03-17 01:05:10 61440 --a------ C:\WINDOWS\system32\atiphexx.exe <Not Verified; ATI Technologies, Inc.; ATI Desktop Component>
2008-03-17 01:05:10 36864 --a------ C:\WINDOWS\system32\atiiprxx.exe
2008-03-17 01:05:10 1830912 --a------ C:\WINDOWS\system32\atiadaxx.exe <Not Verified; ATI Technologies, Inc.; ATI Desktop Component>
2008-03-17 01:04:54 0 d-------- C:\Program Files\Radeon Omega Drivers
2008-03-16 21:14:24 1324 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-03-16 18:38:14 1648 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-03-15 15:35:49 0 d-------- C:\Documents and Settings\All Users\Application Data\CCP


-- Find3M Report ---------------------------------------------------------------

2008-04-14 00:08:43 0 d-------- C:\Program Files\LogMeIn
2008-04-13 13:24:17 0 d-------- C:\Documents and Settings\Charles Matthews\Application Data\uTorrent
2008-04-13 08:57:21 0 d-------- C:\Program Files\uTorrent
2008-04-07 19:58:09 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-04-06 12:14:40 0 d-------- C:\Program Files\Common Files
2008-04-06 12:08:31 0 d-------- C:\Documents and Settings\Charles Matthews\Application Data\.purple
2008-04-06 12:06:53 0 d-------- C:\Program Files\Common Files\AOL
2008-04-05 02:04:55 0 d-------- C:\Documents and Settings\Charles Matthews\Application Data\PlayFirst
2008-04-01 19:32:57 0 d-------- C:\Program Files\World of Warcraft
2008-03-17 22:37:56 0 d-------- C:\Documents and Settings\Charles Matthews\Application Data\gtk-2.0
2008-03-17 01:45:42 4096 --a------ C:\WINDOWS\system32\crash
2008-03-15 20:02:32 0 d-------- C:\Program Files\AIM
2008-03-15 20:02:21 0 d-------- C:\Documents and Settings\Charles Matthews\Application Data\Aim
2008-03-15 16:06:04 0 d-------- C:\Documents and Settings\Charles Matthews\Application Data\EVEMon
2008-03-15 16:01:23 0 d-------- C:\Program Files\EVEMon
2008-03-11 00:14:40 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-02 14:51:50 0 d-------- C:\Program Files\DAEMON Tools Lite
2008-03-02 14:47:02 0 d-------- C:\Documents and Settings\Charles Matthews\Application Data\DAEMON Tools
2008-03-01 22:13:02 0 d-------- C:\Documents and Settings\Charles Matthews\Application Data\Nero
2008-03-01 22:12:13 0 d-------- C:\Program Files\Common Files\Nero
2008-03-01 22:10:28 0 d-------- C:\Program Files\Nero
2008-02-23 16:12:26 2528 --a------ C:\Documents and Settings\Charles Matthews\Application Data\$_hpcst$.hpc
2008-02-22 01:02:32 0 d-------- C:\Program Files\Messenger
2008-02-21 19:03:21 0 d-------- C:\Program Files\Movie Maker
2008-02-21 18:59:32 0 d-------- C:\Program Files\Windows NT
2008-02-18 18:24:34 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-02-18 18:21:34 0 d-------- C:\Program Files\ATI Technologies


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{153E5AD4-B62B-4E0D-B04A-87111B0466DB}]
04/14/2008 11:02 AM 273408 --a------ C:\WINDOWS\system32\awtrOgdd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A0B2B73-E6C6-40E1-982E-575D972E230F}]
C:\WINDOWS\system32\cbXRHaaW.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C796500F-4B97-4F2B-B886-11FA6B72F13F}]
C:\WINDOWS\nslbvxpgrno.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E861B044-F3E8-4A59-8605-0EB60CA5B483}]
C:\WINDOWS\system32\byXppqNH.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEC73EA5-1367-49D1-93F4-CA1D8C22E9F9}]
04/13/2008 02:45 PM 38400 --a------ C:\WINDOWS\system32\opnkhfEt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [01/07/2005 06:07 PM C:\WINDOWS\system32\HdAShCut.exe]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [08/03/2007 04:09 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/11/2007 11:56 AM]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [03/13/2008 04:48 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [11/13/2006 02:39 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Slim Multimedia Keyboard.lnk - C:\Program Files\Slim Multimedia Keyboard\MagicKey.exe [12/4/2007 8:11:32 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{EEC73EA5-1367-49D1-93F4-CA1D8C22E9F9}"= C:\WINDOWS\system32\opnkhfEt.dll [04/13/2008 02:45 PM 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 11/15/2007 07:46 PM 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnkhfEt]
opnkhfEt.dll 04/13/2008 02:45 PM 38400 C:\WINDOWS\system32\opnkhfEt.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awtrOgdd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b8370359]
rundll32.exe "C:\WINDOWS\system32\kbxubojp.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SandraTheSrv"=3 (0x3)
"SandraDataSrv"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8120 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-14 19:57:35 ------------


Thanks in advance for the help :-D
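Added example, not part of this thread and not code from HijackThis, DSS or TeaTimer: a small Python triage script that parses the O2 (BHO) and O20 (Winlogon Notify) lines of a HijackThis log and flags the entries a helper would look at first. The sample lines are copied from the log in this post; the heuristics (a BHO registered without a name, a registration pointing at a missing file, an 8-letter DLL name with two or more upper/lower case switches, the same DLL appearing in more than one autostart location) and all function names are assumptions chosen for this example. The last function checks whether the CLSID that TeaTimer blocked was already present among the registered BHOs, which tells you whether the block came before or after the registration.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the HijackThis log posted in this thread
# (the O4 line is kept to show that entry types other than O2/O20 are skipped).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {153E5AD4-B62B-4E0D-B04A-87111B0466DB} - C:\WINDOWS\system32\awtrOgdd.dll
O2 - BHO: (no name) - {4A0B2B73-E6C6-40E1-982E-575D972E230F} - C:\WINDOWS\system32\cbXRHaaW.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DVA Storm - {C796500F-4B97-4F2B-B886-11FA6B72F13F} - C:\WINDOWS\nslbvxpgrno.dll (file missing)
O2 - BHO: (no name) - {EEC73EA5-1367-49D1-93F4-CA1D8C22E9F9} - C:\WINDOWS\system32\opnkhfEt.dll
O20 - Winlogon Notify: opnkhfEt - C:\WINDOWS\SYSTEM32\opnkhfEt.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
"""

# The TeaTimer alert quoted in the first post of this thread.
TEATIMER_LINE = ('4/14/2008 7:41:43 PM Denied (based on user blacklist) value '
                 '"{DB3BE94A-EFDC-4449-8008-94F419D4E638}" (new data: "") added in Browser Helper Object!')

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
                    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - "
                       r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
TEATIMER_RE = re.compile(r'value "\{(?P<clsid>[0-9A-Fa-f-]{36})\}".*added in Browser Helper Object')
EIGHT_LETTER_DLL_RE = re.compile(r"^[A-Za-z]{8}\.dll$")


def basename(path):
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def parse_hjt(text):
    """Return one dict per O2 (BHO) and O20 (Winlogon Notify) line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        kind, m = "BHO", BHO_RE.match(line)
        if not m:
            kind, m = "WinlogonNotify", NOTIFY_RE.match(line)
        if not m:
            continue  # O4, O9, O16, ... are not triaged by this example
        entries.append({
            "kind": kind,
            "name": m.group("name"),
            "clsid": m.groupdict().get("clsid"),  # O20 lines carry no CLSID
            "path": m.group("path"),
            "missing": m.group("missing") is not None,
        })
    return entries


def looks_random(dll_name):
    """Assumption for this example: 8 letters with 2+ case switches (awtrOgdd, cbXRHaaW),
    while a product DLL such as SDHelper.dll has only one switch and is not flagged."""
    if not EIGHT_LETTER_DLL_RE.match(dll_name):
        return False
    stem = dll_name[:-4]
    switches = sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())
    return switches >= 2


def triage(text):
    """Flag BHO / Winlogon Notify entries that deserve a closer look, with the reason."""
    entries = parse_hjt(text)
    seen = Counter(basename(e["path"]).lower() for e in entries)
    findings = []
    for e in entries:
        base = basename(e["path"])
        reasons = []
        if e["kind"] == "BHO" and e["name"] == "(no name)":
            reasons.append("BHO registered without a name")
        if e["missing"]:
            reasons.append("registration points at a missing file")
        if looks_random(base):
            reasons.append("random-looking DLL name")
        if seen[base.lower()] > 1:
            reasons.append(f"same DLL in {seen[base.lower()]} autostart locations")
        if reasons:
            findings.append({"kind": e["kind"], "file": base, "reasons": reasons})
    return findings


def blocked_clsid_registered(teatimer_line, hjt_text):
    """True if the CLSID TeaTimer blocked already appears as a BHO in the HJT log,
    False if it does not, None if the TeaTimer line could not be parsed."""
    m = TEATIMER_RE.search(teatimer_line)
    if not m:
        return None
    wanted = m.group("clsid").upper()
    return any((e["clsid"] or "").upper() == wanted for e in parse_hjt(hjt_text))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:15} {f['file']:20} {'; '.join(f['reasons'])}")
    print("blocked CLSID already registered:", blocked_clsid_registered(TEATIMER_LINE, SAMPLE_LOG))
```

On the sample, the script flags the four Vundo-style DLLs (awtrOgdd, cbXRHaaW, nslbvxpgrno, opnkhfEt) and leaves the Adobe and Spybot helpers alone; opnkhfEt.dll is reported twice because it is registered both as a BHO and as a Winlogon Notify package, which is exactly the kind of overlap worth noting before any removal step. The blocked CLSID is not in the log, so TeaTimer stopped that registration before it landed.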


#2 Thunder


Posted 22 April 2008 - 08:50 AM

Hello Durmant and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

3. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 Thunder


Posted 19 May 2008 - 07:38 AM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.