
Infected By Various Fake Anti-virus. Cleaned, But Still Got Some Residues Left.


  • This topic is locked
13 replies to this topic

#1 mabok


Posted 05 May 2008 - 04:13 AM

Problems: Fake System-Defender Security Center pop-ups + CPU slowing down.

Infected by various fake anti-virus programs (Antispyware, System-Defender, MalWarrior, AntiVir, etc.).
Cleaned, but still got some residues left.





Deckard's System Scanner v20071014.68
Run by Owner on 2008-05-05 17:00:17
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
45: 2008-05-05 09:00:20 UTC - RP53 - Deckard's System Scanner Restore Point
44: 2008-05-01 14:52:13 UTC - RP52 - System Checkpoint
43: 2008-04-30 14:43:17 UTC - RP51 - System Checkpoint
42: 2008-04-28 02:06:33 UTC - RP50 - System Checkpoint
41: 2008-04-26 12:13:21 UTC - RP49 - System Checkpoint


-- First Restore Point --
1: 2008-03-09 16:03:12 UTC - RP9 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-05 17:04:10
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\GetRight\GetRight.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avconfig.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
O2 - BHO: AbsoluteTransfer module - {18CB1A7B-94CD-4582-8022-ADA16851E44B} - C:\Program Files\AbsoluteTransfer\AbsoluteTransfer.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Adobe Version Cue CS2] C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (file missing)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/download/8/b...heckControl.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{7A114341-6B30-4305-B1B6-CD83923D6651}: NameServer = 85.255.116.77,85.255.112.133
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.77 85.255.112.133
O17 - HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.77 85.255.112.133
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.77 85.255.112.133
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: __c008C0FC - C:\WINDOWS\system32\__c008C0FC.dat (file missing)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll
O21 - SSODL: fkdnrwsv - {5DAE992B-0A93-4B17-A116-0DE126E1B8C3} - C:\WINDOWS\fkdnrwsv.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe


--
End of file - 7214 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Adobe Version Cue CS2 - "c:\program files\adobe\adobe version cue cs2\bin\versioncuecs2.exe" -win32service <Not Verified; Adobe Systems Incorporated; Adobe Version Cue CS2>
R2 AntiVirScheduler (AntiVir PersonalEdition Classic Scheduler) - "c:\program files\avira\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; AntiVir Workstation>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-05 16:31:12 254 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job


-- Files created between 2008-04-05 and 2008-05-05 -----------------------------

2008-05-04 17:32:48 0 d-------- C:\quran
2008-05-01 13:41:31 0 d-------- C:\Program Files\Alwil Software
2008-04-30 20:42:42 0 d--hs---- C:\FOUND.005
2008-04-20 19:33:45 0 d-------- C:\Documents and Settings\Owner\Application Data\YouSendIt
2008-04-20 19:33:22 0 d-------- C:\Program Files\YouSendIt
2008-04-20 19:33:00 0 d-------- C:\WINDOWS\Downloaded Installations
2008-04-18 18:09:05 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-04-18 18:08:50 0 d-------- C:\Program Files\Microsoft Works
2008-04-18 18:08:47 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-04-18 18:08:47 0 d-------- C:\Program Files\Common Files\L&H
2008-04-18 18:07:52 0 d-------- C:\Program Files\Microsoft.NET
2008-04-18 17:59:02 0 d--hs---- C:\FOUND.004
2008-04-18 17:35:24 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-04-18 17:33:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-13 17:04:49 313344 --a------ C:\WINDOWS\system32\Thawbrkr.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-13 17:04:00 5632 --a------ C:\WINDOWS\system32\kbdarmw.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-13 17:03:34 5632 --a------ C:\WINDOWS\system32\kbdarme.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-13 17:03:01 5120 --a------ C:\WINDOWS\system32\kbdgeo.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-13 17:02:00 6144 --a------ C:\WINDOWS\system32\kbdinkan.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-13 17:01:39 6144 --a------ C:\WINDOWS\system32\kbdintel.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-13 17:01:15 6144 --a------ C:\WINDOWS\system32\kbdinguj.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-13 17:00:46 6144 --a------ C:\WINDOWS\system32\kbdinpun.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-13 17:00:21 5632 --a------ C:\WINDOWS\system32\kbdinhin.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-13 16:59:59 6144 --a------ C:\WINDOWS\system32\kbdinmar.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-13 16:59:22 5632 --a------ C:\WINDOWS\system32\kbdintam.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-13 16:58:40 6144 --a------ C:\WINDOWS\system32\kbdindev.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-13 16:57:55 10752 --a------ C:\WINDOWS\system32\c_iscii.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-13 16:56:32 6144 --a------ C:\WINDOWS\system32\kbdvntc.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-13 16:45:26 6144 --a------ C:\WINDOWS\system32\kbdsyr2.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-13 16:45:05 6144 --a------ C:\WINDOWS\system32\kbdsyr1.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-13 16:44:30 6144 --a------ C:\WINDOWS\system32\kbddiv2.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-13 16:43:55 6144 --a------ C:\WINDOWS\system32\kbddiv1.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-13 16:43:21 5632 --a------ C:\WINDOWS\system32\kbdurdu.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-13 16:42:54 5632 --a------ C:\WINDOWS\system32\kbdfa.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-13 16:42:22 6144 --a------ C:\WINDOWS\system32\kbdusa.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-13 16:41:56 6144 --a------ C:\WINDOWS\system32\kbda3.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-13 16:41:13 5632 --a------ C:\WINDOWS\system32\kbda2.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-13 16:38:47 6144 --a------ C:\WINDOWS\system32\kbda1.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-13 15:30:24 5632 --a------ C:\WINDOWS\system32\kbdheb.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-13 14:43:43 6144 --a------ C:\WINDOWS\system32\kbdth3.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-13 14:43:08 6144 --a------ C:\WINDOWS\system32\kbdth2.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-13 14:42:44 6144 --a------ C:\WINDOWS\system32\kbdth1.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-13 14:42:15 6144 --a------ C:\WINDOWS\system32\kbdth0.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-13 14:28:17 6144 --a------ C:\WINDOWS\system32\ftlx041e.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-13 10:43:33 0 d-------- C:\Documents and Settings\Owner\Application Data\Opera
2008-04-13 10:26:47 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-04-08 08:44:16 0 d--hs---- C:\FOUND.003
2008-04-05 22:11:48 0 d-------- C:\Program Files\Avira
2008-04-05 22:11:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-04-05 19:00:31 0 d-------- C:\WINDOWS\pss
2008-04-05 17:54:03 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-05 17:39:36 0 d--hs---- C:\FOUND.002
2008-04-05 12:33:51 0 --a------ C:\winxplogon.sys
2008-04-05 12:10:38 0 d-------- C:\Program Files\AbsoluteTransfer
2008-04-05 12:10:32 0 d-------- C:\Documents and Settings\Owner\Application Data\Adsl Software Limited
2008-04-05 12:10:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Adsl Software Limited
2008-04-05 12:07:33 0 d-------- C:\Documents and Settings\Owner\Application Data\PC-Cleaner
2008-04-05 04:44:00 0 d-------- C:\Documents and Settings\Owner\Application Data\TmpRecentIcons
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\winsystem.exe
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\userconfig9x.dll
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32WINWGPX.EXE
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32winsystem.exe
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32winlogonpc.exe
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32vcatchpi.dll
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32vbsys2.dll
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32thun32.dll
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32thun.dll
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32temp#01.exe
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32taack.exe
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32taack.dat
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32sysreq.exe
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32ssvchost.exe
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32ssvchost.com
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32ssurf022.dll
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32sncntr.exe
2008-04-05 00:25:25 0 d-------- C:\WINDOWS\system32smp
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32Rundl1.exe
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32regm64.dll
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32regc64.dll
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32psoft1.exe
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32psof1.exe
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32ps1.exe
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32newsd32.exe
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32netode.exe
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32mwin32.exe
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32mtr2.exe
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32msvchost.exe
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32mssecu.exe
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32msnbho.dll
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32msgp.exe
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32medup020.dll
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32medup012.dll
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32hxiwlgpm.exe
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32hxiwlgpm.dat
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32hoproxy.dll
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32h@tkeysh@@k.dll
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32emesx.dll
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32dpcproxy.exe
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32bsva-egihsg52.exe
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32bdn.com
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32awtoolb.dll
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32anticipator.dll
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\system32akttzn.exe
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\mssecu.exe
2008-04-05 00:25:25 0 d-------- C:\WINDOWS\mslagent
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\iTunesMusic.exe
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\FVProtect.exe
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\bdn.com
2008-04-05 00:25:25 4096 --a------ C:\WINDOWS\a.bat
2008-04-05 00:25:25 0 d-------- C:\Program Files\Inet Delivery
2008-04-05 00:25:25 0 d-------- C:\Documents and Settings\Owner\Desktopvirii
2008-04-05 00:25:22 212992 --a------ C:\WINDOWS\fkdnrwsv.dll
2008-04-05 00:25:17 0 d-------- C:\Documents and Settings\All Users\Application Data\ihijoncx


-- Find3M Report ---------------------------------------------------------------

2008-04-05 21:59:42 1466 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-05 21:39:58 2682 --a------ C:\WINDOWS\mozver.dat
2008-04-02 19:16:16 0 d-------- C:\Program Files\Warcraft3x
2008-03-29 17:22:32 0 d-------- C:\Program Files\GetRight
2008-03-22 08:47:32 0 d-------- C:\Documents and Settings\Owner\Application Data\Azureus
2008-03-22 08:46:46 0 d-------- C:\Program Files\Azureus
2008-03-18 19:38:12 0 d-------- C:\Documents and Settings\Owner\Application Data\GetRight
2008-03-16 14:49:58 0 d-------- C:\Program Files\Outspark
2008-03-16 11:44:34 0 d-------- C:\Documents and Settings\Owner\Application Data\Winamp
2008-03-16 11:44:32 0 d-------- C:\Program Files\Winamp
2008-03-14 20:04:52 0 d-------- C:\Documents and Settings\Owner\Application Data\U3
2008-03-12 22:43:54 0 d-------- C:\Program Files\Common Files\Adobe
2008-03-12 22:41:32 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-11 15:08:08 0 d-------- C:\Program Files\DivX
2008-03-11 13:55:22 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-03-10 17:46:18 0 d-------- C:\Documents and Settings\Owner\Application Data\vlc
2008-03-10 13:45:02 0 d-------- C:\Program Files\VideoLAN
2008-03-10 10:45:08 0 d-------- C:\Program Files\Steam
2008-03-10 09:03:24 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-10 09:03:16 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2008-03-09 13:10:32 0 d-------- C:\Program Files\MSXML 6.0
2008-03-09 13:08:50 0 d-------- C:\Program Files\MSXML 4.0


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18CB1A7B-94CD-4582-8022-ADA16851E44B}]
03/27/2008 09:34 PM 247296 --a------ C:\Program Files\AbsoluteTransfer\AbsoluteTransfer.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Version Cue CS2"="C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [05/25/2005 04:50 PM]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [04/22/2008 05:26 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [03/30/2008 02:37 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/12/2004 06:00 AM]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [10/18/2007 11:34 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nltide_3"=rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoSMConfigurePrograms"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoSMConfigurePrograms"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"fkdnrwsv"= {5DAE992B-0A93-4B17-A116-0DE126E1B8C3} - C:\WINDOWS\fkdnrwsv.dll [04/03/2008 06:44 PM 212992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kddng.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c008C0FC]
C:\WINDOWS\system32\__c008C0FC.dat

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^.protected]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\.protected
backup=C:\WINDOWS\pss\.protectedCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^.protected]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\.protected
backup=C:\WINDOWS\pss\.protectedStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\A00F13C2B7.exe]
C:\DOCUME~1\Owner\LOCALS~1\Temp\_A00F13C2B7.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
"C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nForce Tray Options]
sstray.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VistaDrive]
C:\WINDOWS\VistaDrive\VistaDrive.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\walinusj]
C:\WINDOWS\system32\unqnqvqb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MDM"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService WebClient LmHosts upnphost SSDPSRV


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{07fb71c6-0180-11dd-bf39-0010dcd5264b}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL delautorun.bat
ɱ¶¾(&K)\command- I:\delautorun.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3f969f2e-f79f-11dc-bf1e-0010dcd5264b}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL delautorun.bat
ɱ¶¾(&K)\command- delautorun.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be639380-0d29-11dd-bf66-0010dcd5264b}]
AutoRun\command- I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3c1b3f4-f373-11dc-bf0f-0010dcd5264b}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Setup.pif

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb0d597c-f22b-11dc-bf0c-0010dcd5264b}]
AutoRun\command- I:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb0d597d-f22b-11dc-bf0c-0010dcd5264b}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Setup.pif




-- End of Deckard's System Scanner: finished at 2008-05-05 17:05:58 ------------











Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™
Percentage of Memory in Use: 50%
Physical Memory (total/avail): 1023.49 MiB / 503.82 MiB
Pagefile Memory (total/avail): 2464.37 MiB / 1877.52 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1914.93 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 42.72 GiB total, 16.54 GiB free.
D: is Fixed (FAT32) - 29.02 GiB total, 28.9 GiB free.
E: is Fixed (FAT32) - 39.99 GiB total, 0.81 GiB free.
F: is Fixed (FAT32) - 35.1 GiB total, 19.77 GiB free.
G: is Fixed (FAT32) - 2.14 GiB total, 2.02 GiB free.
H: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - ST3160812A - 149.05 GiB - 5 partitions
\PARTITION0 (bootable) - Unknown - 42.74 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 106.31 GiB - D: - E: - F: - G:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: Avira AntiVir PersonalEdition v8.0.1.15 (Avira GmbH) Outdated
AV: avast! antivirus 4.8.1169 [VPS 080418-0] v4.8.1169 (ALWIL Software) Disabled Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"="C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe:*:Enabled:Adobe Version Cue CS2"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Steam\\steamapps\\slogd3ad\\condition zero\\hl.exe"="C:\\Program Files\\Steam\\steamapps\\slogd3ad\\condition zero\\hl.exe:*:Enabled:Half-Life Launcher"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ISMAILSH
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\ISMAILSH
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Adobe\AGL
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=ISMAILSH
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
--> msiexec /I{7F4C8163-F259-49A0-A018-2857A90578BC}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
AbsoluteTransfer --> "C:\Program Files\AbsoluteTransfer\Uninstall.exe"
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-6884-0000-0000-000000000103}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5101}
Adobe Creative Suite 2 --> C:\PROGRA~1\INSTAL~1\{0134A~1\setup.exe /relaunched/rootloc=h:\adobe creative suite 2.0/lang=0409
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1437-443D-B06E-79A00FE45110}
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
Avira AntiVir Personal – Free Antivirus --> C:\Program Files\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
Azureus Vuze --> C:\Program Files\Azureus\uninstall.exe
Condition Zero --> "C:\Program Files\Steam\steam.exe" steam://uninstall/80
Counter-Strike --> "C:\Program Files\Steam\steam.exe" steam://uninstall/10
CPL All-in-One --> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\CPLBonus.inf,CPLuninstall
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
eMusic - 50 Free MP3 offer --> "C:\Program Files\Winamp\eMusic\Uninst-eMusic-promotion.exe"
Fiesta --> C:\Program Files\Outspark\Fiesta\uninstall.exe
GetRight --> "C:\Program Files\GetRight\unins000.exe"
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Macromedia Shockwave Player --> C:\WINDOWS\system32\MACROMED\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\MACROMED\SHOCKW~1\Install.log
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
mIRC --> "E:\Folder\Irc\mirc.exe" -uninstall
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
NotePad++ 3.6 --> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\Note.inf,Npaduninstall
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Outspark Launcher --> C:\Program Files\Outspark\Launcher\uninstall.exe
Rhapsody Player Engine --> MsiExec.exe /I{8A62A068-3FD6-495A-9F66-26FE94F32EC9}
Secret of the Solstice --> C:\Program Files\Outspark\Solstice\uninstall.exe
Steam --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Suite Specific --> MsiExec.exe /I{C49DAA9C-5BA8-459A-8244-E57B69DF0F04}
The Noble Quran 1.2 --> "c:\quran\unins000.exe"
VideoLAN VLC media player 0.8.6f --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Live Toolbar --> "C:\Program Files\Windows Live Toolbar\UnInstall.exe" {DA0FFF7B-DA9D-46A2-A329-87804ECA58EA}
Windows Live Toolbar --> MsiExec.exe /X{DA0FFF7B-DA9D-46A2-A329-87804ECA58EA}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
YouSendIt Express --> C:\Program Files\InstallShield Installation Information\{1193600A-134F-40F9-9F71-FEF54C93C629}\setup.exe -runfromtemp -l0x0409


-- Application Event Log -------------------------------------------------------

Event Record #/Type714 / Error
Event Submitted/Written: 05/05/2008 05:04:32 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Event Record #/Type713 / Error
Event Submitted/Written: 05/05/2008 05:04:32 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Event Record #/Type712 / Error
Event Submitted/Written: 05/05/2008 05:04:31 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Event Record #/Type711 / Error
Event Submitted/Written: 05/05/2008 05:04:31 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Event Record #/Type710 / Error
Event Submitted/Written: 05/05/2008 05:04:31 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type4632 / Error
Event Submitted/Written: 05/05/2008 05:00:12 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service MDM with arguments ""
in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}

Event Record #/Type4631 / Error
Event Submitted/Written: 05/05/2008 04:51:46 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service MDM with arguments ""
in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}

Event Record #/Type4630 / Error
Event Submitted/Written: 05/05/2008 04:21:25 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service MDM with arguments ""
in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}

Event Record #/Type4629 / Error
Event Submitted/Written: 05/05/2008 04:17:45 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service MDM with arguments ""
in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}

Event Record #/Type4628 / Error
Event Submitted/Written: 05/05/2008 04:04:05 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service MDM with arguments ""
in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}



-- End of Deckard's System Scanner: finished at 2008-05-05 17:05:58 ------------



#2 pskelley (Members, 1,487 posts)

Posted 07 May 2008 - 02:50 PM

Welcome to Bleeping Computer. Please be sure you have read and followed the
Preparation Guide For Use Before Posting A Hijackthis Log (instructions for receiving help in cleaning your computer): http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
All advice given is taken at your own risk.

You have some problems, I may be able to help you clean them but it is going to take some time and patience. You are also hacked by these Ukrainians:
http://whois.domaintools.com/85.255.116.77 I suggest you keep this computer offline except when troubleshooting to deny them access and keep the junk from downloading more.

If you wish to proceed, start like this.

1) You are running two antivirus programs at the same time and this is not a good thing. They conflict with each other and you will be less safe than if you ran one good program and maintained it properly.
http://service1.symantec.com/SUPPORT/nav.n...000031316555206
"Microsoft recommends that you have only one anti-virus program installed on your computer."
http://www.washingtonpost.com/wp-dyn/conte...5120300087.html
http://www.smartcomputing.com/editorial/ar...38s07/38s07.asp

Avira\AntiVir PersonalEdition Classic
Alwil Software\Avast4
(uninstall one of those)

2) Thanks to LonnyBJones and anyone else who helped with this fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your Desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log using Add Reply.

3) Instructions for the HJT log:
Download Trend Micro Hijack This™
http://download.bleepingcomputer.com/hijac.../HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.

Thanks

If your issues are resolved, post to let me know so I can close your topic.
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#3 mabok (Topic Starter, Members, 10 posts)

Posted 08 May 2008 - 01:27 AM

I did follow your instructions, but then my anti-virus detects a lot of NEW viruses from fixwareout.exe.
Well, I hope it didn't harm my computer.

So, after this, should I delete/uninstall all the files you gave me?




Username "Owner" - 05/08/2008 14:16:03 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kddng.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.116.77 85.255.112.133" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{7A114341-6B30-4305-B1B6-CD83923D6651}
"nameserver"="85.255.116.77,85.255.112.133" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{A0A4AB1B-F6B0-481E-8C67-45058433F544}
"DhcpNameServer"="85.255.116.77,85.255.112.133" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Other
C:\WINDOWS\TEMP\kddng.ren 62976 06/13/2007

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Version Cue CS2"="C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\ControlPanel\\VersionCueCS2Tray.exe"
"avgnt"="\"C:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"msnmsgr"="\"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe\" /background"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:23:47 PM, on 5/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AbsoluteTransfer module - {18CB1A7B-94CD-4582-8022-ADA16851E44B} - C:\Program Files\AbsoluteTransfer\AbsoluteTransfer.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Adobe Version Cue CS2] C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.77 85.255.112.133
O17 - HKLM\System\CS1\Services\Tcpip\..\{7A114341-6B30-4305-B1B6-CD83923D6651}: NameServer = 85.255.116.77,85.255.112.133
O20 - Winlogon Notify: __c008C0FC - C:\WINDOWS\system32\__c008C0FC.dat (file missing)
O21 - SSODL: fkdnrwsv - {5DAE992B-0A93-4B17-A116-0DE126E1B8C3} - C:\WINDOWS\fkdnrwsv.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

--
End of file - 4688 bytes




*EDIT*: The virus ads & the memory "eater" still act up.
When I open IE, I look at my Task Manager and CPU USAGE suddenly goes up to 100%.
But when I'm using Mozilla, it doesn't.

Edited by mabok, 08 May 2008 - 01:43 AM.
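The FixWareout "Prerun check" and the O17 lines in the HijackThis log above are the whole DNS-hijack story in two report formats: a Winlogon "System" value launching kddng.exe, and Tcpip NameServer / DhcpNameServer values sending every lookup to 85.255.116.77 and 85.255.112.133. The Python below is an added example for this thread, not FixWareout's or HijackThis's own code. It parses both formats, pulls out every resolver address and flags the ones inside the DNSChanger rogue-resolver ranges published by the FBI/DCWG (85.255.112.0/20 is the block that holds this thread's two addresses). The sample text is constructed to match the lines in this post, plus one made-up interface GUID pointing at a private resolver as the benign case.

```python
"""Flag rogue DNS resolvers in FixWareout reports and HijackThis O17 lines.

Added example for this thread; not FixWareout's or HijackThis's own code.
"""
import ipaddress
import re
from dataclasses import dataclass

# DNSChanger rogue-resolver ranges as published by the FBI / DCWG.
# 85.255.112.0/20 is the block containing 85.255.116.77 and 85.255.112.133
# from the FixWareout report above.
ROGUE_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",
    "67.210.0.0/20",
    "93.188.160.0/21",
    "77.67.83.0/24",
    "213.109.64.0/20",
    "64.28.176.0/20",
)]

# FixWareout "Prerun check" style, e.g.
#   "nameserver"="85.255.116.77 85.255.112.133" <Value cleared.
FIXWAREOUT_RE = re.compile(r'"(?P<name>(?:Dhcp)?NameServer)"="(?P<value>[^"]*)"', re.I)
# HijackThis O17 style, e.g.
#   O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.77 85.255.112.133
HJT_O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): (?P<name>(?:Dhcp)?NameServer) = (?P<value>.+)$", re.I)
# A bare registry key line in a FixWareout report names the key for the values that follow it.
REG_KEY_RE = re.compile(r"^(?:HKEY_LOCAL_MACHINE|HKLM)\\", re.I)

# Constructed sample in the shape of this thread's logs. The last line (a made-up
# interface GUID with a private resolver) is the benign case.
SAMPLE_LINES = r"""
HKLM\SOFTWARE\~\Winlogon\ "System"="kddng.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.116.77 85.255.112.133" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{A0A4AB1B-F6B0-481E-8C67-45058433F544}
"DhcpNameServer"="85.255.116.77,85.255.112.133" <Value cleared.
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.77 85.255.112.133
O17 - HKLM\System\CS1\Services\Tcpip\..\{7A114341-6B30-4305-B1B6-CD83923D6651}: NameServer = 85.255.116.77,85.255.112.133
O17 - HKLM\System\CCS\Services\Tcpip\..\{DEADBEEF-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""


@dataclass(frozen=True)
class Finding:
    key: str          # registry key the value lives under
    value_name: str   # NameServer or DhcpNameServer
    address: str      # one resolver address
    verdict: str      # "rogue", "private", "public" or "invalid"


def classify(address):
    """Place one resolver address: known-rogue range, private/loopback, public, or not an IP."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "invalid"
    if any(ip in net for net in ROGUE_RANGES):
        return "rogue"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "private"
    return "public"


def _split(value):
    # The registry value separates multiple resolvers with spaces or commas.
    return [v for v in re.split(r"[,\s]+", value.strip()) if v]


def audit(text):
    """Extract every resolver address from a FixWareout report or HJT log and classify it."""
    findings = []
    current_key = "(unknown key)"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if REG_KEY_RE.match(line):
            current_key = line          # FixWareout prints the key on its own line
            continue
        m = HJT_O17_RE.match(line)
        if m:
            key, name, value = m.group("key"), m.group("name"), m.group("value")
        else:
            m = FIXWAREOUT_RE.search(line)
            if not m:
                continue
            key, name, value = current_key, m.group("name"), m.group("value")
        for addr in _split(value):
            findings.append(Finding(key, name, addr, classify(addr)))
    return findings


def rogue_addresses(findings):
    """Distinct resolver addresses that fall inside a known rogue range."""
    return sorted({f.address for f in findings if f.verdict == "rogue"})


if __name__ == "__main__":
    for f in audit(SAMPLE_LINES):
        print(f"{f.verdict:8} {f.address:16} {f.value_name} @ {f.key}")
    print("rogue resolvers:", rogue_addresses(audit(SAMPLE_LINES)))
```

Run it against a saved report.txt or hijackthis.log; anything marked rogue is what FixWareout clears. The O17 lines that survive in the HJT log above point at HKLM\System\CS1 (ControlSet001), so a manual check should walk every ControlSet00N key and not only CurrentControlSet, and should be repeated after the next reboot, since a loader that is still running can write the values back.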


#4 pskelley (Members, 1,487 posts)

Posted 08 May 2008 - 06:24 AM

You have some problems, I may be able to help you clean them but it is going to take some time and patience.

This junk does not come off your computer as easily as you got it on; we completed the first step only, but thanks for the feedback.

1) Thanks to andymanchesta and anyone else who helped with the fix.

Download SDFix and save it to your Desktop
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally post the contents of the Report.txt back on the forum with a new HijackThis log

(wait until you finish to post the log and reports)

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: AbsoluteTransfer module - {18CB1A7B-94CD-4582-8022-ADA16851E44B} - C:\Program Files\AbsoluteTransfer\AbsoluteTransfer.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.77 85.255.112.133
O17 - HKLM\System\CS1\Services\Tcpip\..\{7A114341-6B30-4305-B1B6-CD83923D6651}: NameServer = 85.255.116.77,85.255.112.133
O20 - Winlogon Notify: __c008C0FC - C:\WINDOWS\system32\__c008C0FC.dat (file missing)
O21 - SSODL: fkdnrwsv - {5DAE992B-0A93-4B17-A116-0DE126E1B8C3} - C:\WINDOWS\fkdnrwsv.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the report from SDFix, a new HJT log and some feedback from you.

Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#5 mabok (Topic Starter, Members, 10 posts)

Posted 09 May 2008 - 02:25 AM

SDFix: Version 1.181
Run by Owner on Fri 05/09/2008 at 03:00 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\Owner\Application Data\TmpRecentIcons\AntiSpywareMaster.lnk - Deleted
C:\Documents and Settings\Owner\Application Data\TmpRecentIcons\spywareisolator.lnk - Deleted
C:\.protected - Deleted
C:\WINDOWS\system32\drivers\etc\.protected - Deleted
C:\WINDOWS\mslagent\2_mslagent.dll - Deleted
C:\WINDOWS\mslagent\mslagent.exe - Deleted
C:\WINDOWS\mslagent\uninstall.exe - Deleted
C:\Program Files\Inet Delivery\inetdl.exe - Deleted
C:\Program Files\Inet Delivery\intdel.exe - Deleted
C:\winxplogon.sys - Deleted
C:\WINDOWS\a.bat - Deleted
C:\WINDOWS\base64.tmp - Deleted
C:\WINDOWS\bdn.com - Deleted
C:\WINDOWS\FVProtect.exe - Deleted
C:\WINDOWS\iTunesMusic.exe - Deleted
C:\WINDOWS\mssecu.exe - Deleted
C:\WINDOWS\userconfig9x.dll - Deleted
C:\WINDOWS\Web\def.htm - Deleted
C:\WINDOWS\winsystem.exe - Deleted
C:\WINDOWS\zip1.tmp - Deleted
C:\WINDOWS\zip2.tmp - Deleted
C:\WINDOWS\zip3.tmp - Deleted
C:\WINDOWS\zipped.tmp - Deleted


Could Not Remove C:\WINDOWS\system32smp

Folder C:\Program Files\Inet Delivery - Removed
Folder C:\WINDOWS\mslagent - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 15:05:50
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"="C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe:*:Enabled:Adobe Version Cue CS2"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Steam\\steamapps\\slogd3ad\\condition zero\\hl.exe"="C:\\Program Files\\Steam\\steamapps\\slogd3ad\\condition zero\\hl.exe:*:Enabled:Half-Life Launcher"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :

C:\WINDOWS\system32smp Found

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 1 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2769b111678c52099a3b3123b12f2325\BIT6.tmp"
Thu 1 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab59ac72525ea90a47679441587835c9\BIT2.tmp"
Thu 1 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fa6c916bb150f8a929e7a4ffdfbc120f\BIT3.tmp"
Thu 1 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d77b9b5b8fed23dd91f50d167cce60d3\BIT7.tmp"
Thu 1 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a67b6c406b1d7e0f5c1e6f6d44a3f6e\BIT4.tmp"
Fri 9 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT1.tmp"
Thu 1 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b69c46c5109d0f8b0dee9fab84906813\BIT5.tmp"
Sat 25 Aug 2007 667,648 A.SH. --- "C:\Documents and Settings\Owner\Desktop\New Folder\100NIKON\SIV19E.tmp"
Sat 25 Aug 2007 196,608 A.SH. --- "C:\Documents and Settings\Owner\Desktop\New Folder\100NIKON\SIV19F.tmp"
Sat 25 Aug 2007 667,648 A.SH. --- "C:\Documents and Settings\Owner\Desktop\DCIM\100NIKON\SIV19E.tmp"
Sat 25 Aug 2007 196,608 A.SH. --- "C:\Documents and Settings\Owner\Desktop\DCIM\100NIKON\SIV19F.tmp"
Thu 7 Dec 2006 3,096,576 A..H. --- "C:\Documents and Settings\Owner\Application Data\U3\temp\Launchpad Removal.exe"

Finished!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:18:11 PM, on 5/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Adobe Version Cue CS2] C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

--
End of file - 4116 bytes



OK, first of all I would like to thank you for the help.
When I was at the HJT thingy, you asked me to select those lines you gave me.

...O21 - SSODL: fkdnrwsv - {5DAE992B-0A93-4B17-A116-0DE126E1B8C3} - C:\WINDOWS\fkdnrwsv.dll...
Only that line didn't appear in the HJT list.

Well, I tried opening my IE (even though I'm a Firefox user) ...
and was amazed at my Task Manager's CPU USAGE: it didn't max out.
So I guess my problems are halfway there.

I'm wondering about the Ukrainian dude you told me about.
And is my computer clean of the "various" fake anti-virus?

#6 pskelley (Members, 1,487 posts)

Posted 09 May 2008 - 04:49 AM

Thanks for returning your information. Please continue to copy/paste your information; do not quote or code it.

I suggest you remove this program from your computer unless you paid for it, see this:
C:\Program Files\GetRight\
http://www.castlecops.com/startuplist-1321.html

Besides that, the HJT log looks free of malware; how is the computer running?

DSS is showing this: AV: avast! antivirus 4.8.1169 [VPS 080418-0] v4.8.1169 (ALWIL Software) Disabled Outdated
Update the antivirus program and run a complete system scan, make sure everything is working as it should be and report any items it locates and can not delete or quarantine.

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#7 mabok
  • Topic Starter

  • Members
  • 10 posts

Posted 09 May 2008 - 06:54 AM

Question about Kaspersky:
Could I just scan each of my HDs one at a time?
This might save me some time,
because I have a lot of HDs.

As I said,
IE's fake antivirus pop-ups are no more, and the memory "eater" is gone. Thanks.

#8 pskelley

  • Members
  • 1,487 posts
  • Gender:Male

Posted 09 May 2008 - 07:00 AM

If you are satisfied your computer is running as it should be, you don't even have to run that scan. It takes a little over an hour on my computer which is clean and not cluttered with junk. If you are going to run it, then follow the directions for maximum results.

If you are not going to run it, let me know so I can post valuable closing information for you.

Thanks...Phil

#9 mabok
  • Topic Starter

  • Members
  • 10 posts

Posted 09 May 2008 - 08:28 AM

As I scan using the Kaspersky Online Scanner,
my Avira will detect some viruses along the way...
so should I just delete those viruses?
But I don't know whether it is a virus... my instinct tells me that it is a virus...

Such as a new virus I found:
Virus or unwanted program 'SPR/HideWindows.I [riskware]'
detected in file 'C:\WINDOWS\system32\cmdow.exe'.
Action performed: Deny access


cmdow.exe is maybe a command-line utility (I googled it).

So, should I just straight away delete all detected viruses?

#10 pskelley

  • Members
  • 1,487 posts
  • Gender:Male

Posted 09 May 2008 - 09:15 AM

I can't say for sure, but it may be part of the Kaspersky Online Scan. Turn your AV off just long enough to run that scan, then turn it right back on. If there is malware on the computer, Kaspersky will find it.

Thanks

#11 mabok
  • Topic Starter

  • Members
  • 10 posts

Posted 13 May 2008 - 06:39 AM

Ok, scanning took a lot of hours.
So I think I'll skip this step.

#12 pskelley

  • Members
  • 1,487 posts
  • Gender:Male

Posted 13 May 2008 - 07:49 AM

Here is another good tool if you wish to do another check.

Download Malwarebytes' Anti-Malware to your desktop.
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiem...owcomputer.html
http://www.microsoft.com/windowsxp/using/h...ps/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiem...prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
BleepingComputer

#13 mabok
  • Topic Starter

  • Members
  • 10 posts

Posted 13 May 2008 - 08:01 AM

Hmmm...

from this link:
http://users.telenet.be/bluepatchy/miekiem...irus%20Scanners

Should I download both Anti-Spyware & Anti-Virus?
Recommend me one if you could.

#14 pskelley

  • Members
  • 1,487 posts
  • Gender:Male

Posted 13 May 2008 - 08:09 AM

You need to have ONE antivirus program and ONE firewall. The jury is still out on how many spyware programs are too many. I believe it will turn out that ONE good program is enough. If you wish to try a good free one, try: http://www.microsoft.com/athome/security/s...re/default.mspx

Thanks for the question