
Packed.win32.monder.gen



#1 greenhurst

Posted 18 May 2008 - 05:43 AM

F-Secure has shown that I am infected with packed.win32.monder.gen but is unable to remove or disinfect. I also have lots of random pop-up windows appearing. I have followed the steps requested to post a new topic other than Kaspersky's (I have limited time today as I am doing this for a friend) and pasted the logfiles below. I would appreciate your help to remove the malware. Thank you. Dave

Deckard's System Scanner v20071014.68
Run by Kevin Bracegirdle on 2008-05-18 11:31:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
6: 2008-05-18 10:31:13 UTC - RP598 - Deckard's System Scanner Restore Point
5: 2008-05-18 10:02:11 UTC - RP597 - System Checkpoint
4: 2008-05-03 13:26:10 UTC - RP596 - System Checkpoint
3: 2008-04-27 11:28:37 UTC - RP595 - F-Secure PersonalExpress 6.02 build 20 Installation
2: 2008-04-20 09:34:28 UTC - RP594 - System Checkpoint


-- First Restore Point --
1: 2008-04-19 08:55:38 UTC - RP593 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 77% (more than 75%).
Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-18 11:33:56
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\SMSS.EXE
C:\WINDOWS\SYSTEM32\WINLOGON.EXE
C:\WINDOWS\SYSTEM32\SERVICES.EXE
C:\WINDOWS\SYSTEM32\LSASS.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TalkTalk Online Security\backweb\81720\Program\ServiceWrapper-81720.exe
C:\Program Files\TalkTalk Online Security\Anti-Virus\fsgk32st.exe
C:\Program Files\TalkTalk Online Security\backweb\81720\Program\fsbwsys.exe
C:\Program Files\TalkTalk Online Security\Anti-Virus\fsgk32.exe
C:\Program Files\TalkTalk Online Security\Common\FSMA32.EXE
C:\Program Files\TalkTalk Online Security\Anti-Virus\fssm32.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\TalkTalk Online Security\Common\FSMB32.EXE
C:\WINDOWS\SYSTEM32\SVCHOST.EXE
C:\Program Files\TalkTalk Online Security\Common\FCH32.EXE
C:\Program Files\TalkTalk Online Security\Common\FAMEH32.EXE
C:\Program Files\TalkTalk Online Security\Anti-Virus\FSRW.exe
C:\Program Files\TalkTalk Online Security\FWES\program\fsdfwd.exe
C:\Program Files\TalkTalk Online Security\Anti-Virus\FSAV32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SYSTEM32\wuauclt.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\WINDOWS\SYSTEM32\hkcmd.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\WINDOWS\SYSTEM32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SYSTEM32\kwinlmdn.exe
C:\WINDOWS\SYSTEM32\RUNDLL32.EXE
C:\Program Files\Common Files\WinAnonymous\stm.exe
C:\Program Files\WinAnonymous\GDC.exe
C:\Program Files\TalkTalk Online Security\Common\FSM32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\TalkTalk Online Security\FSGUI\ispnews.exe
C:\WINDOWS\SYSTEM32\CTFMON.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\TalkTalk Online Security\Anti-Spyware\FSAW.exe
C:\Program Files\TalkTalk Online Security\backweb\81720\Program\fspex.exe
C:\Program Files\TalkTalk Online Security\FSGUI\fsguidll.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Dave Downloads\Bleeping computer\dss.exe
C:\Program Files\TalkTalk Online Security\FSGUI\fsavgui.exe
C:\Program Files\TalkTalk Online Security\FSGUI\fsavaui.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: nextads browser optimizer - {163ce791-3db5-22ca-f565-651eecf93684} - C:\WINDOWS\SYSTEM32\{8e53d3bf-f3a6-e965-ef71-b12970547456}.dll
O2 - BHO: (no name) - {24E9519B-3F70-429B-99BC-4B2B49B96F66} - C:\WINDOWS\system32\ljJDTkJa.dll (file missing)
O2 - BHO: (no name) - {3CAB59B4-55A3-4737-9FD5-B93C6430BF75} - C:\WINDOWS\SYSTEM32\svknpljs.dll
O2 - BHO: {c0fb0606-f1b7-54c9-f3f4-541a304abac5} - {5caba403-a145-4f3f-9c45-7b1f6060bf0c} - C:\WINDOWS\system32\xlmqxwnh.dll (file missing)
O2 - BHO: Search Assistant MySidesearch - {6156A32A-C512-4e23-AA9A-2315F4265681} - C:\WINDOWS\SYSTEM32\myss_sb.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: gooochi browser optimizer - {9e5a7dbc-b23e-8b55-60ba-cc4c01561357} - C:\WINDOWS\SYSTEM32\{b2058875-cd8a-7f6a-808a-b6519f3d2074}.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: (no name) - {ADF5E0E2-A4F3-4BD2-B4E4-66C8861812E6} - C:\WINDOWS\system32\khfFuRiJ.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {B3AD4480-821C-FEE4-16E7-A38F710B2EB3} - C:\WINDOWS\system32\waedys.dll (file missing)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (file missing)
O2 - BHO: (no name) - {BDFD4E80-8343-F8E9-42E7-A38F71537AE5} - C:\WINDOWS\system32\lrvzdfkc.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {4596013b-6c31-408b-a266-deae5c086dc2} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [{DC-CA-A1-19-ZN}] C:\WINDOWS\SYSTEM32\lkdsrngr.exe P2D002
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINDOWS\system32\kwinlmdn.exe P2D002
O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{b2058875-cd8a-7f6a-808a-b6519f3d2074}.dll" DllInit
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C88332017491394662EA4EBF968951185EFC412806867680AEDE604D64C2661377FE13FD97CB77
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Craig Bracegirdle\Local Settings\Temporary Internet Files\Content.IE5\EPUVJRPE\installer_sbd_en[1].exe
O4 - HKLM\..\Run: [Salestart(1)] "C:\Program Files\Common Files\WinAnonymous\stm.exe" dm=http://winanonymous.com ad=http://winanonymous.com sd=http://ilp.winanonymous.com
O4 - HKLM\..\Run: [WinAnonymous] C:\Program Files\WinAnonymous\GDC.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\TalkTalk Online Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\TalkTalk Online Security\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\TalkTalk Online Security\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\TalkTalk Online Security\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [6cddcab6] rundll32.exe "C:\WINDOWS\system32\cvxhttpx.dll",b
O4 - HKLM\..\Run: [BM6feef92a] Rundll32.exe "C:\WINDOWS\system32\bjpkptri.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BM6feef92a] Rundll32.exe "C:\WINDOWS\system32\bjpkptri.dll",s
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\SYSTEM32\kwinlmdn.exe
O4 - Global Startup: TalkTalk Online Security.lnk = C:\Program Files\TalkTalk Online Security\backweb\81720\Program\fspex.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\TalkTalk Online Security\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\TalkTalk Online Security\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\TalkTalk Online Security\Anti-Spyware\ieshield.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: dDspqpqq - C:\WINDOWS\system32\dDspqpqq.dll (file missing)
O20 - Winlogon Notify: ljJDTkJa - C:\WINDOWS\system32\ljJDTkJa.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: TalkTalk Online Security (BackWeb Plug-in - 81720) - BackWeb Technologies Inc. - C:\Program Files\TalkTalk Online Security\backweb\81720\Program\ServiceWrapper-81720.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\SYSTEM32\dlbtcoms.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\TalkTalk Online Security\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\TalkTalk Online Security\backweb\81720\Program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\TalkTalk Online Security\FWES\program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\TalkTalk Online Security\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe


--
End of file - 13525 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 FSFW (F-Secure Firewall Driver) - c:\windows\system32\drivers\fsdfw.sys <Not Verified; F-Secure Corporation; F-Secure Anti-Virus Internet Shield>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
R2 F-Secure Filter (F-Secure File System Filter) - c:\program files\talktalk online security\anti-virus\win2k\fsfilter.sys
R2 F-Secure Gatekeeper - c:\program files\talktalk online security\anti-virus\win2k\fsgk.sys
R2 F-Secure Recognizer (F-Secure File System Recognizer) - c:\program files\talktalk online security\anti-virus\win2k\fsrec.sys
R2 MASPINT - c:\windows\system32\drivers\maspint.sys <Not Verified; MicroStaff Co.,Ltd.; Aspi32 Driver for WinNT>
R3 iadusb (MT882) - c:\windows\system32\drivers\glauiad.sys <Not Verified; Conexant Systems Inc.; Conexant USB to Ethernet (LAN) Viking Modem>

S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 BackWeb Plug-in - 81720 (TalkTalk Online Security) - c:\progra~1\talkta~1\backweb\81720\program\servic~1.exe <Not Verified; BackWeb Technologies Inc.; RunnerEXE Application>
R2 fsbwsys - "c:\program files\talktalk online security\backweb\81720\program\fsbwsys.exe" <Not Verified; F-Secure Corp.; F-Secure BackWeb>
R2 F-Secure Gatekeeper Handler Starter (FSGKHS) - "c:\program files\talktalk online security\anti-virus\fsgk32st.exe" <Not Verified; F-Secure Corp.; F-Secure Corp. Startup service>
R2 FSMA (F-Secure Management Agent) - "c:\program files\talktalk online security\common\fsma32.exe" <Not Verified; F-Secure Corporation; F-Secure Management Agent>
R3 FSDFWD (F-Secure Anti-Virus Firewall Daemon) - "c:\program files\talktalk online security\fwes\program\fsdfwd.exe" <Not Verified; F-Secure Corporation; F-Secure Anti-Virus Internet Shield>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-18 11:12:01 278 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
2008-05-18 10:29:10 544 --a------ C:\WINDOWS\Tasks\Scheduled scanning task.job
2008-04-08 07:01:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-04-18 and 2008-05-18 -----------------------------

2008-05-18 10:32:18 0 d-------- C:\WINDOWS\LastGood
2008-04-27 12:25:19 0 d-------- C:\Dave Downloads
2008-04-27 10:43:21 53312 --a------ C:\WINDOWS\system32\svknpljs.dll
2008-04-20 12:22:26 33840 --a------ C:\WINDOWS\system32\drivers\fsndis5.sys <Not Verified; F-Secure Corporation; F-Secure Anti-Virus Internet Shield>
2008-04-20 12:22:26 70224 --a------ C:\WINDOWS\system32\drivers\fsdfw.sys <Not Verified; F-Secure Corporation; F-Secure Anti-Virus Internet Shield>
2008-04-20 12:22:20 0 d-------- C:\Documents and Settings\All Users\Application Data\F-Secure
2008-04-20 10:43:38 94272 --a------ C:\WINDOWS\system32\rjvwcbmv.dll
2008-04-20 10:40:31 96320 --a------ C:\WINDOWS\system32\lqjtwrri.dll
2008-04-20 10:38:29 53312 --a------ C:\WINDOWS\system32\csldcaob.dll
2008-04-18 15:55:31 96320 --a------ C:\WINDOWS\system32\ytroahwy.dll
2008-04-18 15:54:52 233698 --ahs---- C:\WINDOWS\system32\StBeOUvw.ini2
2008-04-18 15:54:50 274432 --a------ C:\WINDOWS\system32\wvUOeBtS.dll
2008-04-18 14:13:04 0 d-------- C:\Documents and Settings\Kevin Bracegirdle\Application Data\WinAnonymous


-- Find3M Report ---------------------------------------------------------------

2008-05-18 10:40:47 923 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-04-27 12:26:54 373647 --ahs---- C:\WINDOWS\system32\JiRuFfhk.ini2
2008-04-27 12:26:46 0 d-------- C:\Program Files\Windows Live Toolbar
2008-04-20 13:59:11 0 d-------- C:\Program Files\Common Files
2008-04-20 13:49:20 0 d-------- C:\Program Files\BearShare
2008-04-20 13:38:50 0 d-------- C:\Program Files\nvcoi
2008-04-20 12:29:14 0 d-------- C:\Documents and Settings\Kevin Bracegirdle\Application Data\F-Secure
2008-04-20 12:21:55 0 d-------- C:\Program Files\TalkTalk Online Security
2008-04-17 18:42:46 0 d-------- C:\Program Files\WinAnonymous
2008-04-17 18:40:19 92736 --a------ C:\WINDOWS\system32\khpcewcr.dll
2008-04-17 12:36:02 92736 --a------ C:\WINDOWS\system32\xapjywjg.dll
2008-04-17 12:35:06 345 --ahs---- C:\WINDOWS\system32\JRXbcJlm.ini2
2008-04-17 12:31:04 0 d-------- C:\Program Files\Common Files\?ystem32
2008-04-15 17:38:05 0 d-------- C:\Program Files\Common Files\WinAnonymous
2008-04-15 17:19:47 91712 --a------ C:\WINDOWS\system32\qlappmrd.dll
2008-04-15 17:16:47 53312 --a------ C:\WINDOWS\system32\xkaukuyu.dll
2008-04-15 17:14:56 96320 --a------ C:\WINDOWS\system32\kbcgwdgq.dll
2008-04-15 05:36:38 92224 --a------ C:\WINDOWS\system32\obrkfwmf.dll
2008-04-15 05:33:17 85056 --a------ C:\WINDOWS\system32\nnjdlpyd.dll
2008-04-15 05:31:04 0 d-------- C:\Program Files\Temporary
2008-04-14 22:45:22 53312 --a------ C:\WINDOWS\system32\ckcbjmei.dll
2008-04-14 22:42:11 96320 --a------ C:\WINDOWS\system32\hixxutvo.dll
2008-04-14 22:36:02 0 d-------- C:\Program Files\AntiSpywareMaster
2008-04-14 21:11:09 89070 --a------ C:\WINDOWS\system32\myss_sb_uninstall.exe
2008-04-13 22:53:11 41723 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2008-04-13 22:42:11 92736 --a------ C:\WINDOWS\system32\gwjfiwpj.dll
2008-04-13 22:40:20 95296 --a------ C:\WINDOWS\system32\jcyiagyq.dll
2008-04-13 22:40:14 53312 --a------ C:\WINDOWS\system32\kavuhtqp.dll
2008-04-13 22:34:41 0 d-------- C:\Program Files\Outerinfo
2008-04-13 22:34:39 0 d-------- C:\Program Files\Common Files\?ecurity
2008-04-13 22:34:35 687592 --a------ C:\WINDOWS\system32\atmtd.dll
2008-04-11 16:46:26 334848 --a------ C:\WINDOWS\system32\myss_sb.dll
2008-04-10 21:07:41 88961 --a------ C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
2008-04-07 17:23:34 331264 --a------ C:\WINDOWS\system32\{b2058875-cd8a-7f6a-808a-b6519f3d2074}.dll
2008-04-04 13:35:02 329728 --a------ C:\WINDOWS\system32\{8e53d3bf-f3a6-e965-ef71-b12970547456}.dll
2008-04-04 09:56:23 0 d-------- C:\Documents and Settings\Kevin Bracegirdle\Application Data\Adobe
2008-03-31 22:51:25 0 d-------- C:\Program Files\Kontiki
2008-03-30 01:20:10 0 d-------- C:\Program Files\Google
2008-03-29 21:33:56 0 d-------- C:\Documents and Settings\Kevin Bracegirdle\Application Data\AdobeUM
2008-03-28 09:43:40 196678 --a------ C:\WINDOWS\system32\kwinlmdn.exe
2008-03-13 15:58:50 200774 --a------ C:\WINDOWS\system32\kwinlmdo.exe
2008-03-04 20:32:27 105984 --a------ C:\WINDOWS\b152.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{163ce791-3db5-22ca-f565-651eecf93684}]
04/04/2008 13:35 329728 --a------ C:\WINDOWS\system32\{8e53d3bf-f3a6-e965-ef71-b12970547456}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24E9519B-3F70-429B-99BC-4B2B49B96F66}]
C:\WINDOWS\system32\ljJDTkJa.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CAB59B4-55A3-4737-9FD5-B93C6430BF75}]
27/04/2008 10:43 53312 --a------ C:\WINDOWS\system32\svknpljs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5caba403-a145-4f3f-9c45-7b1f6060bf0c}]
C:\WINDOWS\system32\xlmqxwnh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6156A32A-C512-4e23-AA9A-2315F4265681}]
11/04/2008 16:46 334848 --a------ C:\WINDOWS\system32\myss_sb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9e5a7dbc-b23e-8b55-60ba-cc4c01561357}]
07/04/2008 17:23 331264 --a------ C:\WINDOWS\system32\{b2058875-cd8a-7f6a-808a-b6519f3d2074}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ADF5E0E2-A4F3-4BD2-B4E4-66C8861812E6}]
C:\WINDOWS\system32\khfFuRiJ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3AD4480-821C-FEE4-16E7-A38F710B2EB3}]
C:\WINDOWS\system32\waedys.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDFD4E80-8343-F8E9-42E7-A38F71537AE5}]
C:\WINDOWS\system32\lrvzdfkc.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [14/10/2004 16:42]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [19/11/2003 18:48]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [11/04/2004 21:15]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [03/09/2003 21:12]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [08/02/2005 02:15]
"Dell Photo AIO Printer 922"="C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [18/06/2004 16:30]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [04/02/2002 22:32]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [20/09/2005 10:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [20/09/2005 10:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [20/09/2005 10:36]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [29/06/2007 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [15/08/2007 20:15]
"{DC-CA-A1-19-ZN}"="C:\WINDOWS\SYSTEM32\lkdsrngr.exe" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50]
"g]eeV\mWhjlnspB"="C:\WINDOWS\system32\kwinlmdn.exe" [28/03/2008 09:43]
"spa_start"="C:\WINDOWS\system32\{b2058875-cd8a-7f6a-808a-b6519f3d2074}.dll" [07/04/2008 17:23]
"runner1"="C:\WINDOWS\mrofinu572.exe" []
"SBI"="C:\Documents and Settings\Craig Bracegirdle\Local Settings\Temporary Internet Files\Content.IE5\EPUVJRPE\installer_sbd_en[1].exe" []
"Salestart(1)"="C:\Program Files\Common Files\WinAnonymous\stm.exe" [27/02/2008 19:59]
"WinAnonymous"="C:\Program Files\WinAnonymous\GDC.exe" [03/04/2008 17:38]
"F-Secure Manager"="C:\Program Files\TalkTalk Online Security\Common\FSM32.exe" [09/05/2005 08:05]
"F-Secure TNB"="C:\Program Files\TalkTalk Online Security\TNB\TNBUtil.exe" [02/06/2005 14:05]
"F-Secure Startup Wizard"="C:\Program Files\TalkTalk Online Security\FSGUI\FSSW.exe" [18/11/2005 13:57]
"News Service"="C:\Program Files\TalkTalk Online Security\FSGUI\ispnews.exe" [31/05/2005 13:45]
"6cddcab6"="C:\WINDOWS\system32\cvxhttpx.dll" []
"BM6feef92a"="C:\WINDOWS\system32\bjpkptri.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [13/10/2004 17:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 06:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [09/04/2008 20:06]
"BM6feef92a"="C:\WINDOWS\system32\bjpkptri.dll,s" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Documents and Settings\Kevin Bracegirdle\Start Menu\Programs\Startup\
Deewoo.lnk - C:\WINDOWS\SYSTEM32\kwinlmdn.exe [28/03/2008 09:43:37]
DESKTOP.INI [10/08/2004 14:04:12]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [10/08/2004 14:04:12]
TalkTalk Online Security.lnk - C:\Program Files\TalkTalk Online Security\backweb\81720\Program\fspex.exe [20/04/2008 12:18:17]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{24E9519B-3F70-429B-99BC-4B2B49B96F66}"= C:\WINDOWS\system32\ljJDTkJa.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dDspqpqq]
dDspqpqq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljJDTkJa]
ljJDTkJa.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\khfFuRiJ




-- End of Deckard's System Scanner: finished at 2008-05-18 11:35:03 ------------
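A small triage script, added here as an example and not part of the thread or of any BleepingComputer or Deckard tool, that parses HijackThis-style O2/O4/O20 lines like the ones in the log above (a few of them are copied in as the constructed sample, with one known-good entry per section as a control) and flags the patterns a helper checks by hand: orphaned "(file missing)" entries, random-looking eight-letter names under the Windows directory, DLLs loaded through rundll32 with a one-letter export, and Winlogon Notify hooks. The heuristics and thresholds are my assumptions, not the forum's rules.

```python
"""Triage helper for HijackThis-style log lines (the O2/O4/O20 entries above).

Added example, not a BleepingComputer or Deckard tool. The heuristics are
assumptions a reviewer would apply by hand; a hit means "look closer", not
"malicious"."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a handful of lines copied from the HijackThis section of
# the log above, with one known-good entry per section mixed in as a control.
SAMPLE_LOG = r"""
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {24E9519B-3F70-429B-99BC-4B2B49B96F66} - C:\WINDOWS\system32\ljJDTkJa.dll (file missing)
O2 - BHO: (no name) - {3CAB59B4-55A3-4737-9FD5-B93C6430BF75} - C:\WINDOWS\SYSTEM32\svknpljs.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [6cddcab6] rundll32.exe "C:\WINDOWS\system32\cvxhttpx.dll",b
O4 - Startup: Deewoo.lnk = C:\WINDOWS\SYSTEM32\kwinlmdn.exe
O20 - Winlogon Notify: dDspqpqq - C:\WINDOWS\system32\dDspqpqq.dll (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*?): (.*)$")  # O<n> - <label>: <body>
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"<>|]*?\.(?:dll|exe))"?', re.IGNORECASE)
SYSTEM_DIR_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\(system32\\)?[^\\]+$", re.IGNORECASE)
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"[^"]+\.dll",\s*[A-Za-z]\b', re.IGNORECASE)
FILE_MISSING = "(file missing)"


@dataclass
class Entry:
    kind: str            # O2, O4, O20, ...
    label: str           # "BHO", "HKLM\..\Run", "Winlogon Notify", ...
    body: str            # everything after the label
    path: Optional[str]  # first .dll/.exe path in the body, if any
    raw: str


def parse_line(line: str) -> Optional[Entry]:
    """Split one HijackThis-style line into kind, label, body and first path."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, label, body = m.groups()
    pm = PATH_RE.search(body)
    return Entry(kind, label, body, pm.group(1) if pm else None, line.strip())


def looks_random(filename: str) -> bool:
    """Heuristic: an 8-letter stem with at most two vowels (svknpljs, cvxhttpx).

    winlogon.exe and explorer.exe have three vowels and pass; Intel's
    igfxpers.exe has two and trips it, which is why this is only a prompt."""
    stem = filename.rsplit(".", 1)[0]
    if not (len(stem) == 8 and stem.isalpha()):
        return False
    return sum(ch in "aeiouAEIOU" for ch in stem) <= 2


def triage_entry(e: Entry) -> List[str]:
    """Return the reasons (possibly none) this entry deserves a closer look."""
    reasons = []
    if FILE_MISSING in e.body:
        reasons.append("orphaned entry: the referenced file no longer exists")
    if e.path and SYSTEM_DIR_RE.match(e.path) and looks_random(e.path.rsplit("\\", 1)[1]):
        reasons.append("random-looking 8-letter name under C:\\WINDOWS or system32")
    if e.kind == "O4" and RUNDLL_RE.search(e.body):
        reasons.append("Run entry loads a DLL through rundll32 with a one-letter export")
    if e.kind == "O20":
        reasons.append("Winlogon Notify DLL loads at every logon; verify the publisher")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Run every line through the heuristics; return (raw line, reasons) for hits."""
    findings = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None:
            reasons = triage_entry(e)
            if reasons:
                findings.append((e.raw, reasons))
    return findings


if __name__ == "__main__":
    for raw, reasons in triage(SAMPLE_LOG):
        print(raw)
        for r in reasons:
            print("   ->", r)
```

Run against the full log, the same heuristics also pick up the O4 entries for kwinlmdn.exe, lkdsrngr.exe and bjpkptri.dll; a hit is a reason to check the file's publisher and creation date, not a verdict.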

#2 OldTimer

Posted 18 May 2008 - 10:51 PM

Hello greenhurst and welcome to BC. Let's see what we can find. Please follow the steps below in order:

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it back.
Use the Add Reply button and attach the file in your next post (do not try to copy/paste it into the post).

Cheers.

OT