Infected With Virtumonde.dll And Many Others


  • This topic is locked
2 replies to this topic

#1 shepsta

Posted 25 May 2008 - 03:30 AM

Hello,

I have been given an XP computer to fix by a friend.
It was coming up with all sorts of different popups and alerts.
They had no antivirus software but got lured into purchasing one through one of the popups, just to find their Visa got charged 3 times! I can only access the Administrator account through Safe Mode. The rest of the accounts come up with a userinit.exe 0xc0000005 error. I have installed and run Spybot S&D and it tells me it has cleared all the baddies out. I have attached the report from that scan too.
I need help and would prefer not to reinstall Windows.

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-05-25 22:13:11
Computer is in Safe Mode with Networking.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; computer is in safe mode.


-- Last 5 Restore Point(s) --
69: 2008-05-25 21:05:58 UTC - RP263 - Software Distribution Service 3.0
68: 2008-05-25 19:14:09 UTC - RP262 - Software Distribution Service 3.0
67: 2008-05-25 19:04:26 UTC - RP261 - Last known good configuration
66: 2008-05-25 19:03:43 UTC - RP260 - Restore Operation
65: 2008-05-25 19:03:43 UTC - RP259 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-05-25 19:03:02 UTC - RP195 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 247 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:14:50 p.m., on 25/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator.LEON\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://hjt-data.trend-braintree.com/hjt/an...?report=6385207
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: 0 - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {B4AE9134-FBB6-484A-89BB-B39C9ED47449} - C:\WINDOWS\system32\nnnoOfcd.dll (file missing)
O3 - Toolbar: mkrndofl - {26FC4874-ECF7-4D7B-AC0C-1040582BE725} - C:\WINDOWS\mkrndofl.dll (file missing)
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BM2b4cc966] Rundll32.exe "C:\WINDOWS\system32\fwovxlov.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA9142] command /c del "C:\Documents and Settings\tony\Start Menu\XP Antivirus 2008\Uninstall XP Antivirus 2008.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6711] cmd /c del "C:\Documents and Settings\tony\Start Menu\XP Antivirus 2008\Uninstall XP Antivirus 2008.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingA212] command /c del "C:\Documents and Settings\tony\Start Menu\XP Antivirus 2008\XP Antivirus 2008.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9002] cmd /c del "C:\Documents and Settings\tony\Start Menu\XP Antivirus 2008\XP Antivirus 2008.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1556] command /c del "C:\Program Files\ContraVirus\secieaddin.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9764] cmd /c del "C:\Program Files\ContraVirus\secieaddin.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6631] command /c del "C:\Program Files\ContraVirus\cvantispam.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5730] cmd /c del "C:\Program Files\ContraVirus\cvantispam.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7231] command /c del "C:\Program Files\ContraVirus\ContraVirusPro.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingC281] cmd /c del "C:\Program Files\ContraVirus\ContraVirusPro.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2134] command /c del "C:\Program Files\ContraVirus\uninst.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9930] cmd /c del "C:\Program Files\ContraVirus\uninst.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6237] command /c del "C:\Program Files\ContraVirus\Languages\English.ini"
O4 - HKLM\..\RunOnce: [SpybotDeletingC823] cmd /c del "C:\Program Files\ContraVirus\Languages\English.ini"
O4 - HKLM\..\RunOnce: [SpybotDeletingA350] command /c del "C:\Program Files\ContraVirus\Languages\Spanish.ini"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9917] cmd /c del "C:\Program Files\ContraVirus\Languages\Spanish.ini"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7040] command /c del "C:\Program Files\ContraVirus\extension.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2573] cmd /c del "C:\Program Files\ContraVirus\extension.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3725] command /c del "C:\Program Files\ContraVirus\plugin.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC750] cmd /c del "C:\Program Files\ContraVirus\plugin.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6599] command /c del "C:\Program Files\ContraVirus\Plugins\DesktopManager\DesktopManager.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9489] cmd /c del "C:\Program Files\ContraVirus\Plugins\DesktopManager\DesktopManager.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1598] command /c del "C:\WINDOWS\system32\nnnoOfcd.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4591] cmd /c del "C:\WINDOWS\system32\nnnoOfcd.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3789] command /c del "C:\WINDOWS\system32\rqRJYrPG.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC766] cmd /c del "C:\WINDOWS\system32\rqRJYrPG.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7429] command /c del "C:\WINDOWS\wetkadmr.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5097] cmd /c del "C:\WINDOWS\wetkadmr.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1580] command /c del "C:\WINDOWS\system32\rqRJYrPG.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7674] cmd /c del "C:\WINDOWS\system32\rqRJYrPG.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8638] command /c del "C:\WINDOWS\mkrndofl.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC237] cmd /c del "C:\WINDOWS\mkrndofl.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB8711] command /c del "C:\Documents and Settings\tony\Start Menu\XP Antivirus 2008\Uninstall XP Antivirus 2008.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4016] cmd /c del "C:\Documents and Settings\tony\Start Menu\XP Antivirus 2008\Uninstall XP Antivirus 2008.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6086] command /c del "C:\Documents and Settings\tony\Start Menu\XP Antivirus 2008\XP Antivirus 2008.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9048] cmd /c del "C:\Documents and Settings\tony\Start Menu\XP Antivirus 2008\XP Antivirus 2008.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7114] command /c del "C:\Program Files\ContraVirus\secieaddin.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8876] cmd /c del "C:\Program Files\ContraVirus\secieaddin.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6193] command /c del "C:\Program Files\ContraVirus\cvantispam.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6796] cmd /c del "C:\Program Files\ContraVirus\cvantispam.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB312] command /c del "C:\Program Files\ContraVirus\ContraVirusPro.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8655] cmd /c del "C:\Program Files\ContraVirus\ContraVirusPro.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9780] command /c del "C:\Program Files\ContraVirus\uninst.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1116] cmd /c del "C:\Program Files\ContraVirus\uninst.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB160] command /c del "C:\Program Files\ContraVirus\Languages\English.ini"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1403] cmd /c del "C:\Program Files\ContraVirus\Languages\English.ini"
O4 - HKCU\..\RunOnce: [SpybotDeletingB954] command /c del "C:\Program Files\ContraVirus\Languages\Spanish.ini"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7387] cmd /c del "C:\Program Files\ContraVirus\Languages\Spanish.ini"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7408] command /c del "C:\Program Files\ContraVirus\extension.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1967] cmd /c del "C:\Program Files\ContraVirus\extension.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6707] command /c del "C:\Program Files\ContraVirus\plugin.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5356] cmd /c del "C:\Program Files\ContraVirus\plugin.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8039] command /c del "C:\Program Files\ContraVirus\Plugins\DesktopManager\DesktopManager.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8236] cmd /c del "C:\Program Files\ContraVirus\Plugins\DesktopManager\DesktopManager.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6758] command /c del "C:\WINDOWS\system32\nnnoOfcd.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8232] cmd /c del "C:\WINDOWS\system32\nnnoOfcd.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5308] command /c del "C:\WINDOWS\system32\rqRJYrPG.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8463] cmd /c del "C:\WINDOWS\system32\rqRJYrPG.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5482] command /c del "C:\WINDOWS\wetkadmr.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7891] cmd /c del "C:\WINDOWS\wetkadmr.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7151] command /c del "C:\WINDOWS\system32\rqRJYrPG.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2752] cmd /c del "C:\WINDOWS\system32\rqRJYrPG.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB568] command /c del "C:\WINDOWS\mkrndofl.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9678] cmd /c del "C:\WINDOWS\mkrndofl.dll_old"
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Register/Br...018/flashax.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00FB08B.dat
O21 - SSODL: tdomgafw - {3D09846C-38F8-4A7C-BFAE-085BF8754078} - C:\WINDOWS\tdomgafw.dll
O21 - SSODL: wetkadmr - {9F9DE664-0550-459D-B56E-316E4EE9B036} - C:\WINDOWS\wetkadmr.dll (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

--
End of file - 13797 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 RMSPPPOE (WAN Miniport (PPP over Ethernet Protocol)) - c:\windows\system32\drivers\rmspppoe.sys <Not Verified; Robert Schlabbach; PPP over Ethernet Protocol>

S1 ANC - c:\windows\system32\drivers\anc.sys <Not Verified; IBM Corp.; IBM Access Connections>
S1 IBMTPCHK - c:\windows\system32\drivers\ibmbldid.sys
S1 Smapint - c:\windows\system32\drivers\smapint.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
S1 StarOpen - c:\windows\system32\drivers\staropen.sys
S1 TDSMAPI - c:\windows\system32\drivers\tdsmapi.sys
S1 TPHKDRV - c:\windows\system32\drivers\tphkdrv.sys <Not Verified; IBM Corporation; ThinkPad OnScreenDisplay>
S1 TPPWR - c:\windows\system32\drivers\tppwr.sys <Not Verified; IBM Corp.; IBM ThinkPad Utility>
S1 TSMAPIP - c:\windows\system32\drivers\tsmapip.sys
S2 ibmfilter - c:\windows\system32\drivers\ibmfilter.sys <Not Verified; IBM; FFE and RRU>
S2 PMEM - c:\windows\system32\drivers\pmemnt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
S3 BVRPMPR5 (BVRPMPR5 NDIS Protocol Driver) - c:\windows\system32\drivers\bvrpmpr5.sys <Not Verified; BVRP Software; BVRPNDIS Rawether for Windows>
S3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys <Not Verified; Politecnico di Torino; NPF Driver>
S3 psadd (IBM PSA Access Driver) - c:\windows\system32\drivers\psadd.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>
S3 QCNDISIF - c:\windows\system32\drivers\qcndisif.sys <Not Verified; IBM Corporation.; IBM ThinkPad Utility>
S3 RT73 (DYWUK54 Wireless Adapter) - c:\windows\system32\drivers\rt73.sys <Not Verified; Ralink Technology, Corp.; Ralink 802.11 Wireless Adapters>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 IBM Rapid Restore Ultra Service - "c:\program files\ibm\ibm rapid restore ultra\rrpcsb.exe" <Not Verified; ; rrpcsb Module>
S2 QCONSVC - system32\qconsvc.exe <Not Verified; IBM Corp.; IBM ThinkPad Utility>
S2 TpKmpSVC (IBM KCU Service) - c:\windows\system32\tpkmpsvc.exe
S3 PsaSrv (IBM PSA Access Driver Control) - c:\windows\system32\psasrv.exe (file missing)
S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\program files\winpcap\rpcapd.exe" -d -f "c:\program files\winpcap\rpcapd.ini" <Not Verified; NetGroup - Politecnico di Torino; Remote Packet Capture Daemon>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-09 20:00:00 474 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - chandra.job
2004-12-10 16:21:46 298 --a------ C:\WINDOWS\Tasks\BMMTask.job


-- Files created between 2008-04-25 and 2008-05-25 -----------------------------

2008-05-25 22:14:39 0 d-------- C:\Program Files\Trend Micro
2008-05-25 19:22:37 0 d-------- C:\Documents and Settings\Administrator.LEON\Application Data\Macromedia
2008-05-25 19:19:15 0 d-------- C:\Documents and Settings\Administrator.LEON\Application Data\Adobe
2008-05-25 19:02:10 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-25 12:37:41 0 d-------- C:\Documents and Settings\Administrator.LEON\Application Data\Identities
2008-05-25 12:37:40 0 d--h----- C:\Documents and Settings\Administrator.LEON\Templates
2008-05-25 12:37:40 0 dr------- C:\Documents and Settings\Administrator.LEON\Start Menu
2008-05-25 12:37:40 0 dr-h----- C:\Documents and Settings\Administrator.LEON\SendTo
2008-05-25 12:37:40 0 dr-h----- C:\Documents and Settings\Administrator.LEON\Recent
2008-05-25 12:37:40 0 d--h----- C:\Documents and Settings\Administrator.LEON\PrintHood
2008-05-25 12:37:40 0 d--h----- C:\Documents and Settings\Administrator.LEON\NetHood
2008-05-25 12:37:40 0 dr------- C:\Documents and Settings\Administrator.LEON\My Documents
2008-05-25 12:37:40 0 d--h----- C:\Documents and Settings\Administrator.LEON\Local Settings
2008-05-25 12:37:40 0 dr------- C:\Documents and Settings\Administrator.LEON\Favorites
2008-05-25 12:37:40 0 d-------- C:\Documents and Settings\Administrator.LEON\Desktop
2008-05-25 12:37:40 0 d--hs---- C:\Documents and Settings\Administrator.LEON\Cookies
2008-05-25 12:37:40 0 dr-h----- C:\Documents and Settings\Administrator.LEON\Application Data
2008-05-25 12:37:40 0 d-------- C:\Documents and Settings\Administrator.LEON\Application Data\Symantec
2008-05-25 12:37:40 0 d-------- C:\Documents and Settings\Administrator.LEON\Application Data\Sonic
2008-05-25 12:37:39 786432 --ah----- C:\Documents and Settings\Administrator.LEON\NTUSER.DAT
2008-05-25 12:13:30 2560 --a------ C:\WINDOWS\system32\cirftafy.exe
2008-05-25 12:06:23 51200 --a------ C:\WINDOWS\system32\__c00FB08B.dat
2008-05-25 12:06:19 51200 --a------ C:\WINDOWS\system32\nuqsohre.dll
2008-05-25 12:05:42 103424 --a------ C:\WINDOWS\system32\fwovxlov.dll
2008-05-25 11:43:28 0 d-------- C:\Documents and Settings\Administrator\Application Data
2008-05-25 11:43:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2008-05-25 11:43:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-05-25 11:43:27 0 d-------- C:\Documents and Settings\Administrator\Templates
2008-05-25 11:43:27 0 d-------- C:\Documents and Settings\Administrator\SendTo
2008-05-25 11:43:27 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-05-25 11:43:27 0 d-------- C:\Documents and Settings\Administrator\Local Settings
2008-05-25 11:43:27 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-05-25 11:43:27 0 d-------- C:\Documents and Settings\Administrator\Cookies
2008-05-25 11:30:17 51200 --a------ C:\WINDOWS\system32\__c00DCF10.dat
2008-05-15 23:59:15 32256 --a------ C:\WINDOWS\system32\__c00DD99E.dat
2008-05-15 22:10:45 0 d-------- C:\WINDOWS\privacy_danger(2)
2008-05-10 14:30:38 3407872 --a------ C:\Documents and Settings\tony\ntuser.dat
2008-05-10 14:30:37 233472 --a------ C:\Documents and Settings\LocalService\ntuser.dat
2008-05-10 03:56:26 0 d-------- C:\Program Files\Advanced System Optimizer
2008-05-09 16:50:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-09 13:57:10 32256 --a------ C:\WINDOWS\system32\__c006153E.dat
2008-05-08 23:45:53 32 --ahs---- C:\WINDOWS\{197C0ADA-5876-4BFA-A27F-1388A89E6CC7}.dat
2008-05-08 23:45:52 32 --ahs---- C:\WINDOWS\system32\{9A53F505-E48C-461B-9465-423F50FA66BA}.dat
2008-05-08 23:44:18 14 --a------ C:\WINDOWS\system32\SR2.dat
2008-05-08 23:30:32 0 d-------- C:\Program Files\Symantec
2008-05-08 23:29:25 0 d-------- C:\Program Files\Norton AntiVirus
2008-05-08 18:49:21 0 d-------- C:\Program Files\AntiSpywareMaster
2008-05-08 17:25:10 0 d-------- C:\Program Files\CableRouting
2008-05-08 16:50:54 319583 --ahs---- C:\WINDOWS\system32\GPrYJRqr.ini2
2008-05-08 16:45:33 0 d-------- C:\Documents and Settings\tony\Application Data\TmpRecentIcons
2008-05-08 13:27:54 1 --a------ C:\WINDOWS\system32\kr_done1de
2008-05-08 13:26:01 196608 --a------ C:\WINDOWS\tdomgafw.dll
2008-05-08 13:26:01 270336 --a------ C:\WINDOWS\qvlbodmnbew.dll
2008-05-08 13:26:01 81920 --a------ C:\WINDOWS\knxsrgte.exe
2008-05-08 13:25:04 160256 --a------ C:\WINDOWS\system32\blackster.scr <Not Verified; Peter's Productions; Bugs!>
2008-05-08 13:24:47 96256 --a------ C:\WINDOWS\system32\ctfmona.exe
2008-05-05 16:20:56 0 d-------- C:\Program Files\Microsoft Silverlight
2008-04-27 18:39:15 0 d-------- C:\rf
2008-04-27 18:38:54 0 -rahs---- C:\MSDOS.SYS


-- Find3M Report ---------------------------------------------------------------

2008-05-25 19:02:10 0 d-------- C:\Program Files\Common Files
2008-05-25 13:25:36 0 d-------- C:\Program Files\XP Antivirus
2008-05-10 03:54:49 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-03 17:39:12 0 d-------- C:\Program Files\Learning TurboCAD 12


-- Registry Dump ---------------------------------------------------------------



-- End of Deckard's System Scanner: finished at 2008-05-25 22:15:25 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® M processor 1300MHz
Percentage of Memory in Use: 51%
Physical Memory (total/avail): 246.42 MiB / 120.48 MiB
Pagefile Memory (total/avail): 605.4 MiB / 520.08 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1928 MiB

C: is Fixed (NTFS) - 23.45 GiB total, 13.42 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - FUJITSU MHT2030AT - 27.95 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 23.45 GiB - C:
\PARTITION1 - Unknown - 4.49 GiB



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AntiVirusDisableNotify is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%ProgramFiles%\\IBM\\Updater\\jre\\bin\\javaw.exe"="%ProgramFiles%\\IBM\\Updater\\jre\\bin\\javaw.exe:*:enabled:Java launcher"
"%ProgramFiles%\\IBM\\Updater\\jre\\bin\\java.exe"="%ProgramFiles%\\IBM\\Updater\\jre\\bin\\java.exe:*:enabled:Java launcher"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"="C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe:*:Enabled:Java launcher "
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"="C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe:*:Enabled:Java launcher "
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%ProgramFiles%\\IBM\\Updater\\jre\\bin\\javaw.exe"="%ProgramFiles%\\IBM\\Updater\\jre\\bin\\javaw.exe:*:enabled:Java launcher"
"%ProgramFiles%\\IBM\\Updater\\jre\\bin\\java.exe"="%ProgramFiles%\\IBM\\Updater\\jre\\bin\\java.exe:*:enabled:Java launcher"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"="C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe:*:Enabled:Java launcher "
"C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"="C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe:*:Enabled:Java launcher "
"C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"="C:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe:*:Disabled:TaskPanl"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"


-- Environment Variables -------------------------------------------------------



-- User Profiles ---------------------------------------------------------------

chandra (admin)
tony (admin)
leon sp (admin)
Administrator.LEON (admin)


-- Add/Remove Programs ---------------------------------------------------------



-- Application Event Log -------------------------------------------------------

Event Record #/Type4210 / Warning
Event Submitted/Written: 05/25/2008 07:03:16 PM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x8007043C

Event Record #/Type4209 / Error
Event Submitted/Written: 05/25/2008 07:02:16 PM
Event ID/Source: 1008 / MsiInstaller
Event Description:
The installation of C:\Program Files\Common Files\Wise Installation Wizard\WISDED53B0BB67C4244AE6AD6FD3C28D1EF_7_1_0_7.MSI is not permitted due to an error in software restriction policy processing. The object cannot be trusted.

Event Record #/Type4201 / Error
Event Submitted/Written: 05/25/2008 00:29:16 PM / 05/25/2008 00:29:17 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16640, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type4200 / Error
Event Submitted/Written: 05/25/2008 00:29:15 PM / 05/25/2008 00:29:16 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16640, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type4194 / Error
Event Submitted/Written: 05/25/2008 11:30:30 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application explorer.exe, version 6.0.2900.3156, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00013396.
Processing media-specific event for [explorer.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type33732 / Error
Event Submitted/Written: 05/25/2008 10:11:18 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
ANC
Fips
IBMTPCHK
intelppm
Smapint
StarOpen
TDSMAPI
TPHKDRV
TPPWR
TSMAPIP

Event Record #/Type33731 / Error
Event Submitted/Written: 05/25/2008 10:10:13 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type33719 / Error
Event Submitted/Written: 05/25/2008 09:46:41 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Application Layer Gateway Service service failed to start due to the following error:
%%1053

Event Record #/Type33718 / Error
Event Submitted/Written: 05/25/2008 09:46:40 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.

Event Record #/Type33708 / Error
Event Submitted/Written: 05/25/2008 09:45:21 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}



-- End of Deckard's System Scanner: finished at 2008-05-25 22:15:25 ------------

Spybot Report

--- Report generated: 2008-05-25 15:02 ---

ContraVirus: [SBI $12F97C3D] Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{307C2E42-267A-11DC-ACA0-7CCB56D89593}

ContraVirus: [SBI $DC991302] Type library (Registry key, nothing done)
HKEY_CLASSES_ROOT\TypeLib\{FE4054F8-266A-11DC-AEA3-B9A056D89593}

ContraVirus: [SBI $A959C141] Settings (Registry key, nothing done)
HKEY_CLASSES_ROOT\AppID\IEControl.DLL

ContraVirus: [SBI $82AF123D] Application ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\AppID\{7C11C36C-2AE0-4489-9B09-A6129139D52D}

ContraVirus: [SBI $C59C9350] Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBE5BEE8-F032-11DB-826A-C4BB56D89593}

ContraVirus: [SBI $B5D8DCF8] Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CVPro.Server

ContraVirus: [SBI $B5D8DCF8] Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CVPro.Server.1

ContraVirus: [SBI $3C6A022A] Uninstall settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ContraVirus

ContraVirus: [SBI $7E45960C] Executable (File, nothing done)
C:\WINDOWS\system32\xpuupdate.exe

Smitfraud-C.: [SBI $12AFAB04] Program directory (Directory, nothing done)
C:\WINDOWS\privacy_danger\

Smitfraud-C.gp: [SBI $901C9C72] Link (File, nothing done)
C:\Documents and Settings\leon sp\Favorites\Error Cleaner.url

Smitfraud-C.gp: [SBI $901C9C72] Link (File, nothing done)
C:\Documents and Settings\tony\Favorites\Error Cleaner.url

Smitfraud-C.gp: [SBI $A66DB21C] Link (File, nothing done)
C:\Documents and Settings\leon sp\Favorites\Privacy Protector.url

Smitfraud-C.gp: [SBI $A66DB21C] Link (File, nothing done)
C:\Documents and Settings\tony\Favorites\Privacy Protector.url

Smitfraud-C.gp: [SBI $472076AC] Link (File, nothing done)
C:\Documents and Settings\leon sp\Favorites\Spyware&Malware Protection.url

Smitfraud-C.gp: [SBI $472076AC] Link (File, nothing done)
C:\Documents and Settings\tony\Favorites\Spyware&Malware Protection.url

Smitfraud-C.gp: [SBI $D1117B94] Link (File, nothing done)
C:\Documents and Settings\leon sp\Desktop\Spyware&Malware Protection.url

Smitfraud-C.gp: [SBI $D1117B94] Link (File, nothing done)
C:\Documents and Settings\tony\Desktop\Spyware&Malware Protection.url

Smitfraud-C.gp: [SBI $C4C37DA6] Link (File, nothing done)
C:\Documents and Settings\leon sp\Desktop\Error Cleaner.url

Smitfraud-C.gp: [SBI $C4C37DA6] Link (File, nothing done)
C:\Documents and Settings\tony\Desktop\Error Cleaner.url

Smitfraud-C.MSVPS: [SBI $B4181187] Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D23BF150-4C7B-4632-A723-DC604C2A47FB}

Smitfraud-C.MSVPS: [SBI $B4181187] Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D23BF150-4C7B-4632-A723-DC604C2A47FB}

Vario.AntiVirus: [SBI $C872C8EA] Executable (File, nothing done)
C:\Documents and Settings\tony\Local Settings\Temp\~uavsetup.exe

VirusBlast: [SBI $B621D0FD] Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{E6B4AB50-F423-4EE6-9839-B35DCFCDFA49}

VirusBlast: [SBI $86D5094B] Type library (Registry key, nothing done)
HKEY_CLASSES_ROOT\TypeLib\{283ED043-D403-4808-BF28-FCDE29DCF1FB}

Hotbar: [SBI $5B09860F] Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{74CC49F7-EB32-4A08-B204-948962A6E3DB}

SpyShield: [SBI $F9625484] Application ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\AppID\{9DA1990B-9BCA-4c80-AEFB-11A40FA849F9}

SpyShield: [SBI $AD1ACA7B] Application ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\AppID\{C628512D-A058-4BD4-B47B-B036F45FA02B}

SpyShield: [SBI $2282C6CA] Application ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\AppID\spamdet.DLL

SpyShield: [SBI $B4578B69] Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{214345B8-BB69-498D-A168-29F58F15D806}

Win32.Agent.cn: [SBI $39D44109] Picture (File, nothing done)
C:\WINDOWS\system32\ctfmonb.bmp

Win32.BHO.df: [SBI $BCBE3835] Autorun settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs=...C:\WINDOWS\system32\__c00?????.dat...

Zlob.Downloader.vcd: [SBI $D8DF6192] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VideoPlugin

Zlob.Downloader.vcd: [SBI $3A7819FB] Uninstall settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebVideo

Virtumonde.dll: [SBI $7D88F9AF] Library (File, nothing done)
C:\WINDOWS\system32\nnnoOfcd.dll

Virtumonde.dll: [SBI $171716F8] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NNNOOFCD

Virtumonde.dll: [SBI $778378E6] Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4AE9134-FBB6-484A-89BB-B39C9ED47449}

Virtumonde.dll: [SBI $778378E6] Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B4AE9134-FBB6-484A-89BB-B39C9ED47449}

Virtumonde.dll: [SBI $7442D4BC] Library (File, nothing done)
C:\WINDOWS\system32\rqRJYrPG.dll

Virtumonde.dll: [SBI $960C7A04] Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2D9548E9-F9AC-4D7C-A683-B0C99FE40ED4}

Virtumonde.dll: [SBI $960C7A04] Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2D9548E9-F9AC-4D7C-A683-B0C99FE40ED4}

Zlob.Downloader.bs: [SBI $0D9D15D5] Library (File, nothing done)
C:\WINDOWS\wetkadmr.dll

Zlob.Downloader.bs: [SBI $AC0911AB] Library (File, nothing done)
C:\WINDOWS\mkrndofl.dll


--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-05-25 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-04-16 Includes\Adware.sbi (*)
2008-05-21 Includes\AdwareC.sbi (*)
2008-05-21 Includes\Cookies.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2008-05-21 Includes\DialerC.sbi (*)
2008-05-21 Includes\HeavyDuty.sbi (*)
2008-04-30 Includes\Hijackers.sbi (*)
2008-05-21 Includes\HijackersC.sbi (*)
2008-04-30 Includes\Keyloggers.sbi (*)
2008-05-21 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-05-21 Includes\Malware.sbi (*)
2008-05-21 Includes\MalwareC.sbi (*)
2008-03-26 Includes\PUPS.sbi (*)
2008-05-21 Includes\PUPSC.sbi (*)
2008-05-21 Includes\Revision.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-05-21 Includes\SecurityC.sbi (*)
2008-04-16 Includes\Spybots.sbi (*)
2008-05-21 Includes\SpybotsC.sbi (*)
2008-04-16 Includes\Spyware.sbi (*)
2008-05-21 Includes\SpywareC.sbi (*)
2007-11-06 Includes\Tracks.uti
2008-05-21 Includes\Trojans.sbi (*)
2008-05-21 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

#2 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 28 May 2008 - 06:25 AM

Hello Shepsta and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

3. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
If I have helped you in any way, please consider a donation to help me continue the fight against malware.

#3 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 25 June 2008 - 06:54 AM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



