Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijackthis Log: Please Help Diagnose


  • This topic is locked This topic is locked
12 replies to this topic

#1 azzzy

azzzy

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:18 AM

Posted 19 June 2008 - 03:12 AM

here is the hijack this log file ..pls help


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:19:41 PM, on 6/19/2008
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\6XW8gQ5M.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AdVantage\AdVantage.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Documents and Settings\Administrator\My Documents\shorcuts\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = literotica
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll (file missing)
O2 - BHO: (no name) - {D53763BE-67A0-4403-9C8E-FB76BD2DFBB7} - C:\WINDOWS\system32\adsmsex.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKCU\..\Run: [AdVantage] "C:\Program Files\AdVantage\AdVantage.exe"
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Administrator\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Administrator\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{21E474DB-80CC-4D16-A23E-C758B336110B}: NameServer = 192.168.111.200 4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{8AF4E612-F4BE-46DF-A023-745F9F29800F}: NameServer = 172.172.172.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{21E474DB-80CC-4D16-A23E-C758B336110B}: NameServer = 192.168.111.200 4.2.2.2
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 6425 bytes

Attached Files



BC AdBot (Login to Remove)

 


m

#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:48 PM

Posted 19 June 2008 - 09:09 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new hijackthis log

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 azzzy

azzzy
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:18 AM

Posted 19 June 2008 - 01:11 PM

thanks fr the help dude ... the pc already seems better

here is the sdfix log



SDFix: Version 1.194
Run by Administrator on Thu 06/19/2008 at 11:17 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat - Contains Links to Malware Sites! - Deleted
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat - Contains Links to Malware Sites! - Deleted
C:\autorun.inf - Deleted
C:\WINDOWS\dat.txt - Deleted
C:\WINDOWS\rs.txt - Deleted
C:\WINDOWS\search_res.txt - Deleted
C:\WINDOWS\system32\ntos.exe - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll.cla - Deleted
C:\WINDOWS\system32\wsnpoem\video.dll - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-19 23:24:30
Windows 5.1.2600 Service Pack 2, v.2096 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:Remote Assistance"
"C:\\Program Files\\DAP\\DAP.exe"="C:\\Program Files\\DAP\\DAP.exe:*:Enabled:Download Accelerator Plus (DAP)"
"C:\\Program Files\\Harley-Davidsonr - Race Around The World\\Harley3.exe"="C:\\Program Files\\Harley-Davidsonr - Race Around The World\\Harley3.exe:*:Enabled:Harley3"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcesmgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcesmgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:Remote Assistance"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcesmgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcesmgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 15 Jun 2008 115,058 ..SHR --- "C:\WINDOWS\system32\amvo.exe"
Thu 19 Jun 2008 74,752 ..SHR --- "C:\WINDOWS\system32\amvo0.dll"
Sun 15 Jun 2008 74,752 ..SHR --- "C:\WINDOWS\system32\amvo1.dll"

Finished!












AND THIS IS THE NEW HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:32:25 PM, on 6/19/2008
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\6XW8gQ5M.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\My Documents\shorcuts\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = literotica
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2A72AF08-F4C3-42B0-851A-4260C066BA06} - C:\WINDOWS\system32\adsmsex.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll (file missing)
O2 - BHO: (no name) - {D53763BE-67A0-4403-9C8E-FB76BD2DFBB7} - C:\WINDOWS\system32\adsmsex.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Administrator\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Administrator\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{21E474DB-80CC-4D16-A23E-C758B336110B}: NameServer = 192.168.111.200 4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{8AF4E612-F4BE-46DF-A023-745F9F29800F}: NameServer = 172.172.172.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 5862 bytes


tell me if there is anything else to do ... thanks in advance :thumbsup:

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:48 PM

Posted 19 June 2008 - 08:43 PM

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\amvo.exe
    C:\WINDOWS\system32\amvo0.dll
    C:\WINDOWS\system32\amvo1.dll
    C:\WINDOWS\system32\adsmsex.dll
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


==================


Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.
You must be logged onto an account with administrator privileges when using.
  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not
    malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.
-- When running DSS, some firewalls may warn that it is trying to access the Internet especially if your asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.

Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 azzzy

azzzy
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:18 AM

Posted 20 June 2008 - 01:15 AM

hi ... here is the OTmoveit log

C:\WINDOWS\system32\amvo.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\amvo0.dll
C:\WINDOWS\system32\amvo0.dll NOT unregistered.
C:\WINDOWS\system32\amvo0.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\amvo1.dll
C:\WINDOWS\system32\amvo1.dll NOT unregistered.
C:\WINDOWS\system32\amvo1.dll moved successfully.
C:\WINDOWS\system32\adsmsex.dll unregistered successfully.
C:\WINDOWS\system32\adsmsex.dll moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06202008_111705





THIS IS THE MAIN.TXT

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-06-20 11:22:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
27: 2008-06-20 05:53:04 UTC - RP48 - Deckard's System Scanner Restore Point
26: 2008-06-14 16:32:19 UTC - RP47 - Installed Adobe Photoshop CS2
25: 2008-06-11 03:12:43 UTC - RP46 - Installed Imperial Wars
24: 2008-06-02 10:13:57 UTC - RP45 - Hitman: Contracts
23: 2008-06-02 10:13:42 UTC - RP44 - Hitman: Contracts


-- First Restore Point --
1: 2008-03-09 14:32:23 UTC - RP22 - Installed Microsoft ActiveSync 4.0


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 255 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:23:57 AM, on 6/20/2008
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\6XW8gQ5M.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\DAP\DAP.EXE
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\DOCUME~1\ADMINI~1\MYDOCU~1\shorcuts\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = literotica
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2A72AF08-F4C3-42B0-851A-4260C066BA06} - C:\WINDOWS\system32\adsmsex.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll (file missing)
O2 - BHO: (no name) - {D53763BE-67A0-4403-9C8E-FB76BD2DFBB7} - C:\WINDOWS\system32\adsmsex.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Administrator\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Administrator\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{21E474DB-80CC-4D16-A23E-C758B336110B}: NameServer = 192.168.111.200 4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{8AF4E612-F4BE-46DF-A023-745F9F29800F}: NameServer = 172.172.172.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 5910 bytes

-- HijackThis Fixed Entries (C:\DOCUME~1\ADMINI~1\MYDOCU~1\shorcuts\backups\) --

backup-20071223-204200-203 O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
backup-20071223-204201-188 O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
backup-20071223-204201-217 O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
backup-20071223-204201-345 O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
backup-20071223-204201-397 O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
backup-20071223-204201-583 O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
backup-20071223-204201-751 O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
backup-20071223-213816-517 O4 - Startup: PowerReg Scheduler.exe

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 SMBios (Intel ® System Management BIOS Service) - c:\windows\system32\drivers\smbios.sys <Not Verified; Intel Corporation; Intel ® System Management BIOS Driver>

S3 catchme - c:\docume~1\admini~1\locals~1\temp\catchme.sys (file missing)
S3 SYMIDSCO - c:\windows\system32\drivers\symidsco.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-20 11:00:10 350 --a------ C:\WINDOWS\Tasks\At12.job
2008-06-20 11:00:05 350 --a------ C:\WINDOWS\Tasks\At36.job
2008-06-20 11:00:02 350 --a------ C:\WINDOWS\Tasks\At60.job
2008-06-20 00:17:05 350 --a------ C:\WINDOWS\Tasks\At25.job
2008-06-20 00:00:10 350 --a------ C:\WINDOWS\Tasks\At1.job
2008-06-19 23:00:10 350 --a------ C:\WINDOWS\Tasks\At24.job
2008-06-19 23:00:06 350 --a------ C:\WINDOWS\Tasks\At48.job
2008-06-19 23:00:03 350 --a------ C:\WINDOWS\Tasks\At72.job
2008-06-19 17:00:10 350 --a------ C:\WINDOWS\Tasks\At18.job
2008-06-19 17:00:05 350 --a------ C:\WINDOWS\Tasks\At42.job
2008-06-19 17:00:03 350 --a------ C:\WINDOWS\Tasks\At66.job
2008-06-19 15:00:12 350 --a------ C:\WINDOWS\Tasks\At64.job
2008-06-19 15:00:12 350 --a------ C:\WINDOWS\Tasks\At16.job
2008-06-19 15:00:07 350 --a------ C:\WINDOWS\Tasks\At40.job
2008-06-19 14:00:10 350 --a------ C:\WINDOWS\Tasks\At15.job
2008-06-19 14:00:05 350 --a------ C:\WINDOWS\Tasks\At39.job
2008-06-19 14:00:02 350 --a------ C:\WINDOWS\Tasks\At63.job
2008-06-19 13:00:11 350 --a------ C:\WINDOWS\Tasks\At14.job
2008-06-19 13:00:05 350 --a------ C:\WINDOWS\Tasks\At38.job
2008-06-19 13:00:03 350 --a------ C:\WINDOWS\Tasks\At62.job
2008-06-19 12:00:17 350 --a------ C:\WINDOWS\Tasks\At13.job
2008-06-19 12:00:07 350 --a------ C:\WINDOWS\Tasks\At37.job
2008-06-19 12:00:05 350 --a------ C:\WINDOWS\Tasks\At61.job
2008-06-19 02:00:10 350 --a------ C:\WINDOWS\Tasks\At3.job
2008-06-19 02:00:05 350 --a------ C:\WINDOWS\Tasks\At51.job
2008-06-19 02:00:05 350 --a------ C:\WINDOWS\Tasks\At27.job
2008-06-19 01:00:10 350 --a------ C:\WINDOWS\Tasks\At2.job
2008-06-19 01:00:08 350 --a------ C:\WINDOWS\Tasks\At26.job
2008-06-19 01:00:02 350 --a------ C:\WINDOWS\Tasks\At50.job
2008-06-19 00:53:04 350 --a------ C:\WINDOWS\Tasks\At49.job
2008-06-17 23:21:16 350 --a------ C:\WINDOWS\Tasks\At43.job
2008-06-17 18:00:11 350 --a------ C:\WINDOWS\Tasks\At19.job
2008-06-17 18:00:03 350 --a------ C:\WINDOWS\Tasks\At67.job
2008-06-17 17:50:43 350 --a------ C:\WINDOWS\Tasks\At41.job
2008-06-17 16:00:12 350 --a------ C:\WINDOWS\Tasks\At17.job
2008-06-17 16:00:03 350 --a------ C:\WINDOWS\Tasks\At65.job
2008-06-16 01:11:13 350 --a------ C:\WINDOWS\Tasks\At44.job
2008-06-15 20:00:11 350 --a------ C:\WINDOWS\Tasks\At21.job
2008-06-15 20:00:06 350 --a------ C:\WINDOWS\Tasks\At45.job
2008-06-15 20:00:03 350 --a------ C:\WINDOWS\Tasks\At69.job
2008-06-15 19:00:11 350 --a------ C:\WINDOWS\Tasks\At20.job
2008-06-15 19:00:03 350 --a------ C:\WINDOWS\Tasks\At68.job
2008-06-15 10:02:42 350 --a------ C:\WINDOWS\Tasks\At22.job
2008-06-14 22:00:10 350 --a------ C:\WINDOWS\Tasks\At23.job
2008-06-14 22:00:05 350 --a------ C:\WINDOWS\Tasks\At47.job
2008-06-14 22:00:02 350 --a------ C:\WINDOWS\Tasks\At71.job
2008-06-14 21:00:06 350 --a------ C:\WINDOWS\Tasks\At46.job
2008-06-14 21:00:03 350 --a------ C:\WINDOWS\Tasks\At70.job
2008-06-13 09:10:29 350 --a------ C:\WINDOWS\Tasks\At10.job
2008-06-13 09:00:05 350 --a------ C:\WINDOWS\Tasks\At34.job
2008-06-13 09:00:02 350 --a------ C:\WINDOWS\Tasks\At58.job
2008-06-12 10:10:45 350 --a------ C:\WINDOWS\Tasks\At11.job
2008-06-12 10:00:05 350 --a------ C:\WINDOWS\Tasks\At35.job
2008-06-12 10:00:02 350 --a------ C:\WINDOWS\Tasks\At59.job
2008-06-12 03:00:11 350 --a------ C:\WINDOWS\Tasks\At4.job
2008-06-12 03:00:06 350 --a------ C:\WINDOWS\Tasks\At28.job
2008-06-12 03:00:03 350 --a------ C:\WINDOWS\Tasks\At52.job
2008-06-07 10:22:09 350 --a------ C:\WINDOWS\Tasks\At33.job
2008-06-07 08:00:16 350 --a------ C:\WINDOWS\Tasks\At9.job
2008-06-07 08:00:15 350 --a------ C:\WINDOWS\Tasks\At57.job
2008-06-01 09:04:58 350 --a------ C:\WINDOWS\Tasks\At32.job
2008-06-01 07:00:05 350 --a------ C:\WINDOWS\Tasks\At8.job
2008-06-01 07:00:02 350 --a------ C:\WINDOWS\Tasks\At56.job
2008-05-30 08:20:19 350 --a------ C:\WINDOWS\Tasks\At31.job
2008-05-30 06:00:05 350 --a------ C:\WINDOWS\Tasks\At7.job
2008-05-30 06:00:02 350 --a------ C:\WINDOWS\Tasks\At55.job
2008-05-24 20:20:20 350 --a------ C:\WINDOWS\Tasks\At54.job
2008-05-24 20:20:20 350 --a------ C:\WINDOWS\Tasks\At53.job
2008-05-15 05:00:05 350 --a------ C:\WINDOWS\Tasks\At30.job
2008-05-15 05:00:01 350 --a------ C:\WINDOWS\Tasks\At6.job
2008-05-15 04:00:05 350 --a------ C:\WINDOWS\Tasks\At29.job
2008-05-15 04:00:01 350 --a------ C:\WINDOWS\Tasks\At5.job


-- Files created between 2008-05-20 and 2008-06-20 -----------------------------

2008-06-19 23:11:55 0 d-------- C:\WINDOWS\ERUNT
2008-06-18 00:47:22 0 d-------- C:\Program Files\AdVantage
2008-06-18 00:32:35 0 d-------- C:\Program Files\Jhoos
2008-06-14 22:03:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-06-14 22:03:12 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-06-14 22:02:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-06-14 16:52:14 106925 -r-hs---- C:\qa8sywva.cmd
2008-06-14 12:10:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\PowerChallenge
2008-06-11 08:42:43 0 d-------- C:\Program Files\Intelligent Life Games
2008-06-10 20:11:56 19456 --a------ C:\WINDOWS\system32\s17BY5cW.dll
2008-06-02 15:38:01 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-06-02 15:31:38 0 d-------- C:\Program Files\Eidos
2008-06-01 10:14:10 0 d-------- C:\WARCRAFT
2008-05-30 18:22:26 0 d-------- C:\Program Files\AroundTheWorldIn80Days_at
2008-05-27 12:32:19 0 d-------- C:\CRIME
2008-05-25 09:15:04 35842 --a------ C:\WINDOWS\system32\6XW8gQ5M.exe
2008-05-24 20:20:19 29248 --a------ C:\WINDOWS\system32\d6IbH14C.exe
2008-05-20 17:57:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\vlc
2008-05-20 17:57:20 0 d-------- C:\Program Files\VideoLAN


-- Find3M Report ---------------------------------------------------------------

2008-06-18 14:02:00 0 d-------- C:\Program Files\Yahoo!
2008-06-14 22:13:44 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-06-14 22:04:30 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-14 22:03:12 0 d-------- C:\Program Files\Common Files
2008-06-12 20:58:47 0 d-------- C:\Program Files\Absolute Poker
2008-06-12 14:29:15 409600 --a------ C:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2008-06-12 14:29:15 114688 --a------ C:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions © Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL™ Library>
2008-06-11 08:42:43 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-02 15:19:57 0 d-------- C:\Program Files\MDickie
2008-05-23 22:54:23 0 d-------- C:\Documents and Settings\Administrator\Application Data\Google
2008-05-23 22:52:29 0 d-------- C:\Program Files\Google
2008-05-18 23:48:51 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-05-18 23:48:50 0 d-------- C:\Program Files\OFFICE11
2008-05-18 23:48:36 0 d-------- C:\Program Files\Common Files\L&H
2008-05-18 23:48:28 0 d-------- C:\Program Files\Templates
2008-05-18 23:48:24 0 d-------- C:\Program Files\Microsoft.NET
2008-05-18 23:47:35 0 d-------- C:\Program Files\CLIPART
2008-05-18 23:47:15 0 d-------- C:\Program Files\Microsoft Works
2008-05-18 23:47:08 0 d-------- C:\Program Files\MEDIA
2008-05-18 23:46:59 0 d-------- C:\Program Files\Stationery
2008-05-18 23:46:40 0 d-------- C:\Program Files\XLView
2008-05-16 11:10:54 30210 --a------ C:\WINDOWS\system32\w17FD5gB.exe
2008-05-16 10:37:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-04-07 16:52:39 50688 --a------ C:\WINDOWS\system32\wbhelp2.dll <Not Verified; Stardock.Net, Inc; WindowBlinds for Win32 x86 machines>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A72AF08-F4C3-42B0-851A-4260C066BA06}]
C:\WINDOWS\system32\adsmsex.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D53763BE-67A0-4403-9C8E-FB76BD2DFBB7}]
C:\WINDOWS\system32\adsmsex.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [10/16/2002 12:35 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 02:55 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [03/12/2004 02:18 AM]
"amva"="C:\WINDOWS\system32\amvo.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"=C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{650CA63D-4A01-4BF8-A608-9B1EBB36292E}"= C:\WINDOWS\system32\s17BY5cW.dll [06/10/2008 08:11 PM 19456]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdVantage]
"C:\Program Files\AdVantage\AdVantage.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amva]
C:\WINDOWS\system32\amvo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
"C:\Program Files\DAP\DAP.EXE" /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files\Google\Google Talk\googletalk.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
AutoRun\command- C:\6x8be16.cmd
explore\Command- C:\6x8be16.cmd
open\Command- C:\6x8be16.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\6x8be16.cmd
explore\Command- D:\6x8be16.cmd
open\Command- D:\6x8be16.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\6x8be16.cmd
explore\Command- E:\6x8be16.cmd
open\Command- E:\6x8be16.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3aed68a-a5bd-11dc-88b1-806d6172696f}]
AutoRun\command- 6x8be16.cmd
explore\Command- 6x8be16.cmd
open\Command- 6x8be16.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3aed68b-a5bd-11dc-88b1-806d6172696f}]
AutoRun\command- 6x8be16.cmd
explore\Command- 6x8be16.cmd
open\Command- 6x8be16.cmd




-- End of Deckard's System Scanner: finished at 2008-06-20 11:24:29 ------------







AND THE EXTRA.TXT

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.40GHz
Percentage of Memory in Use: 68%
Physical Memory (total/avail): 254.8 MiB / 81.04 MiB
Pagefile Memory (total/avail): 625.78 MiB / 262.28 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1938.11 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 19.53 GiB total, 5.7 GiB free.
D: is Fixed (NTFS) - 29.29 GiB total, 21.77 GiB free.
E: is Fixed (NTFS) - 25.72 GiB total, 23.35 GiB free.
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - SAMSUNG SP0822N - 74.56 GiB - 3 partitions
\PARTITION0 (bootable) - Installable File System - 19.53 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 55.02 GiB - D: - E:



-- Security Center -------------------------------------------------------------



-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=B-4031AFF714024
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\B-4031AFF714024
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Adobe\AGL
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0303
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=B-4031AFF714024
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Absolute Poker --> C:\Program Files\_uninstallation_info\Absolute Poker\CasinoUninstall.exe
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player 9 ActiveX --> MsiExec.exe /X{8E9DB7EF-5DD3-499E-BA2A-A1F3153A4DF8}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Bang! Howdy --> C:\Program Files\Three Rings Design\bang\uninstall.exe
Download Accelerator Plus (DAP) --> C:\PROGRA~1\DAP\DAPREMOVE.EXE
GameSpy Arcade --> C:\PROGRA~1\GAMESP~1\UNWISE.EXE C:\PROGRA~1\GAMESP~1\INSTALL.LOG
Google Earth --> MsiExec.exe /I{97C0EA4A-1A0B-4C53-ACEB-49984DA79C90}
Google Talk (remove only) --> "C:\Program Files\Google\Google Talk\uninstall.exe"
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
GTA SA --> "C:\Program Files\Gta San Andreas\unins000.exe"
Harley-Davidson® - Race Around The World --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Harley-Davidson® - Race Around The World\Uninst.isu"
HijackThis 2.0.2 --> "C:\Documents and Settings\Administrator\Desktop\HijackThis.exe" /uninstall
Hitman: Contracts --> C:\PROGRA~1\Eidos\HITMAN~1\uninstall.exe
Imperial Wars --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BF30E67D-C4B9-4717-95C4-87A7EEF75D3A}\Setup.exe" -l0x9
IMVU Avatar Chat Software --> C:\Program Files\IMVU\Uninstall.exe
Intel Application Accelerator --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9984DF60-1C5B-11D3-ACA1-908A4FC10801}\Setup.exe" -INTELUNINST
Intel® Extreme Graphics Driver Software --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
Intel® PRO Network Adapters and Drivers --> Prounstl.exe
Java 2 SDK Standard Edition v1.4.0 --> C:\WINDOWS\IsUninst.exe -fC:\jdk1.4\Uninst.isu
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Jhoos - Powered by AdVantage --> C:\PROGRA~1\Jhoos\UNWISE.EXE C:\PROGRA~1\Jhoos\INSTALL.LOG
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
Megaupload Toolbar --> C:\Program Files\MegauploadToolbar\uninstall.exe
Microsoft ActiveSync 4.0 --> MsiExec.exe /I{B208806F-A231-4FA0-AB3F-5C1B8979223E}
Microsoft Excel Viewer 97 --> C:\Program Files\XLView\setup\setup.exe
Microsoft Office PowerPoint Viewer 2003 --> MsiExec.exe /X{90AF0409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Word Viewer 2003 --> MsiExec.exe /I{90850409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Nero - Burning Rom --> MsiExec.exe /X{A4D7B764-4140-11D4-88EB-0050DA3579C0}
OpenAL --> "C:\Program Files\OpenAL\oalinst.exe" /U
Oxford Advanced Genie --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Oxford\GAS001OU\Uninst.isu"
RealOne Player --> C:\Program Files\Common Files\Real\Update_OB\rnuninst.exe RealNetworks|RealPlayer|6.0
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
VideoLAN VLC media player 0.8.6e --> C:\Program Files\VideoLAN\VLC\uninstall.exe
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type2161 / Success
Event Submitted/Written: 06/20/2008 10:36:46 AM
Event ID/Source: 1800 / SecurityCenter
Event Description:
The Windows Security Center Service has started.

Event Record #/Type2157 / Success
Event Submitted/Written: 06/19/2008 11:45:26 PM
Event ID/Source: 1800 / SecurityCenter
Event Description:
The Windows Security Center Service has started.

Event Record #/Type2153 / Success
Event Submitted/Written: 06/19/2008 11:23:32 PM
Event ID/Source: 1800 / SecurityCenter
Event Description:
The Windows Security Center Service has started.

Event Record #/Type2150 / Success
Event Submitted/Written: 06/19/2008 10:23:26 PM
Event ID/Source: 1800 / SecurityCenter
Event Description:
The Windows Security Center Service has started.

Event Record #/Type2147 / Success
Event Submitted/Written: 06/19/2008 04:39:20 PM
Event ID/Source: 1800 / SecurityCenter
Event Description:
The Windows Security Center Service has started.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type16873 / Error
Event Submitted/Written: 06/19/2008 11:12:39 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
AVG Anti-Spyware Driver
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
Tcpip

Event Record #/Type16872 / Error
Event Submitted/Written: 06/19/2008 11:12:39 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The World Wide Web Publishing service depends on the IIS Admin service which failed to start because of the following error:
%%1068

Event Record #/Type16871 / Error
Event Submitted/Written: 06/19/2008 11:12:39 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Simple Mail Transfer Protocol (SMTP) service depends on the IIS Admin service which failed to start because of the following error:
%%1068

Event Record #/Type16870 / Error
Event Submitted/Written: 06/19/2008 11:12:39 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31

Event Record #/Type16869 / Error
Event Submitted/Written: 06/19/2008 11:12:39 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error:
%%31



-- End of Deckard's System Scanner: finished at 2008-06-20 11:24:29 ------------



AND ANOTHER THING HAS COME UP. I CAN'T DOUBLE CLICK TO OPEN MY DRIVES . FIRST THERE COMES AN OPTION OF "CHOSE THE PROGRAM U WANT TO USE TO OPEN THIS FILE"
ND AFTER CANCELLING IT A WINDOW SAYS "WINDOWS CAN NOT ACCESS THE SPECIFIED DEVICE,PATH OR FILE.YOU MAY NOT HAVE THE APPROPRIATE PERMISSIONS TO ACCESS THIS ITEM"
THE DRIVES ARE ACCESIBLE THOUGH BY TYPING THE PATH OF DRIVE.

THANKS FOR UR TIME . :thumbsup:

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:48 PM

Posted 20 June 2008 - 09:43 AM

Run Hijackthis again, click scan, and Put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {2A72AF08-F4C3-42B0-851A-4260C066BA06} - C:\WINDOWS\system32\adsmsex.dll (file missing)
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll (file missing)
O2 - BHO: (no name) - {D53763BE-67A0-4403-9C8E-FB76BD2DFBB7} - C:\WINDOWS\system32\adsmsex.dll (file missing)
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe




Copy and paste this text into OTMoveIt just like you did before.

C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At60.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At72.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At66.job
C:\WINDOWS\Tasks\At64.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At63.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At62.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At61.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At51.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At50.job
C:\WINDOWS\Tasks\At49.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At67.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At65.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At69.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At68.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At71.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At70.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At58.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At59.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At52.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\Tasks\At57.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At56.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At55.job
C:\WINDOWS\Tasks\At54.job
C:\WINDOWS\Tasks\At53.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\system32\6XW8gQ5M.exe
C:\WINDOWS\system32\d6IbH14C.exe
C:\WINDOWS\system32\w17FD5gB.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{650CA63D-4A01-4BF8-A608-9B1EBB36292E}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3aed68a-a5bd-11dc-88b1-806d6172696f}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3aed68b-a5bd-11dc-88b1-806d6172696f}
E:\6x8be16.cmd
D:\6x8be16.cmd
C:\6x8be16.cmd


================



Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Please post the log from Kaspersky, the log from OtMoveIt, and a new log from DSS in your next reply.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 azzzy

azzzy
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:18 AM

Posted 21 June 2008 - 06:06 AM

here is the kasper sky log ... it was saved as a HTML document

KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, June 21, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2, v.2096 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, June 20, 2008 17:25:58
Records in database: 879810


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\
E:\
F:\

Scan statistics
Files scanned 65580
Threat name 10
Infected objects 17
Suspicious objects 0
Duration of the scan 03:24:26

File name Threat name Threats count
C:\autorun.inf Infected: Worm.Win32.AutoRun.edv 1

C:\Documents and Settings\Administrator\My Documents\My Completed Downloads\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1

C:\Program Files\AdVantage\AdVantage.exe Infected: not-a-virus:AdTool.Win32.WhenU.t 1

C:\Program Files\AdVantage\TR.dll Infected: not-a-virus:AdTool.Win32.WhenU.r 1

C:\qa8sywva.cmd Infected: Trojan-PSW.Win32.OnLineGames.akwp 1

C:\SDFix\backups\backups.zip Infected: Worm.Win32.AutoRun.edv 1

C:\SDFix\backups\catchme.zip Infected: Trojan-Spy.Win32.Zbot.akl 1

C:\_OTMoveIt\MovedFiles\06202008_111705\WINDOWS\system32\amvo.exe Infected: Worm.Win32.AutoRun.vaaa 1

C:\_OTMoveIt\MovedFiles\06202008_111705\WINDOWS\system32\amvo0.dll Infected: Worm.Win32.AutoRun.vaaa 1

C:\_OTMoveIt\MovedFiles\06202008_111705\WINDOWS\system32\amvo1.dll Infected: Worm.Win32.AutoRun.vaaa 1

C:\_OTMoveIt\MovedFiles\06202008_214218\WINDOWS\system32\6XW8gQ5M.exe Infected: Trojan-PSW.Win32.OnLineGames.arxy 1

C:\_OTMoveIt\MovedFiles\06202008_214218\WINDOWS\system32\d6IbH14C.exe Infected: Trojan-Downloader.Win32.Firu.dx 1

C:\_OTMoveIt\MovedFiles\06202008_214218\WINDOWS\system32\w17FD5gB.exe Infected: Trojan-Downloader.Win32.Agent.pah 1

D:\autorun.inf Infected: Worm.Win32.AutoRun.edv 1

D:\qa8sywva.cmd Infected: Trojan-PSW.Win32.OnLineGames.akwp 1

E:\autorun.inf Infected: Worm.Win32.AutoRun.edv 1

E:\qa8sywva.cmd Infected: Trojan-PSW.Win32.OnLineGames.akwp 1

The selected area was scanned.











HERE IS THE OTMOVEIT LOG


C:\WINDOWS\Tasks\At36.job moved successfully.
C:\WINDOWS\Tasks\At60.job moved successfully.
C:\WINDOWS\Tasks\At25.job moved successfully.
C:\WINDOWS\Tasks\At1.job moved successfully.
C:\WINDOWS\Tasks\At24.job moved successfully.
C:\WINDOWS\Tasks\At48.job moved successfully.
C:\WINDOWS\Tasks\At72.job moved successfully.
C:\WINDOWS\Tasks\At18.job moved successfully.
C:\WINDOWS\Tasks\At42.job moved successfully.
C:\WINDOWS\Tasks\At66.job moved successfully.
C:\WINDOWS\Tasks\At64.job moved successfully.
C:\WINDOWS\Tasks\At16.job moved successfully.
C:\WINDOWS\Tasks\At40.job moved successfully.
C:\WINDOWS\Tasks\At15.job moved successfully.
C:\WINDOWS\Tasks\At39.job moved successfully.
C:\WINDOWS\Tasks\At63.job moved successfully.
C:\WINDOWS\Tasks\At14.job moved successfully.
C:\WINDOWS\Tasks\At38.job moved successfully.
C:\WINDOWS\Tasks\At62.job moved successfully.
C:\WINDOWS\Tasks\At13.job moved successfully.
C:\WINDOWS\Tasks\At37.job moved successfully.
C:\WINDOWS\Tasks\At61.job moved successfully.
C:\WINDOWS\Tasks\At3.job moved successfully.
C:\WINDOWS\Tasks\At51.job moved successfully.
C:\WINDOWS\Tasks\At27.job moved successfully.
C:\WINDOWS\Tasks\At2.job moved successfully.
C:\WINDOWS\Tasks\At26.job moved successfully.
C:\WINDOWS\Tasks\At50.job moved successfully.
C:\WINDOWS\Tasks\At49.job moved successfully.
C:\WINDOWS\Tasks\At43.job moved successfully.
C:\WINDOWS\Tasks\At19.job moved successfully.
C:\WINDOWS\Tasks\At67.job moved successfully.
C:\WINDOWS\Tasks\At41.job moved successfully.
C:\WINDOWS\Tasks\At17.job moved successfully.
C:\WINDOWS\Tasks\At65.job moved successfully.
C:\WINDOWS\Tasks\At44.job moved successfully.
C:\WINDOWS\Tasks\At21.job moved successfully.
C:\WINDOWS\Tasks\At45.job moved successfully.
C:\WINDOWS\Tasks\At69.job moved successfully.
C:\WINDOWS\Tasks\At20.job moved successfully.
C:\WINDOWS\Tasks\At68.job moved successfully.
C:\WINDOWS\Tasks\At22.job moved successfully.
C:\WINDOWS\Tasks\At23.job moved successfully.
C:\WINDOWS\Tasks\At47.job moved successfully.
C:\WINDOWS\Tasks\At71.job moved successfully.
C:\WINDOWS\Tasks\At46.job moved successfully.
C:\WINDOWS\Tasks\At70.job moved successfully.
C:\WINDOWS\Tasks\At10.job moved successfully.
C:\WINDOWS\Tasks\At34.job moved successfully.
C:\WINDOWS\Tasks\At58.job moved successfully.
C:\WINDOWS\Tasks\At11.job moved successfully.
C:\WINDOWS\Tasks\At35.job moved successfully.
C:\WINDOWS\Tasks\At59.job moved successfully.
C:\WINDOWS\Tasks\At4.job moved successfully.
C:\WINDOWS\Tasks\At28.job moved successfully.
C:\WINDOWS\Tasks\At52.job moved successfully.
C:\WINDOWS\Tasks\At33.job moved successfully.
C:\WINDOWS\Tasks\At9.job moved successfully.
C:\WINDOWS\Tasks\At57.job moved successfully.
C:\WINDOWS\Tasks\At32.job moved successfully.
C:\WINDOWS\Tasks\At8.job moved successfully.
C:\WINDOWS\Tasks\At56.job moved successfully.
C:\WINDOWS\Tasks\At31.job moved successfully.
C:\WINDOWS\Tasks\At7.job moved successfully.
C:\WINDOWS\Tasks\At55.job moved successfully.
C:\WINDOWS\Tasks\At54.job moved successfully.
C:\WINDOWS\Tasks\At53.job moved successfully.
C:\WINDOWS\Tasks\At30.job moved successfully.
C:\WINDOWS\Tasks\At6.job moved successfully.
C:\WINDOWS\Tasks\At29.job moved successfully.
C:\WINDOWS\Tasks\At5.job moved successfully.
C:\WINDOWS\system32\6XW8gQ5M.exe moved successfully.
C:\WINDOWS\system32\d6IbH14C.exe moved successfully.
C:\WINDOWS\system32\w17FD5gB.exe moved successfully.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{650CA63D-4A01-4BF8-A608-9B1EBB36292E} >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{650CA63D-4A01-4BF8-A608-9B1EBB36292E} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{650CA63D-4A01-4BF8-A608-9B1EBB36292E}\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3aed68a-a5bd-11dc-88b1-806d6172696f} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3aed68a-a5bd-11dc-88b1-806d6172696f}\\ deleted successfully.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3aed68b-a5bd-11dc-88b1-806d6172696f} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d3aed68b-a5bd-11dc-88b1-806d6172696f}\\ deleted successfully.
File/Folder E:\6x8be16.cmd not found.
File/Folder D:\6x8be16.cmd not found.
File/Folder C:\6x8be16.cmd not found.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06202008_214218










AND HERE IS THE DSS LOG. I ONLY GOT MAIN.TXT THIS TIME

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-06-21 16:22:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 255 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:22:23 PM, on 6/21/2008
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\DOCUME~1\ADMINI~1\MYDOCU~1\shorcuts\ADMINI~1.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = literotica
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Administrator\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Administrator\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{8AF4E612-F4BE-46DF-A023-745F9F29800F}: NameServer = 172.172.172.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 5179 bytes

-- Files created between 2008-05-21 and 2008-06-21 -----------------------------

2008-06-19 23:11:55 0 d-------- C:\WINDOWS\ERUNT
2008-06-18 00:47:22 0 d-------- C:\Program Files\AdVantage
2008-06-18 00:32:35 0 d-------- C:\Program Files\Jhoos
2008-06-14 22:03:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-06-14 22:03:12 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-06-14 22:02:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-06-14 16:52:14 106925 -r-hs---- C:\qa8sywva.cmd
2008-06-14 12:10:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\PowerChallenge
2008-06-11 08:42:43 0 d-------- C:\Program Files\Intelligent Life Games
2008-06-10 20:11:56 19456 --a------ C:\WINDOWS\system32\s17BY5cW.dll
2008-06-02 15:38:01 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-06-02 15:31:38 0 d-------- C:\Program Files\Eidos
2008-06-01 10:14:10 0 d-------- C:\WARCRAFT
2008-05-30 18:22:26 0 d-------- C:\Program Files\AroundTheWorldIn80Days_at
2008-05-27 12:32:19 0 d-------- C:\CRIME


-- Find3M Report ---------------------------------------------------------------

2008-06-18 14:02:00 0 d-------- C:\Program Files\Yahoo!
2008-06-14 22:13:44 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-06-14 22:04:30 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-14 22:03:12 0 d-------- C:\Program Files\Common Files
2008-06-12 20:58:47 0 d-------- C:\Program Files\Absolute Poker
2008-06-12 14:29:15 409600 --a------ C:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2008-06-12 14:29:15 114688 --a------ C:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions © Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL™ Library>
2008-06-11 08:42:43 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-02 15:19:57 0 d-------- C:\Program Files\MDickie
2008-05-23 22:54:23 0 d-------- C:\Documents and Settings\Administrator\Application Data\Google
2008-05-23 22:52:29 0 d-------- C:\Program Files\Google
2008-05-20 17:57:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\vlc
2008-05-20 17:57:20 0 d-------- C:\Program Files\VideoLAN
2008-05-18 23:48:51 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-05-18 23:48:50 0 d-------- C:\Program Files\OFFICE11
2008-05-18 23:48:36 0 d-------- C:\Program Files\Common Files\L&H
2008-05-18 23:48:28 0 d-------- C:\Program Files\Templates
2008-05-18 23:48:24 0 d-------- C:\Program Files\Microsoft.NET
2008-05-18 23:47:35 0 d-------- C:\Program Files\CLIPART
2008-05-18 23:47:15 0 d-------- C:\Program Files\Microsoft Works
2008-05-18 23:47:08 0 d-------- C:\Program Files\MEDIA
2008-05-18 23:46:59 0 d-------- C:\Program Files\Stationery
2008-05-18 23:46:40 0 d-------- C:\Program Files\XLView
2008-05-16 10:37:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-04-07 16:52:39 50688 --a------ C:\WINDOWS\system32\wbhelp2.dll <Not Verified; Stardock.Net, Inc; WindowBlinds for Win32 x86 machines>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [10/16/2002 12:35 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 02:55 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [03/12/2004 02:18 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"=C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdVantage]
"C:\Program Files\AdVantage\AdVantage.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amva]
C:\WINDOWS\system32\amvo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
"C:\Program Files\DAP\DAP.EXE" /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files\Google\Google Talk\googletalk.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet




-- End of Deckard's System Scanner: finished at 2008-06-21 16:22:39 ------------




THANKS A LOT :thumbsup:

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:48 PM

Posted 21 June 2008 - 08:01 AM

Delete these files with OTMoveIt just as you did before.

D:\autorun.inf 
D:\qa8sywva.cmd 
E:\autorun.inf 
E:\qa8sywva.cmd
C:\qa8sywva.cmd 
C:\Program Files\AdVantage


There's a few other files I'd like to have you scan.
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:



    C:\WINDOWS\system32\s17BY5cW.dll


  • Click on the submit button
  • Please post the results in your next reply.

Also submit this file.

C:\WINDOWS\system32\CmdLineExt03.dll
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 azzzy

azzzy
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:18 AM

Posted 22 June 2008 - 03:00 AM

here are the results for C:\WINDOWS\system32\s17BY5cW.dll


Scanner results
Scan taken on 22 Jun 2008 07:53:09 (GMT)
A-Squared Found nothing
AntiVir Found HEUR/Malware
ArcaVir Found nothing
Avast Found Win32:Trojan-gen {Other}
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found Virus.Win32.Trojan
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing




AND HERE ARE THE RESULTS FOR C:\WINDOWS\system32\CmdLineExt03.dll (NOTHING WAS FOUND)



Scanner results
Scan taken on 22 Jun 2008 07:56:04 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing



THANK YOU VERY MUCH :thumbsup:

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:48 PM

Posted 22 June 2008 - 07:12 AM

Ok, good.
Delete this file with OtMoveIt just like the others.

C:\WINDOWS\system32\s17BY5cW.dll


Please post a new log from DSS.
How is your computer behaving now?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 azzzy

azzzy
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:18 AM

Posted 23 June 2008 - 04:14 AM

here is the dss log

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-06-23 14:38:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 255 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:38:05 PM, on 6/23/2008
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\DOCUME~1\ADMINI~1\MYDOCU~1\shorcuts\ADMINI~1.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = literotica
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Administrator\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Administrator\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{21E474DB-80CC-4D16-A23E-C758B336110B}: NameServer = 203.124.20.100 4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{8AF4E612-F4BE-46DF-A023-745F9F29800F}: NameServer = 172.172.172.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 5293 bytes

-- Files created between 2008-05-23 and 2008-06-23 -----------------------------

2008-06-19 23:11:55 0 d-------- C:\WINDOWS\ERUNT
2008-06-18 00:32:35 0 d-------- C:\Program Files\Jhoos
2008-06-14 22:03:17 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-06-14 22:03:12 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-06-14 22:02:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-06-14 12:10:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\PowerChallenge
2008-06-11 08:42:43 0 d-------- C:\Program Files\Intelligent Life Games
2008-06-02 15:38:01 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-06-02 15:31:38 0 d-------- C:\Program Files\Eidos
2008-06-01 10:14:10 0 d-------- C:\WARCRAFT
2008-05-30 18:22:26 0 d-------- C:\Program Files\AroundTheWorldIn80Days_at
2008-05-27 12:32:19 0 d-------- C:\CRIME


-- Find3M Report ---------------------------------------------------------------

2008-06-18 14:02:00 0 d-------- C:\Program Files\Yahoo!
2008-06-14 22:13:44 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-06-14 22:04:30 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-14 22:03:12 0 d-------- C:\Program Files\Common Files
2008-06-12 20:58:47 0 d-------- C:\Program Files\Absolute Poker
2008-06-12 14:29:15 409600 --a------ C:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2008-06-12 14:29:15 114688 --a------ C:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions © Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL™ Library>
2008-06-11 08:42:43 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-02 15:19:57 0 d-------- C:\Program Files\MDickie
2008-05-23 22:54:23 0 d-------- C:\Documents and Settings\Administrator\Application Data\Google
2008-05-23 22:52:29 0 d-------- C:\Program Files\Google
2008-05-20 17:57:38 0 d-------- C:\Documents and Settings\Administrator\Application Data\vlc
2008-05-20 17:57:20 0 d-------- C:\Program Files\VideoLAN
2008-05-18 23:48:51 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-05-18 23:48:50 0 d-------- C:\Program Files\OFFICE11
2008-05-18 23:48:36 0 d-------- C:\Program Files\Common Files\L&H
2008-05-18 23:48:28 0 d-------- C:\Program Files\Templates
2008-05-18 23:48:24 0 d-------- C:\Program Files\Microsoft.NET
2008-05-18 23:47:35 0 d-------- C:\Program Files\CLIPART
2008-05-18 23:47:15 0 d-------- C:\Program Files\Microsoft Works
2008-05-18 23:47:08 0 d-------- C:\Program Files\MEDIA
2008-05-18 23:46:59 0 d-------- C:\Program Files\Stationery
2008-05-18 23:46:40 0 d-------- C:\Program Files\XLView
2008-05-16 10:37:36 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-04-07 16:52:39 50688 --a------ C:\WINDOWS\system32\wbhelp2.dll <Not Verified; Stardock.Net, Inc; WindowBlinds for Win32 x86 machines>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [10/16/2002 12:35 PM]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06/11/2007 02:55 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [03/12/2004 02:18 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"=C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdVantage]
"C:\Program Files\AdVantage\AdVantage.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amva]
C:\WINDOWS\system32\amvo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
"C:\Program Files\DAP\DAP.EXE" /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files\Google\Google Talk\googletalk.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet




-- End of Deckard's System Scanner: finished at 2008-06-23 14:38:23 ------------





WELL DOUBLE CLICK IS NOT OPENING MY C: DRIVE

AND THE PC STARTED TO GET RESTARTED THEN AND NOW

OTHER THINGS ARE MORE OR LESS GREAT ... THANKS TO YOU GUYS :thumbsup:

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:48 PM

Posted 23 June 2008 - 07:59 AM

One last thing that I just noticed.


Open Notepad, and copy everything in the code box below and paste it into a new notepad file. Change the "Save As Type" to "All Files". Save it as fixme.reg on your Desktop. Make sure there is NO blank line above "REGEDIT4"!

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amva]
Locate fixme.reg on your Desktop and double-click on it. When it asks if you want to merge with the registry, click YES.



Now let's clean up.
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it.
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Renable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:thumbsup: :)
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:48 PM

Posted 03 July 2008 - 05:41 PM

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users