
Malware......rundll32.exe, Virtumonde Etc.


This topic is locked
4 replies to this topic

#1 MagicofDesperado

Posted 24 June 2008 - 09:40 PM

My Firefox 3.0 (installed, worked fine, then was overtaken again....) can't open a number of my fav sites, won't let Google search, etc., runs multiple rundll32.exe processes, etc. Thought I had it down and out after I had run Spybot a couple of times and installed Firefox 3.0, but alas it took control of FF 3.0 as well.....
TeaTimer just goes crazy if I don't allow some of the requested changes this bug tries to employ...

Here's my Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:18:32 PM, on 6/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
C:\Program Files\Wireless Device\Wireless Keyboard\osd.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.football365.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5323B887-F3A5-4B8D-8FA4-8C26050E6967} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {55EFE793-0E1B-4BAB-AD4D-5E484FADF331} - C:\WINDOWS\system32\ddcBQhEX.dll (file missing)
O2 - BHO: (no name) - {65703951-CAAE-4B95-83E4-C65FAE6C649F} - (no file)
O2 - BHO: (no name) - {6E382832-BAF3-4821-9D9F-07E53A460F43} - C:\WINDOWS\system32\xxyvvWQh.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A68515B8-9C42-4AEA-91D9-E29380DDC239} - C:\WINDOWS\system32\opnnnlkI.dll (file missing)
O2 - BHO: (no name) - {BE7E4CE1-8CBA-44A6-956F-462A667D3286} - C:\WINDOWS\system32\ljJYSihI.dll
O2 - BHO: (no name) - {BF2E9722-319A-4111-B4A4-224E24AF2505} - C:\WINDOWS\system32\qoMfeffG.dll (file missing)
O2 - BHO: (no name) - {CC405164-EC4C-45B0-B471-D7E7C4554349} - (no file)
O2 - BHO: (no name) - {D007223A-8924-4E61-8529-CDB90F065FBF} - C:\WINDOWS\system32\yayaYsst.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BM63b96d1a] Rundll32.exe "C:\WINDOWS\system32\pklfldsm.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Enable Wireless Keyboard Driver.lnk = C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://remote.truenorth.mb.ca/Remote/msrdp.cab
O20 - AppInit_DLLs: eqpgwgpb.dll rnsdgsdb.dll
O20 - Winlogon Notify: ljJYSihI - C:\WINDOWS\SYSTEM32\ljJYSihI.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 7021 bytes


#2 MagicofDesperado

Posted 25 June 2008 - 06:14 PM

No thoughts??

#3 MagicofDesperado

Posted 25 June 2008 - 10:07 PM

I ran Anti-Malware and here's its log, along with the new HijackThis log. If anyone could take a look, much appreciated :)

Malwarebytes' Anti-Malware 1.18
Database version: 893

9:35:20 PM 6/25/2008
mbam-log-6-25-2008 (21-35-20).txt

Scan type: Quick Scan
Objects scanned: 37660
Time elapsed: 7 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 11
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 26

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\yayaYsst.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\ljJYSihI.dll (Trojan.FakeAlert) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e737b5a1-cba2-448e-9e13-024b6b097c0b} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{e737b5a1-cba2-448e-9e13-024b6b097c0b} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{be7e4ce1-8cba-44a6-956f-462a667d3286} (Trojan.FakeAlert) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{be7e4ce1-8cba-44a6-956f-462a667d3286} (Trojan.FakeAlert) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ljjysihi (Trojan.FakeAlert) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{d7902562-aef6-4181-8f63-7be82bd05264} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\608a5e86 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{be7e4ce1-8cba-44a6-956f-462a667d3286} (Trojan.FakeAlert) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM63b96d1a (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\yayaysst -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\yayaysst -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\dfvscxub.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\buxcsvfd.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gkkjdatp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ptadjkkg.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\igklhucg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gcuhlkgi.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mdodbaiq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qiabdodm.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yayaYsst.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\tssYayay.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tssYayay.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yllyjohi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ihojylly.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ljJYSihI.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\cnkujcjb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\eiaevpej.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fojdtnlw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kcxardfe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mghlrahk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qurpvgio.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sxdvwlld.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\whpxfjum.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvUoLdcA.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xsmtnxeb.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:59:02 PM, on 6/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Wireless Device\Wireless Keyboard\osd.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.football365.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5323B887-F3A5-4B8D-8FA4-8C26050E6967} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {55EFE793-0E1B-4BAB-AD4D-5E484FADF331} - C:\WINDOWS\system32\ddcBQhEX.dll (file missing)
O2 - BHO: {8a0f647d-4cf1-e7b8-22a4-38fce5f57116} - {61175f5e-cf83-4a22-8b7e-1fc4d746f0a8} - C:\WINDOWS\system32\kyjkxqxf.dll
O2 - BHO: (no name) - {65703951-CAAE-4B95-83E4-C65FAE6C649F} - (no file)
O2 - BHO: (no name) - {6E382832-BAF3-4821-9D9F-07E53A460F43} - C:\WINDOWS\system32\xxyvvWQh.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A68515B8-9C42-4AEA-91D9-E29380DDC239} - C:\WINDOWS\system32\opnnnlkI.dll (file missing)
O2 - BHO: (no name) - {BF2E9722-319A-4111-B4A4-224E24AF2505} - C:\WINDOWS\system32\qoMfeffG.dll (file missing)
O2 - BHO: (no name) - {CC405164-EC4C-45B0-B471-D7E7C4554349} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Enable Wireless Keyboard Driver.lnk = C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://remote.truenorth.mb.ca/Remote/msrdp.cab
O20 - AppInit_DLLs: eqpgwgpb.dll rnsdgsdb.dll
O20 - Winlogon Notify: ljJYSihI - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

--
End of file - 6879 bytes

#4 fenzodahl512

Posted 28 June 2008 - 11:05 AM

Hello, my name is fenzodahl512, and welcome to BC. Please do the following...


Please download Deckard's System Scanner (DSS) from HERE or HERE and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • Please let your firewall allow the scanning/downloading process.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 fenzodahl512

Posted 06 July 2008 - 04:43 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else, please begin a New Topic.
