
Virusbursters


1 reply to this topic

#1 Qamrey Alam


Posted 01 July 2008 - 09:51 AM

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-07-01 20:07:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-07-01 14:37:01 UTC - RP1 - نقطة اختبار النظام


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:09:51, on 01/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\heap41a\svchost.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\agsaamca.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Documents and Settings\Administrator\سطح المكتب\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O1 - Hosts: 127.4.7.4 mcafee.com
O1 - Hosts: 127.4.7.4 www.mcafee.com
O1 - Hosts: 127.4.7.4 mcafeesecurity.com
O1 - Hosts: 127.4.7.4 www.mcafeesecurity.com
O1 - Hosts: 127.4.7.4 mcafeeb2b.com
O1 - Hosts: 127.4.7.4 www.mcafeeb2b.com
O1 - Hosts: 127.4.7.4 nai.com
O1 - Hosts: 127.4.7.4 www.nai.com
O1 - Hosts: 127.4.7.4 vil.nai.com
O1 - Hosts: 127.4.7.4 grisoft.com
O1 - Hosts: 127.4.7.4 www.grisoft.com
O1 - Hosts: 127.4.7.4 download.mcafee.com
O1 - Hosts: 127.4.7.4 grisoft.cz
O1 - Hosts: 127.4.7.4 www.grisoft.cz
O1 - Hosts: 127.4.7.4 norton.com
O1 - Hosts: 127.4.7.4 www.norton.com
O1 - Hosts: 127.4.7.4 symantec.com
O1 - Hosts: 127.4.7.4 www.symantec.com
O1 - Hosts: 127.4.7.4 liveupdate.symantecliveupdate.com
O1 - Hosts: 127.4.7.4 liveupdate.symantec.com
O1 - Hosts: 127.4.7.4 update.symantec.com
O1 - Hosts: 127.4.7.4 securityresponse.symantec.com
O1 - Hosts: 127.4.7.4 sarc.com
O1 - Hosts: 127.4.7.4 www.sarc.com
O1 - Hosts: 127.4.7.4 norman.com
O1 - Hosts: 127.4.7.4 www.norman.com
O1 - Hosts: 127.4.7.4 trendmicro.com
O1 - Hosts: 127.4.7.4 www.trendmicro.com
O1 - Hosts: 127.4.7.4 trendmicro.co.jp
O1 - Hosts: 127.4.7.4 www.trendmicro.co.jp
O1 - Hosts: 127.4.7.4 trendmicro-europe.com
O1 - Hosts: 127.4.7.4 www.trendmicro-europe.com
O1 - Hosts: 127.4.7.4 ae.trendmicro-europe.com
O1 - Hosts: 127.4.7.4 it.trendmicro-europe.com
O1 - Hosts: 127.4.7.4 secunia.com
O1 - Hosts: 127.4.7.4 www.secunia.com
O1 - Hosts: 127.4.7.4 winantivirus.com
O1 - Hosts: 127.4.7.4 www.winantivirus.com
O1 - Hosts: 127.4.7.4 esafe.com
O1 - Hosts: 127.4.7.4 www.esafe.com
O1 - Hosts: 127.4.7.4 f-secure.com
O1 - Hosts: 127.4.7.4 www.f-secure.com
O1 - Hosts: 127.4.7.4 europe.f-secure.com
O1 - Hosts: 127.4.7.4 bhs.com
O1 - Hosts: 127.4.7.4 www.bhs.com
O1 - Hosts: 127.4.7.4 datafellows.com
O1 - Hosts: 127.4.7.4 www.datafellows.com
O1 - Hosts: 127.4.7.4 cheyenne.com
O1 - Hosts: 127.4.7.4 www.cheyenne.com
O1 - Hosts: 127.4.7.4 ontrack.com
O1 - Hosts: 127.4.7.4 www.ontrack.com
O1 - Hosts: 127.4.7.4 sands.com
O1 - Hosts: 127.4.7.4 www.sands.com
O1 - Hosts: 127.4.7.4 sophos.com
O1 - Hosts: 127.4.7.4 www.sophos.com
O1 - Hosts: 127.4.7.4 icubed.com
O1 - Hosts: 127.4.7.4 www.icubed.com
O1 - Hosts: 127.4.7.4 perantivirus.com
O1 - Hosts: 127.4.7.4 www.perantivirus.com
O1 - Hosts: 127.4.7.4 virusalert.nl
O1 - Hosts: 127.4.7.4 www.virusalert.nl
O1 - Hosts: 127.4.7.4 pagina.nl
O1 - Hosts: 127.4.7.4 www.pagina.nl
O1 - Hosts: 127.4.7.4 antivirus.pagina.nl
O1 - Hosts: 127.4.7.4 virustotal.com
O1 - Hosts: 127.4.7.4 www.virustotal.com
O1 - Hosts: 127.4.7.4 vaksin.com
O1 - Hosts: 127.4.7.4 www.vaksin.com
O1 - Hosts: 127.4.7.4 forum.vaksin.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Seekmo /fleok=1D8A83A5C2ED127E9DAF6D2A1FBB39BFE4976E26CAEDA120180A196D6093 - {07AA283A-43D7-4CBE-A064-32A21112D94D} - C:\Program Files\Seekmo\bin\10.0.424.0\HostIE.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: cpmsky browser optimizer - {3a7e45d8-f512-803e-36ed-a1f479481c60} - C:\WINDOWS\system32\{1e0504a4-6a41-5c60-7b97-5f26a03752b1}.dll (file missing)
O2 - BHO: (no name) - {3E1500AC-87A5-416b-A211-82E848649DA9} - (no file)
O2 - BHO: (no name) - {4ee50b42-98e7-8d69-6da7-88e7c0f9ea20} - (no file)
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll (file missing)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: مساعد تسجيل الدخول إلى Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O2 - BHO: IeMonitorBho Class - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e0} - (no file)
O2 - BHO: (no name) - {cb5a26c3-d9b3-4ab0-9efc-443595518284} - (no file)
O3 - Toolbar: (no name) - {6e4cc754-caa4-4576-9af1-68323d5760d4} - (no file)
O3 - Toolbar: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll (file missing)
O3 - Toolbar: (no name) - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: Seekmo - {07AA283A-43D7-4CBE-A064-32A21112D94D} - C:\Program Files\Seekmo\bin\10.0.424.0\HostIE.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IEUpdate] C:\WINDOWS\system32\agsaamca.exe
O4 - HKLM\..\Run: [SeekmoSA] "C:\Program Files\Seekmo\bin\10.0.424.0\SeekmoSA.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\RunServices: [IEUpdate] C:\WINDOWS\system32\agsaamca.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [IEUpdate] C:\WINDOWS\system32\agsaamca.exe
O4 - HKCU\..\RunServices: [IEUpdate] C:\WINDOWS\system32\agsaamca.exe
O4 - HKLM\..\Policies\Explorer\Run: [status] present
O4 - HKLM\..\Policies\Explorer\Run: [winlogon] C:\heap41a\svchost.exe C:\heap41a\std.txt
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [IEUpdate] C:\WINDOWS\system32\agsaamca.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunServices: [IEUpdate] C:\WINDOWS\system32\agsaamca.exe (User 'Default user')
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZRxdm707YYIN
O8 - Extra context menu item: &تصدير إلى Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: تنزيل الارتباط باستخدام مدير ميغا... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: بحث - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191910885562
O17 - HKLM\System\CCS\Services\Tcpip\..\{7B44F7E8-8C5D-402B-9D04-E5F7C55C81F2}: NameServer = 202.56.215.55,202.56.215.54,202.56.230.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{7B44F7E8-8C5D-402B-9D04-E5F7C55C81F2}: NameServer = 202.56.215.55,202.56.215.54,202.56.230.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{7B44F7E8-8C5D-402B-9D04-E5F7C55C81F2}: NameServer = 202.56.215.55,202.56.215.54,202.56.230.6
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O20 - Winlogon Notify: efcabyy - efcabyy.dll (file missing)
O22 - SharedTaskScheduler: asparagine - {65bbf06c-ea06-4818-92a3-f3550d0e1004} - (no file)
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Kaspersky Internet Security (avp) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe

--
End of file - 11607 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 AresChatServer (Ares Chatroom server) - c:\program files\ares\chatserver.exe <Not Verified; Ares Development Group; Ares Chat Server>
S4 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\program files\cyberlink\shared files\richvideo.exe" <Not Verified; ; RichVideo Module>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description: ‏‏وحدة تحكم Ethernet‏
Device ID: PCI\VEN_1904&DEV_2031&SUBSYS_00000000&REV_01\4&1A671D0C&0&10F0
Manufacturer:
Name: ‏‏وحدة تحكم Ethernet‏
PNP Device ID: PCI\VEN_1904&DEV_2031&SUBSYS_00000000&REV_01\4&1A671D0C&0&10F0
Service:


-- Files created between 2008-06-01 and 2008-07-01 -----------------------------

2008-07-01 20:09:40 0 d-------- C:\Program Files\Trend Micro
2008-07-01 19:32:48 2288 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-01 19:15:20 44544 --a------ C:\WINDOWS\system32\clbdll.dll
2008-06-30 22:15:46 0 d-------- C:\Documents and Settings\All Users\Application Data\SeekmoSA
2008-06-30 22:15:46 0 d-------- C:\Documents and Settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
2008-06-30 22:15:41 0 d-------- C:\Program Files\Seekmo
2008-06-30 22:15:41 0 d-------- C:\Documents and Settings\Administrator\Application Data\Seekmo
2008-06-19 06:02:39 97280 -r-hs---- C:\WINDOWS\system32\agsaamca.exe
2008-06-18 01:18:16 0 d-------- C:\Program Files\Common Files\Akamai


-- Find3M Report ---------------------------------------------------------------

2008-07-01 19:05:48 0 d-------- C:\Program Files\Kaspersky Lab
2008-07-01 18:48:02 0 d-------- C:\Program Files\MyWebSearch
2008-07-01 18:42:57 0 d-------- C:\Program Files\MSN Messenger
2008-07-01 18:36:00 0 d-------- C:\Program Files\eToro
2008-07-01 18:35:13 0 d-------- C:\Program Files\FBrowsingAdvisor
2008-07-01 18:31:05 0 d-------- C:\Program Files\All Cleaner
2008-07-01 18:06:21 0 d-------- C:\Documents and Settings\Administrator\Application Data\Metacafe
2008-06-22 00:22:11 2926 --a------ C:\WINDOWS\mozver.dat
2008-06-18 01:18:16 0 d-------- C:\Program Files\Common Files
2008-06-18 01:17:50 0 d-------- C:\Program Files\Metacafe
2008-06-16 17:44:13 0 d-------- C:\Program Files\LimeWire
2008-06-05 15:45:21 0 d-------- C:\Program Files\JetAudio
2008-05-24 15:45:01 0 d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-05-23 21:06:55 7 ---hs---- C:\AUTOEXEC.BAT
2008-05-18 22:33:35 0 d-------- C:\Program Files\Ofb1
2008-05-18 14:47:35 34 --a------ C:\WINDOWS\system32\rnplf8.dll
2008-05-18 14:37:47 0 d-------- C:\Program Files\Yahoo!
2008-05-07 16:13:39 0 d-------- C:\Program Files\PlayMP3z
2008-04-27 07:23:52 40713 --a------ C:\WINDOWS\system32\cpmsky-uninst.exe
2008-04-27 04:20:02 254130 --a------ C:\WINDOWS\system32\perfh001.dat
2008-04-27 04:20:02 40940 --a------ C:\WINDOWS\system32\perfc001.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07AA283A-43D7-4CBE-A064-32A21112D94D}]
05/23/2008 08:52 PM 652552 --a------ C:\Program Files\Seekmo\bin\10.0.424.0\HostIE.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3a7e45d8-f512-803e-36ed-a1f479481c60}]
C:\WINDOWS\system32\{1e0504a4-6a41-5c60-7b97-5f26a03752b1}.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E1500AC-87A5-416b-A211-82E848649DA9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4ee50b42-98e7-8d69-6da7-88e7c0f9ea20}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}]
04/25/2008 06:22 PM 62728 --a------ C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7}]
C:\Program Files\alot\bin\alot.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c900b400-cdfe-11d3-976a-00e02913a9e0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cb5a26c3-d9b3-4ab0-9efc-443595518284}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{07AA283A-43D7-4CBE-A064-32A21112D94D}"= C:\Program Files\Seekmo\bin\10.0.424.0\HostIE.dll [05/23/2008 08:52 PM 652552]

[-HKEY_CLASSES_ROOT\CLSID\{07AA283A-43D7-4CBE-A064-32A21112D94D}]
[HKEY_CLASSES_ROOT\HostIE.Bho.1]
[HKEY_CLASSES_ROOT\TypeLib\{087C4054-0A2B-4F35-B0DB-BED3E21650F4}]
[HKEY_CLASSES_ROOT\HostIE.Bho]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [12/08/2005 01:27 AM]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [04/25/2007 09:14 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [02/26/2008 01:56 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/01/2006 06:27 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"IEUpdate"="C:\WINDOWS\system32\agsaamca.exe" [06/19/2008 06:02 AM]
"SeekmoSA"="C:\Program Files\Seekmo\bin\10.0.424.0\SeekmoSA.exe" [05/23/2008 08:54 PM]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [04/25/2008 06:21 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 08:13 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:54 PM]
"MsnMsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [01/19/2007 03:25 PM]
"ares"="C:\Program Files\Ares\Ares.exe" [02/20/2008 08:03 PM]
"IEUpdate"="C:\WINDOWS\system32\agsaamca.exe" [06/19/2008 06:02 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices]
"IEUpdate"=C:\WINDOWS\system32\agsaamca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"IEUpdate"=C:\WINDOWS\system32\agsaamca.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"IEUpdate"=C:\WINDOWS\system32\agsaamca.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"IEUpdate"=C:\WINDOWS\system32\agsaamca.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableCMD"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"status"=present
"winlogon"=C:\heap41a\svchost.exe C:\heap41a\std.txt

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcabyy]
efcabyy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"IEUpdate"= C:\WINDOWS\system32\agsaamca.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys]
@="driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^قائمة ابدأ^البرامج^بدء التشغيل^Metacafe.lnk]
path=C:\Documents and Settings\Administrator\قائمة ابدأ\البرامج\بدء التشغيل\Metacafe.lnk
backup=C:\WINDOWS\pss\Metacafe.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^قائمة ابدأ^البرامج^بدء التشغيل^Metacafe.lnk]
path=C:\Documents and Settings\All Users\قائمة ابدأ\البرامج\بدء التشغيل\Metacafe.lnk
backup=C:\WINDOWS\pss\Metacafe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^قائمة ابدأ^البرامج^بدء التشغيل^PalTalk.lnk]
path=C:\Documents and Settings\All Users\قائمة ابدأ\البرامج\بدء التشغيل\PalTalk.lnk
backup=C:\WINDOWS\pss\PalTalk.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntiVirGear 3.8]
"C:\Program Files\AntiVirGear 3.8\AntiVirGear 3.8.exe" /h

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
????

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]
rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Quick Heal Firewall Pro]
"C:\Program Files\Cat Computer\Quick Heal Firewall Pro\qhfw.exe" /waitservice

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
????

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZangoOE]
C:\Program Files\Zango\bin\10.0.370.0\OEAddOn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZangoSA]
"C:\Program Files\Zango\bin\10.0.370.0\ZangoSA.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"RichVideo"=2 (0x2)
"QuickHealFirewall"=2 (0x2)
"ose"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai Akamai


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{29311320-232f-11dd-be78-0016ecd2a246}]
AutoRun\command- G:\RavMon.exe
explore\Command- G:\RavMon.exe -e
open\Command- G:\RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39fd3392-0679-11dd-be37-0016ecd2a246}]
Auto\command- MicrosoftPowerPoint.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41279337-2425-11dd-be7e-0016ecd2a246}]
AutoRun\command- G:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{825567a9-9ec3-11dc-bd44-0016ecd2a246}]
AutoRun\command- H:\RavMon.exe
explore\Command- H:\RavMon.exe -e
open\Command- H:\RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c3440fa-675e-11dc-bc40-0016ecd2a246}]
Auto\command- infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a436fbb3-2815-11dd-9a9a-0016ecd2a246}]
AutoRun\command- 32e2.com
explore\Command- 32e2.com
open\Command- 32e2.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{edcdcaf4-0a32-11dd-be3e-0016ecd2a246}]
Auto\command- MicrosoftPowerPoint.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{faccee30-dfd7-11dc-bdfa-0016ecd2a246}]
Auto\command- G:\MicrosoftPowerPoint.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe




-- Hosts -----------------------------------------------------------------------

127.4.7.4 mcafee.com
127.4.7.4 www.mcafee.com
127.4.7.4 mcafeesecurity.com
127.4.7.4 www.mcafeesecurity.com
127.4.7.4 mcafeeb2b.com
127.4.7.4 www.mcafeeb2b.com
127.4.7.4 nai.com
127.4.7.4 www.nai.com
127.4.7.4 vil.nai.com
127.4.7.4 grisoft.com

59 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-01 20:10:44 ------------

#2 OldTimer


    Malware Expert



Posted 06 July 2008 - 12:49 AM

Hello Qamrey Alam and welcome to BC. Let's see what we can find. Please follow the steps below in order:

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Close ALL Internet browsers (very important).
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Now download OTScanIt from here or here to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • Reg - MountPoints2
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it again.
Use the Add Reply button and attach the file in your next post (do not try to copy/paste it into the post).

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
