
Locksky.er Please Help


6 replies to this topic

#1 dpbklyn


Posted 01 July 2008 - 11:19 AM

Hello all, and thank you in advance for your help.

AVG is reporting that this computer is infected with Locksky.ER and I can't get rid of it. Below are my logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03:11, on 7/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ldhhlh] rundll32.exe "C:\DOCUME~1\ROCKST~1\LOCALS~1\Temp\dhttdddphpl.nls" WLEntryPoint
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [tdltlddd] rundll32.exe "C:\WINDOWS\system32\plhphptl.nls" WLEntryPoint
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1214784105489
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = 2kg.take2games.com
O17 - HKLM\Software\..\Telephony: DomainName = 2kg.take2games.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = 2kg.take2games.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = 2kg.take2games.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = 2kg.take2games.com
O20 - Winlogon Notify: elofqh - C:\WINDOWS\SYSTEM32\elofqh.dll
O20 - Winlogon Notify: vtUlJcYR - vtUlJcYR.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Indexing Service cisvcTapiSrv (cisvcTapiSrv) - Unknown owner - C:\WINDOWS\system32\3076q.exe (file missing)
O23 - Service: Indexing Service cisvcTapiSrv cisvcTapiSrvNla (cisvcTapiSrvNla) - Unknown owner - C:\WINDOWS\system32\3076n.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Locator RpcLocatorlanmanserver (RpcLocatorlanmanserver) - Unknown owner - C:\WINDOWS\system32\1028o.exe (file missing)
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Print Spooler Spooler HotKey Poller (Spooler HotKey Poller) - Unknown owner - C:\WINDOWS\system32\1025j.exe (file missing)

--
End of file - 5137 bytes



Deckard's System Scanner v20071014.68
Run by Globalstar on 2008-07-01 11:55:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2008-07-01 15:55:12 UTC - RP144 - Deckard's System Scanner Restore Point
3: 2008-06-30 15:59:41 UTC - RP143 - Installed AVG 7.5
2: 2008-06-30 01:38:49 UTC - RP142 - Software Distribution Service 3.0
1: 2008-06-30 01:10:32 UTC - RP141 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Globalstar.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:55:46, on 7/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Rockstar Games\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Globalstar.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ldhhlh] rundll32.exe "C:\DOCUME~1\ROCKST~1\LOCALS~1\Temp\phldpptlhhd.nls" WLEntryPoint
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [tdltlddd] rundll32.exe "C:\WINDOWS\system32\plhphptl.nls" WLEntryPoint
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1214784105489
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = 2kg.take2games.com
O17 - HKLM\Software\..\Telephony: DomainName = 2kg.take2games.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = 2kg.take2games.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = 2kg.take2games.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = 2kg.take2games.com
O20 - Winlogon Notify: elofqh - C:\WINDOWS\SYSTEM32\elofqh.dll
O20 - Winlogon Notify: vtUlJcYR - vtUlJcYR.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Indexing Service cisvcTapiSrv (cisvcTapiSrv) - Unknown owner - C:\WINDOWS\system32\3076q.exe (file missing)
O23 - Service: Indexing Service cisvcTapiSrv cisvcTapiSrvNla (cisvcTapiSrvNla) - Unknown owner - C:\WINDOWS\system32\3076n.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Locator RpcLocatorlanmanserver (RpcLocatorlanmanserver) - Unknown owner - C:\WINDOWS\system32\1028o.exe (file missing)
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Print Spooler Spooler HotKey Poller (Spooler HotKey Poller) - Unknown owner - C:\WINDOWS\system32\1025j.exe (file missing)

--
End of file - 5217 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080417-174233-108 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20080417-174233-109 O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
backup-20080417-174233-112 O4 - HKLM\..\Run: [mpgjepcb] rundll32.exe "C:\DOCUME~1\ROCKST~1\LOCALS~1\Temp\qlsfalsbap.nls" WLEntryPoint
backup-20080417-174233-121 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
backup-20080417-174233-141 O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
backup-20080417-174233-153 O2 - BHO: (no name) - {716E16D3-3C22-49B0-A932-993C17ED0B2B} - C:\WINDOWS\system32\fccaWQgD.dll (file missing)
backup-20080417-174233-180 O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
backup-20080417-174233-182 O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
backup-20080417-174233-195 O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
backup-20080417-174233-199 O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20041101/qtinstall.info.apple.com/pthalo/us/win/QuickTimeInstaller.exe
backup-20080417-174233-200 O4 - Startup: findfast.exe
backup-20080417-174233-211 O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20080417-174233-236 O4 - HKLM\..\Policies\Explorer\Run: [elknqt] rundll32.exe "C:\WINDOWS\system32\mhkrih.nls" WLEntryPoint
backup-20080417-174233-240 O4 - HKLM\..\Run: [SystemDrive] C:\WINDOWS\system32\maxpaynow1.exe
backup-20080417-174233-265 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
backup-20080417-174233-288 O2 - BHO: QuickTalk 2.1 - {CF26FAC0-7D4E-46D8-AE64-B277B11443AC} - C:\WINDOWS\system32\luapvs.dll
backup-20080417-174233-297 O4 - HKLM\..\Run: [DriveSystem] C:\WINDOWS\system32\maxpaynowti1.exe
backup-20080417-174233-331 O2 - BHO: DVA Storm - {53952518-97B4-4885-B7D6-3A274DB20792} - C:\WINDOWS\nslbvxpgagr.dll
backup-20080417-174233-340 O4 - HKLM\..\Run: [iSecurity applet] rundll32.exe iSecurity.cpl,SecurityMonitor
backup-20080417-174233-341 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.falcon-nw.com
backup-20080417-174233-372 O20 - AppInit_DLLs: iSecurity.cpl
backup-20080417-174233-388 O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
backup-20080417-174233-409 O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
backup-20080417-174233-420 O2 - BHO: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - iSecurity.cpl (file missing)
backup-20080417-174233-424 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
backup-20080417-174233-484 O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
backup-20080417-174233-516 F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
backup-20080417-174233-520 O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Rockstar Games\cftmon.exe
backup-20080417-174233-539 O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
backup-20080417-174233-548 O14 - IERESET.INF: START_PAGE_URL=http://www.falcon-nw.com
backup-20080417-174233-557 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
backup-20080417-174233-569 O4 - HKCU\..\Run: [Brave-Sentry] C:\Program Files\BraveSentry\BraveSentry.exe
backup-20080417-174233-571 O4 - HKLM\..\Run: [msdefender.exe] C:\WINDOWS\system32\msdefender.exe
backup-20080417-174233-586 O3 - Toolbar: sgoblxtm - {10BDE5C9-141F-4536-86D4-56883348BBA1} - C:\WINDOWS\sgoblxtm.dll
backup-20080417-174233-592 O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
backup-20080417-174233-610 O4 - HKLM\..\Run: [taskmon] C:\WINDOWS\taskmon.exe
backup-20080417-174233-619 O2 - BHO: (no name) - {A8EEB996-62AA-4E48-995D-EADDCAC47476} - C:\WINDOWS\system32\vtUlJcYR.dll
backup-20080417-174233-620 O4 - HKCU\..\Run: [DriveHQ FileManager] "C:\Program Files\DriveHQ\DriveHQ FileManager\DriveHQClient.exe" autorun
backup-20080417-174233-627 O4 - HKLM\..\Policies\Explorer\Run: [ZntX0jHwhe] C:\Documents and Settings\All Users\Application Data\jorunefq\jyloladk.exe
backup-20080417-174233-678 O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
backup-20080417-174233-685 O4 - HKLM\..\Run: [csrss] C:\WINDOWS\system32\wbem\csrss.exe
backup-20080417-174233-699 O4 - HKLM\..\Run: [uzkpspad] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\uzkpspad.dll"
backup-20080417-174233-763 O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
backup-20080417-174233-768 O21 - SSODL: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - iSecurity.cpl (file missing)
backup-20080417-174233-781 O4 - HKLM\..\Run: [BisonCom] C:\WINDOWS\VdCap03C\BisonCom
backup-20080417-174233-783 O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
backup-20080417-174233-802 O4 - HKCU\..\Run: [zjohhbkw] C:\WINDOWS\system32\tkridido.exe
backup-20080417-174233-822 O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
backup-20080417-174233-830 O4 - HKCU\..\Run: [kavir] C:\WINDOWS\kavir.exe
backup-20080417-174233-831 O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
backup-20080417-174233-834 O4 - HKLM\..\Run: [WinIFixer] C:\Program Files\WinIFixer\WinIFixer.exe
backup-20080417-174233-842 O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Rockstar Games\cftmon.exe
backup-20080417-174233-846 O4 - Global Startup: autorun.exe
backup-20080417-174233-849 O3 - Toolbar: Morpheus Toolbar - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
backup-20080417-174233-896 O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
backup-20080417-174233-939 O4 - HKCU\..\Run: [Service Pack 1] C:\WINDOWS\system32\vedxg6ame4.exe
backup-20080417-174233-945 O4 - HKLM\..\Run: [cjb] C:\Program Files\cjb\cjb8.exe
backup-20080417-174233-954 O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
backup-20080417-174234-118 O23 - Service: Indexing Service cisvcTapiSrv cisvcTapiSrvNla (cisvcTapiSrvNla) - Unknown owner - C:\WINDOWS\system32\3076n.exe
backup-20080417-174234-325 O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
backup-20080417-174234-363 O23 - Service: Indexing Service cisvcTapiSrv (cisvcTapiSrv) - Unknown owner - C:\WINDOWS\system32\3076q.exe
backup-20080417-174234-374 O21 - SSODL: dsktbwfe - {9E068DF6-4C64-4F74-8152-3A751A41024D} - C:\WINDOWS\dsktbwfe.dll
backup-20080417-174234-378 O23 - Service: MSSysInterv (MSSysInterv1) - Unknown owner - C:\WINDOWS\winself.exe
backup-20080417-174234-416 O21 - SSODL: OLE Automation Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - C:\WINDOWS\system32\wthunk32.dll
backup-20080417-174234-606 O21 - SSODL: ogxtsepr - {98CB10EE-4F00-4B1E-A071-24DF124EA382} - C:\WINDOWS\ogxtsepr.dll
backup-20080417-174234-784 O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
backup-20080417-174234-808 O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
backup-20080417-174234-830 O21 - SSODL: zip - {c54245f4-7dbc-4168-acd6-fb748f523001} - C:\WINDOWS\Installer\{c54245f4-7dbc-4168-acd6-fb748f523001}\zip.dll
backup-20080417-174234-855 O23 - Service: DriveHQ FileManagerFun - Drive Headquarter - C:\Program Files\DriveHQ\DriveHQ FileManager\DHQFMSvc.exe
backup-20080417-174234-968 O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
backup-20080503-063905-148 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = 2kg.take2games.com
backup-20080503-063905-186 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.197 85.255.112.72
backup-20080503-063905-230 O1 - Hosts: 124.217.252.78 secure.isoftpay.com
backup-20080503-063905-240 O4 - HKLM\..\Run: [iSecurity applet] rundll32.exe iSecurity.cpl,SecurityMonitor
backup-20080503-063905-255 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = 2kg.take2games.com
backup-20080503-063905-258 O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
backup-20080503-063905-261 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.197 85.255.112.72
backup-20080503-063905-287 O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\wind32.exe
backup-20080503-063905-401 O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
backup-20080503-063905-405 O2 - BHO: DVA Storm - {53952518-97B4-4885-B7D6-3A274DB20792} - C:\WINDOWS\nslbvxpgagr.dll
backup-20080503-063905-411 O20 - AppInit_DLLs: iSecurity.cpl
backup-20080503-063905-419 O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
backup-20080503-063905-437 O1 - Hosts: 124.217.252.78 secure.isoftpay.com
backup-20080503-063905-465 O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\DOCUME~1\ROCKST~1\LOCALS~1\Temp\ie.exe
backup-20080503-063905-472 O20 - Winlogon Notify: elofqh - C:\WINDOWS\SYSTEM32\elofqh.dll
backup-20080503-063905-482 O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
backup-20080503-063905-522 O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
backup-20080503-063905-550 O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
backup-20080503-063905-639 O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
backup-20080503-063905-675 O17 - HKLM\Software\..\Telephony: DomainName = 2kg.take2games.com
backup-20080503-063905-688 O4 - HKLM\..\Policies\Explorer\Run: [tdldthld] rundll32.exe "C:\WINDOWS\system32\mhkrih.nls" WLEntryPoint
backup-20080503-063905-736 O4 - HKLM\..\Run: [DriveSystem] C:\WINDOWS\system32\maxpaynowti1.exe
backup-20080503-063905-757 O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Rockstar Games\cftmon.exe
backup-20080503-063905-792 O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
backup-20080503-063905-796 O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
backup-20080503-063905-811 O4 - HKLM\..\Run: [mpgjepcb] rundll32.exe "C:\DOCUME~1\ROCKST~1\LOCALS~1\Temp\qlsfalsbap.nls" WLEntryPoint
backup-20080503-063905-874 O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
backup-20080503-063905-917 O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Rockstar Games\cftmon.exe
backup-20080503-063905-927 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
backup-20080503-063905-970 O2 - BHO: (no name) - {A8EEB996-62AA-4E48-995D-EADDCAC47476} - C:\WINDOWS\system32\vtUlJcYR.dll
backup-20080503-063906-212 O21 - SSODL: zip - {c54245f4-7dbc-4168-acd6-fb748f523001} - C:\WINDOWS\Installer\{c54245f4-7dbc-4168-acd6-fb748f523001}\zip.dll
backup-20080503-063906-575 O20 - Winlogon Notify: WLCtrl32 - C:\WINDOWS\SYSTEM32\WLCtrl32.dll
backup-20080503-063906-710 O21 - SSODL: dsktbwfe - {2EFCD64C-7A38-42E5-BB1E-474E0BBFBB33} - C:\WINDOWS\dsktbwfe.dll
backup-20080503-063906-908 O20 - Winlogon Notify: vtUlJcYR - C:\WINDOWS\SYSTEM32\vtUlJcYR.dll
backup-20080503-063907-125 O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
backup-20080503-063907-182 O23 - Service: Indexing Service cisvcTapiSrv cisvcTapiSrvNla (cisvcTapiSrvNla) - Unknown owner - C:\WINDOWS\system32\3076n.exe
backup-20080503-063907-214 O23 - Service: Print Spooler Spooler HotKey Poller (Spooler HotKey Poller) - Unknown owner - C:\WINDOWS\system32\1025j.exe
backup-20080503-063907-272 O21 - SSODL: ogxtsepr - {1F2B1119-F41B-4B8E-8428-5292AC5678E9} - C:\WINDOWS\ogxtsepr.dll
backup-20080503-063907-385 O23 - Service: Indexing Service cisvcTapiSrv (cisvcTapiSrv) - Unknown owner - C:\WINDOWS\system32\3076q.exe
backup-20080503-063907-395 O21 - SSODL: iSecurity - {A8311E8F-E459-4D22-89B4-CB9DCF10A425} - (no file)
backup-20080503-063907-491 O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
backup-20080503-063907-494 O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
backup-20080503-063907-626 O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
backup-20080503-063907-630 O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
backup-20080503-063907-791 O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
backup-20080503-063907-862 O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
backup-20080503-063907-915 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
backup-20080503-063907-943 O23 - Service: Remote Procedure Call (RPC) Locator RpcLocatorlanmanserver (RpcLocatorlanmanserver) - Unknown owner - C:\WINDOWS\system32\1028o.exe
backup-20080503-063907-964 O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
backup-20080503-063907-975 O23 - Service: MSSysInterv (MSSysInterv1) - Unknown owner - C:\WINDOWS\winself.exe

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.exe - exefile - shell\open\command - rundll32.exe "C:\DOCUME~1\ROCKST~1\LOCALS~1\Temp\thlldphtdl.sys" WLEntry %1 %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 lnvbzyfc - c:\windows\system32\drivers\tedizqqy.dat
R3 ApfiltrService (Alps Pointing-device Filter Driver) - c:\windows\system32\drivers\apfiltr.sys <Not Verified; Alps Electric Co., Ltd.; Alps Touch Pad Driver for Windows 2000/XP>

S3 catchme - c:\docume~1\rockst~1\locals~1\temp\catchme.sys (file missing)
S3 CBTNDIS5 (CBTNDIS5 NDIS Protocol Driver) - c:\windows\system32\cbtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 cisvcTapiSrv (Indexing Service cisvcTapiSrv) - c:\windows\system32\3076q.exe srv (file missing)
S2 cisvcTapiSrvNla (Indexing Service cisvcTapiSrv cisvcTapiSrvNla) - c:\windows\system32\3076n.exe srv (file missing)
S2 RpcLocatorlanmanserver (Remote Procedure Call (RPC) Locator RpcLocatorlanmanserver) - c:\windows\system32\1028o.exe srv (file missing)
S2 Spooler HotKey Poller (Print Spooler Spooler HotKey Poller) - c:\windows\system32\1025j.exe srv (file missing)
S4 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
S4 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
S4 DriveHQ FileManagerFun - "c:\program files\drivehq\drivehq filemanager\dhqfmsvc.exe" <Not Verified; Drive Headquarter; Base Service>
S4 NICSer_WPC54G - c:\program files\linksys\wireless-g notebook adapter\nicserv.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-01 00:06:00	   284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-06-01 and 2008-07-01 -----------------------------

2008-06-30 19:22:29	   552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-06-30 16:48:30		 0 dr-h----- C:\Documents and Settings\Rockstar Games\Recent
2008-06-30 16:45:48		 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-06-30 16:43:02		 0 d-------- C:\Program Files\Yahoo!
2008-06-30 15:38:51		 0 d-------- C:\Documents and Settings\Rockstar Games\Application Data\Malwarebytes
2008-06-30 15:16:26		 0 d-------- C:\Documents and Settings\Rockstar Games\.housecall6.6
2008-06-30 12:34:14		 0 dr-h----- C:\$VAULT$.AVG
2008-06-30 11:59:41		 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-06-29 22:37:02		 0 d-------- C:\WINDOWS\ERUNT
2008-06-29 20:53:40		 0 d-------- C:\WINDOWS\system32\scripting
2008-06-29 20:53:39		 0 d-------- C:\WINDOWS\l2schemas
2008-06-29 20:53:38		 0 d-------- C:\WINDOWS\system32\en
2008-06-29 20:53:38		 0 d-------- C:\WINDOWS\system32\bits
2008-06-29 20:50:18		 0 d-------- C:\WINDOWS\network diagnostic
2008-06-29 20:28:23		 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-06-29 18:50:59		 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-06-29 18:50:55		 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-29 17:20:54		 0 d-------- C:\Program Files\Lavasoft
2008-06-29 17:20:22		 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-29 16:08:36		 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-06-29 16:07:41		 0 d-------- C:\Program Files\CCleaner
2008-06-29 15:33:44	  1400 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-29 14:26:34		 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-29 14:25:26		65 --a------ C:\xcrashdump.dat
2008-06-29 14:23:30		 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-29 13:55:42		 0 d-------- C:\VundoFix Backups
2008-06-29 13:36:19		 0 d-------- C:\Program Files\Enigma Software Group
2008-06-17 21:35:45		 0 d-------- C:\Documents and Settings\Administrator\Application Data\DriveHQ
2008-06-17 21:32:03		 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2008-06-17 21:30:12		 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-06-17 21:18:58		 0 d-------- C:\Documents and Settings\Rockstar Games\Application Data\AVG7
2008-06-17 21:18:33	   354 --ahs---- C:\WINDOWS\system32\dsfarxdo.ini2
2008-06-17 21:17:44	648581 --ahs---- C:\WINDOWS\system32\YaJmonpo.ini2
2008-06-17 21:09:46		 0 d-------- C:\ERDNT


-- Find3M Report ---------------------------------------------------------------

2008-06-29 22:34:23		 0 d-------- C:\Documents and Settings\Rockstar Games\Application Data\OpenOffice.org2
2008-06-29 20:53:59		 0 d-------- C:\Program Files\Messenger
2008-06-29 20:53:38		 0 d-------- C:\Program Files\Movie Maker
2008-06-29 20:51:35		 0 d-------- C:\Program Files\Windows NT
2008-06-29 19:33:31	113664 --a------ C:\WINDOWS\system32\elofqh.dll
2008-06-29 18:00:23	   111 --a-s---- C:\WINDOWS\system32\4076838199.dat
2008-06-29 17:20:22		 0 d-------- C:\Program Files\Common Files
2008-04-14 09:06:08	   345 --ahs---- C:\WINDOWS\system32\DgQWaccf.ini2
2008-04-13 20:12:19	113664 --a------ C:\WINDOWS\system32\tphppdth.sys
2008-04-13 20:12:19	113664 --a------ C:\WINDOWS\system32\tlhhht.sys
2008-04-13 20:12:19	113664 --a------ C:\WINDOWS\system32\thlthdlt.dll
2008-04-13 20:12:19	113664 --a------ C:\WINDOWS\system32\ldhtlpdd.sys


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [06/30/2008 12:36]
"ldhhlh"="C:\DOCUME~1\ROCKST~1\LOCALS~1\Temp\dhttdddphpl.nls WLEntryPoint" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 20:12]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"tdltlddd"=rundll32.exe "C:\WINDOWS\system32\plhphptl.nls" WLEntryPoint

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy] 
C:\WINDOWS\System32\dimsntfy.dll 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\elofqh] 
elofqh.dll 06/29/2008 19:33 113664 C:\WINDOWS\system32\elofqh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUlJcYR] 
vtUlJcYR.dll 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\opnomJaY

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders	msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs	eaphost
dot3svc	dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
napagent
hkmsvc


-- End of Deckard's System Scanner: finished at 2008-07-01 11:57:52 ------------

   KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, July 1, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, July 01, 2008 13:44:02
Records in database: 901681
Scan settings
Scan using the following database 	extended
Scan archives 	yes
Scan mail databases 	yes
Scan area 	My Computer
C:\
D:\
E:\
F:\
G:\
H:\
Scan statistics
Files scanned 	75817
Threat name 	4
Infected objects 	12
Suspicious objects 	0
Duration of the scan 	01:13:34

File name 	Threat name 	Threats count
C:\Documents and Settings\Administrator\Desktop\Spyware\New Folder\SmitfraudFix\Reboot.exe	Infected: not-a-virus:RiskTool.Win32.Reboot.f	1	
C:\Documents and Settings\Administrator\Desktop\Spyware\New Folder\STEP 3-SmitfraudFix.exe	Infected: not-a-virus:RiskTool.Win32.Reboot.f	1	
C:\Documents and Settings\Rockstar Games\Desktop\spyware removal\SmitfraudFix\Reboot.exe	Infected: not-a-virus:RiskTool.Win32.Reboot.f	1	
C:\Documents and Settings\Rockstar Games\Desktop\spyware removal\STEP 3-SmitfraudFix.exe	Infected: not-a-virus:RiskTool.Win32.Reboot.f	1	
C:\Documents and Settings\Rockstar Games\Local Settings\Temp\dllplhhhpt.nls	Infected: Email-Worm.Win32.Locksky.cm	1	
C:\Documents and Settings\Rockstar Games\Local Settings\Temp\phldpptlhhd.nls	Infected: Email-Worm.Win32.Locksky.cm	1	
C:\Documents and Settings\Rockstar Games\Local Settings\Temp\ttphph.nls	Infected: Email-Worm.Win32.Locksky.cm	1	
C:\Program Files\MorpheusBar\bar\1.bin\NPMORPBR.DLL	Infected: not-a-virus:AdTool.Win32.MyWebSearch.i	1	
C:\Program Files\Mozilla Firefox\plugins\NPMorpBr.dll	Infected: not-a-virus:AdTool.Win32.MyWebSearch.i	1	
C:\VundoFix Backups\opnomJaY.dll.bad	Infected: Trojan.Win32.Monder.gen	1	
C:\WINDOWS\system32\hptlhhtp.nls	Infected: Email-Worm.Win32.Locksky.cm	1	
C:\WINDOWS\system32\plhphptl.nls	Infected: Email-Worm.Win32.Locksky.cm	1	
The selected area was scanned.

Thank you,

dp
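As an added example (not from this thread, nor from Deckard's System Scanner or any other tool named here), the triage a helper applies by eye to the Registry Dump above can be scripted: flag autorun values that load a non-executable extension or a file from a Temp folder, Winlogon notify packages outside a baseline, and extra LSA authentication packages. The sample dump is constructed from the entries posted above; the XP baseline set and the path regexes are assumptions.

```python
import re
# Constructed sample in the Deckard's System Scanner "Registry Dump" layout;
# the entries are copied from the dump posted earlier in this thread.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [06/30/2008 12:36]
"ldhhlh"="C:\DOCUME~1\ROCKST~1\LOCALS~1\Temp\dhttdddphpl.nls WLEntryPoint" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"tdltlddd"=rundll32.exe "C:\WINDOWS\system32\plhphptl.nls" WLEntryPoint
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\elofqh]
elofqh.dll 06/29/2008 19:33 113664 C:\WINDOWS\system32\elofqh.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\opnomJaY
"""

# Assumed baseline: Winlogon notification packages shipped with Windows XP.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "dimsntfy", "sccertprop",
                "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}
EXEC_EXT = {"exe", "com", "scr", "dll", "cpl", "bat", "cmd"}
PATH_RE = re.compile(r'"([a-z]:\\[^"]+)"|([a-z]:\\[^\s"\[\]]+)')  # quoted or bare path
EXT_RE = re.compile(r"\.(\w+)(?=\s|$)")  # first extension ended by a space or EOL

def triage(dump: str) -> list:
    """Return (registry key, reason) pairs for autostart entries worth a closer look."""
    findings, key = [], ""
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("["):              # new key header
            key = line.strip("[]")
            pkg = key.lower().rsplit("\\", 1)[-1]
            if "\\winlogon\\notify\\" in key.lower() and pkg not in KNOWN_NOTIFY:
                findings.append((key, f"unknown Winlogon notify package '{pkg}'"))
            continue
        low, lkey = line.lower(), key.lower()
        if lkey.endswith("\\run"):
            reasons = []
            if "\\temp\\" in low:
                reasons.append("starts a file from a Temp folder")
            for path in (a or b for a, b in PATH_RE.findall(low)):
                m = EXT_RE.search(path)
                if not m or m.group(1) not in EXEC_EXT:  # e.g. .nls handed to rundll32
                    reasons.append(f"loads a non-executable extension as code: {path}")
            if reasons:
                findings.append((key, line.split("=", 1)[0] + ": " + "; ".join(reasons)))
        elif lkey.endswith("\\lsa") and low.startswith('"authentication packages"'):
            extra = [p for p in line.split("=", 1)[1].split() if p.lower() != "msv1_0"]
            if extra:
                findings.append((key, "extra LSA authentication package(s): " + " ".join(extra)))
    return findings
```

Running `triage(SAMPLE_DUMP)` leaves the AVG entry alone and reports the two .nls loaders, the unknown notify package and the extra LSA package, the same four items a reviewer would pull out of the dump by hand.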

#2 OldTimer (Malware Expert)

Posted 06 July 2008 - 12:53 AM

Hello dpbklyn and welcome to BC. Let's see what we can find. Please follow the steps below in order:

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Close ALL Internet browsers (very important).
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Now download OTScanIt from here or here to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it back.
Use the Add Reply button and attach the file in your next post (do not try to copy/paste it into the post).

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

#3 dpbklyn (Topic Starter)

Posted 07 July 2008 - 11:06 AM

OT, thank you for your reply. I can't run ANYTHING on my machine...it gives me a rundll error loading %Local Settings%\temp\pdppdh.nls. I can't even get into regedit...

dp

#4 OldTimer (Malware Expert)

Posted 07 July 2008 - 11:56 AM

Hi dpbklyn. Try running it in Safe Mode then.

Cheers.

OT

#5 dpbklyn (Topic Starter)

Posted 07 July 2008 - 11:58 AM

I already tried that; I am about to lay a new OS over the old one...

#6 OldTimer (Malware Expert)

Posted 07 July 2008 - 12:10 PM

Hi dpbklyn. Yeah, if you can't run anything in Normal or Safe Mode then there's not much that can be done. Without being able to see what's there or remove it, it is impossible to do anything with it.

You could try a System Restore if that will run or try booting to the Last Known Good Configuration and see if that will at least let you run something.

Else a good reinstall will take care of everything.

Cheers.

OT

#7 dpbklyn (Topic Starter)

Posted 07 July 2008 - 12:15 PM

Please keep this thread open; I am going to try to "upgrade" the OS (from XP to XP SP3) to see if I can get something (anything) to run...

Thank you,

dp